As RedEye’s Compliance Director, there is one question I get asked all the time and that is “how do I get consent for the GDPR?” and that is usually followed by “can I use pre-ticked boxes?” And “will I need to re-permission my whole database?”.
There is a lot of confusion out there at the moment, with the ‘experts’ circling and driving herds of marketers towards the pit of consent. And to be honest I can’t blame marketing departments for seeing consent as the only route to go, as they are surrounded by a mass of nodding dogs, barking statements like “but you know that consent is the best way to go” and “think of the customer first”.
The confusion is understandable, but let me tell you, it is not all about consent.
Let’s get one thing straight, it’s not about sending a B2C email, posting something on social media or sending a SMS… that’s another story.
I’ve seen some people purport that consent for electronic marketing is the same as consent for the GDPR. It is not!
What GDPR relates to, is being able to process data for the purposes of direct marketing, which includes storage, segmentation, profiling, matching, sending direct mail, making marketing phone calls and electronic marketing in the B2B sector.
It will be a balanced relationship too, with the use you put the data, compatible and relevant to the relationship you have with the individual. At least it should be. If not, you are breaking the law now; and you don’t need to wait until May 18 to have sleepless nights.
Assuming you are doing this correctly at the moment, you only need to move from DP98 to GDPR compliance. Christopher Graham, the previous Information Commissioner said many times at events that I have attended, “if as marketers, you are complying with the current rules, you don’t need to do much more to comply with GDPR”.
That doesn’t sound like the basis for panic over consent, does it?
I think the misinformation about consent is causing marketers to ask at the beginning of the process, questions that should come at the end of the process. Most marketers won’t yet have the information needed to make a decision about the correct legal basis for processing. But getting there is a logical process, that starts at a place very familiar to marketers; the data.
Audit your data
- What have you got and what do you use it for?
- Have you got more than you need?
- Do you keep it longer than you should?
- Is what you use it for, likely to be reasonably expected by the individual, based on their relationship with you?
- Do you match data obtained from elsewhere?
The Data Protection Network, (in conjunction with the DMA and others) have produced some good guidance on legitimate interest, with a really handy template to help you with the Legitimate Interest Impact Assessment on your data. In a nutshell;
- Find out what data you have got and what you use it for
- Apply the tests using the template in the DPN guide
- Then make your decision. Can you justify legitimate interest, or will it need to be consent?
At least you will know why you are making the decision, which will help you in writing your privacy notices and consent statements if required.
Whatever basis you choose at this point will need to be applied to your current data as well as new data added to your database.
Taking the legitimate interest highway
In the case of legitimate interest, you will need to communicate to your current database the fact that you have a new privacy notice and give them the opportunity to object to direct marketing. You will need to record what you sent, to whom and when. You should only use data that you have permission to market to, this is a marketing communication not a service one, so choose the right channel to reflect the permissions you have.
Going down the consent road
In the case of consent, there is no getting round it, you will need to get your existing customers to opt in. This means communicating the specific detail relating to the use of the data, so the data subject can be fully informed before they opt in. You can use a layered approach to this, where the communication content, or the webpage they land on, has the summary details of the processing undertaken, linking through to greater detail on further pages.
You must ensure that the individual is presented with sufficient information to allow them to be said to be informed. You will need to record who opted in, what they were told at the time and have some form of verification, such as double opt in, to give an audit trail.
Quite a difference in approach
You should decide which way to go based on need. If consent is the best way to go, it should be because your use of the data presents a risk to the rights and freedoms of the individual. If this is not the case and your Legitimate Interest Impact Assessment says you can use legitimate interest, then use it.
Why put the business through unnecessary pain and your customers through unnecessary inconvenience, if you don’t need to?
Click on the image below to view RedEye’s infographic on 12 steps to prepare for the GDPR
Why not check out Econsultancy’s GDPR training course?