Managing consent under the GDPR
Posted on 26 Mar 2018
GDPR is overbearing on so many businesses that, even if I believe it is right that we regulate the use of data better, it will no doubt hurt not only business but also social relations in the short run as everyone adapts to it. The key is not to fall foul of the rules. The main one, in my humble opinion, for most of us is: how do you email marketing material come 25th May 2018?
The new regulation requires that you only rely on affirmative consent that is “freely given, specific, informed and unambiguous”.
A lot of people told me they have heard that they can rely on only providing an ‘unsubscribe’ button. Although the unsubscribe ability is a part of GDPR, this is not related to consent!
There is a guide on consent under GDPR that was published a year ago: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
We summarise a few points below:
1. Get positive CONSENT
Consent is valid if a data subject actively confirms it, e.g. by ticking an unchecked box. Assuming consent from customer inaction is not valid: “Silence, pre-ticked boxes or inactivity should not constitute consent.”
2. Do not hide consent in your TERMS & CONDITIONS
Consent must be freely given, so there must be a clear choice. If you compel consent in exchange for something such as a research piece (so that you can then send lots of marketing materials), this is not valid.
You cannot bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service. In short, you must keep consent separate.
3. Explain how people get out
Each marketing email you send must include an option to unsubscribe. Most people have this in place but check the rules to make sure you are in the right place.
4. Keep evidence of consent—WHO, WHEN, HOW
GDPR requires a lot of record keeping – thus we use software to tag all these records and to remember to do them! Try to keep evidence of consent with the following information:
Who / When / What information was given at the time / How (e.g. email request, download?) / Whether consent was withdrawn
5. You may be fine but probably not …
The GDPR does not compel us all to redo what we did right … so if you are compliant with the above you do not need to worry … but if you are not, you have to start implementing a strategy for past consents and of course new ones!
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
So, check what you used to do and what records you have (if any) and start a re-permission campaign …
Note that you will not be able to send marketing materials after 26 May 2018 to EU residents if you do not do this. YOU MUST THEREFORE start this ASAP!
For off the shelf solutions that can be customised for your firm, please visit our online library here where you can download our GDPR memorandum.
We are here to help ensure your firm and staff are up to speed with the scope and responsibilities of GDPR with our GDPR Services, which include training, gap analysis, providing memorandums for the board and ongoing monitoring through our Digital Compliance Assistant software.
Contact us here for more information.