If consent is your lawful basis for processing personal data of EU citizens under GDPR from 25 May 2018, it’s worth knowing exactly what constitutes consent. Our focus here is on websites, and on giving some important guidance on getting lawful consent for marketing activities.
Consent, under GDPR, must be freely given, specific, informed and unambiguous. You must have a clear affirmative action, i.e. a positive opt-in, which means you cannot infer consent from silence, pre-ticked boxes or inactivity.
If you currently have a notice saying ‘if you do not consent please tick this box’, or consent is assumed unless advised otherwise, you need to change this: it is not GDPR compliant. Make your consent requests completely separate from general T&Cs, and make it simple and easy to withdraw consent. Name any third parties who will rely on the consent.
Consent should cover all processing activities carried out for the same purposes and, if processing for multiple purposes, consent should be given for all of those purposes.
You must be able to demonstrate how the data subject has consented to the processing, which means recording who consented, how they consented, when, what they were told at the time, and whether they have since withdrawn consent. If you cannot prove how you obtained consent but are still holding or processing personal data of EU citizens, the likelihood is that you will be fined. This applies to pre-GDPR personal data too as of 25th May 2018. As an example of how seriously organisations are taking this new regulation, pub chain JD Wetherspoons took it upon itself to delete its entire customer email database in June 2017.
Data collected must be purpose relevant
Data collection must be relevant for its purpose, meaning if you have run a campaign or competition, you can only use the information for that purpose. You must obtain further consent from the data subjects for a different purpose. So marketing databases will need to be cleansed and reviewed so you can provide evidence and proof that consent has been granted lawfully and fairly, that it was used for explicit and legitimate purposes, what data has actually been collected and the accuracy of the information. Don’t worry though: having a cleaned and refined database to work with will work in your favour, as explained in further detail later.
Withdrawn consent is just as important as obtained consent!
You need to put in place a practical mechanism that manages when consent has been withdrawn. This is where many legal issues will arise, from disgruntled people who have withdrawn consent but have still had their data processed by means of a marketing email, for example. Consider using preference-management tools. The personal data you hold has to be auditable - when a person withdraws consent, do you have a log of it? Are you able to demonstrate to an authority (ICO) that the consent has been withdrawn from your system and that you are no longer marketing to them, or using consent as the legal basis for processing? This is where some form of consent data management system would be best.
You can incentivise consent, but be cautious...
You can look to incentivise consent to some extent, as there will usually be a benefit to consenting to processing, for example if joining a loyalty scheme entitles you to money-off vouchers. However, people must be able to say no without suffering a detriment. In this instance, the fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal.
Example consent scenarios accepted
- An e-commerce store offers customers the opportunity to opt in to clearly specified processing with a tick-box (originally un-ticked) during an order process. The tick-box is stand-alone and completely separate from the T&Cs and other details. ‘Separate’ would be in a different box above/below the T&Cs and contain only information regarding consent and the related data processing.
- A written declaration is included in a customer's contract containing the customer's consent to the specified types of processing, with the request clearly distinguishable from other matters in the contract.
Do I need completely fresh data before 25 May 2018?
If you rely on individuals’ consent to process data, it doesn’t automatically mean you need to get fresh GDPR-compliant consent in preparation. If your existing consent mechanism is specific, granular, clear, prominent, opt-in, easily withdrawn and all of this is properly documented, you are okay. If not, alter your consent mechanism and seek fresh GDPR-compliant consent before the deadline, or find an alternative but valid lawful basis to consent. You still have time before the deadline to work with the data you have, so take advantage of this as soon as possible.
If you need to get consent as your lawful basis for data processing, be creative with requests for consent so people want to buy into giving consent. It can become a commercial asset if you get it right! Marketing to people who want to be marketed to regarding your services/products is highly beneficial, and so is not wasting resources on those who don’t. People are becoming more aware that privacy is changing.
Having to explain what you're doing with a user's data can seem scary at first, and you may feel reluctant to change to complete transparency. Suppose your website uses a standard line of text such as "tick here if you want to receive our newsletter" with a pre-selected tick box alongside it (an opt-OUT method, which is not allowed under GDPR from 25 May 2018). Opt-IN rates could be around 25%, for example, and people are actively unticking the box, which also impacts brand sentiment to some degree.
Let’s imagine you change the tick box so it’s not pre-selected (so the opt-IN method - GDPR compliant), you then have a database of customers who have deliberately chosen to receive marketing from you. However, you still may collect less data.
Now imagine the opt-IN was completely revamped to be a nice colourful graphic which explained what sort of content the user was opting in for, how often it was sent, how easy it was to opt out, and that (in this instance) the data will not be shared with anyone. Opt-IN rates are likely to go up.
Remember that transparency engenders trust, and marketing opt-ins can benefit from this, with a little courage to change and preferably some A/B testing to optimise.
GDPR is an opportunity for Marketers!
GDPR presents an opportunity for Marketers: the opportunity to get a refined and up-to-date database of people who actually want to be marketed to and want to hear about your brand and products/services. Go through your existing database and start experimenting with great ways of introducing consent formats into your platforms. Provide transparency to generate brand trust. Provide value first and then talk about your business, and people will want to hear from you.
A great guide is the GDPR consent guidance for consultation provided by the ICO. It provides an easily navigable document with an “In brief…” intro covering each section of GDPR consent.
For more crucial insights into GDPR and preparing for 25th May 2018, read another from SOZO’s GDPR Blog:
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO - https://ico.org.uk/)