Marketing professionals are increasingly confused about the rules around consent of data subjects under the GDPR, due to become law on 25 May.
Marketers will now have to understand the bases for legally processing people's data – and much of that will involve consent of the individual. Most companies that undertake email marketing to their customers will have to review the consent given to them by people (data subjects) to identify if that consent meets GDPR requirements.
Now a crime for illegal direct marketing without consent
If that consent has not been freely given or has been withdrawn, new consent forms will have to be used to comply with the regulation. One warning is that agencies should be aware that illegal direct marketing without consent will now be a crime. The alternative is to use what is termed 'legitimate interest' as a basis for processing, but an objection from an individual will more often override any legitimate interest. A company will also have to provide reasons for legitimate interest and explain how it will not affect the rights and freedoms of the individual.
"Where you rely on consent as a basis for processing personal data, the GDPR stipulates that you need to demonstrate you have consent from every data subject," said Mike Raybone, CEO of Birmingham-based AIM Internet. "That consent will have to include details on who consented, when, to what and how they consented.
"If that consent has been given, did that person clearly demonstrate consent with a positive action, such as ticking a box on a website?
"Also the consent will need to be separate from other terms and conditions and you need to tell the person that they have the right to withdraw their consent at any time – they need to be given transparent information on how to do that.
"So the bad news is that for every person you hold information on, you will have to contact them and ask them to renew consent. You then have to delete any personal data where you don't have updated consent."
Personal data should be deleted
Once a company has given data subjects a reasonable opportunity to provide or withdraw their consent, the personal data of all data subjects who fail to respond, or who have positively said that they do not give their consent to your processing of their data, should be deleted. A marketer cannot rely on their failure to respond as an indication of consent.
Furthermore, Mike added that it is not enough to simply stop sending emails to the data subjects who have not given their consent. By holding their personal data on a database "you are processing this data, which you cannot do without a legal basis".
"Similarly, if you're buying mailing lists you need to be absolutely sure the list broker has complied with GDPR and the list has been put together lawfully. So your contract with the list broker will be vitally important to ensure everything has been done lawfully – which ensures you are acting within the regulations."