More than offices or IT equipment, data has fast become the most important asset in any business. Brands recognise that value and are now obsessively collecting customer data from every possible avenue – asking outright as well as covertly studying behaviours. Consumers are also increasingly aware that their data has value, and they now expect to be part of a fair value exchange.
At the same time, not a week goes by without some story of data loss reaching the media – and while some are sensationalised scare stories, all are based on real data breaches that can have profound and damaging consequences for organisations and consumers alike. Seeing these stories has made many consumers more cautious when it comes to their data, demanding that organisations are responsible and transparent in the way they use it.
The Right to ‘Opt-in’
In many ways, this consumer awakening is rather unsurprising. Technology has progressed rapidly; it is no longer deemed ‘black magic’ but a subject on which most of the population can now hold an informed debate. Back in 1995, for example, a terabyte of storage would set you back over £1.5m; now it costs less than £40. Similarly, just 1 per cent of the UK population had internet access – now we carry it in our pockets.
The arrival of GDPR is a big step in enshrining consumer data rights in law, and ensuring organisations are pushed to act in the interests of these rights. GDPR states that there are six equally legal bases for processing data. The three most likely to be used by marketers are:
- Consent
- Performance of a contract
- Legitimate Interest
Under GDPR, ‘consent’ is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Put even more simply: organisations that plan to use consent as their legal basis for processing data will need to plainly inform individuals of exactly how they plan to use their data, and then ensure they get clear, unmistakable permission to do just that.
A Deeper Understanding
As marketers, it is our duty to understand exactly what GDPR requires, and ensure our organisation can comply. Looking closely at each condition of consent as set out in the text of the GDPR is crucial:
“Must be freely given”
Consumers should have genuine choice and control over how an organisation uses their data, and consent must be unbundled from other terms and conditions. In the words of the ICO, “consent cannot be a precondition for a service unless it is necessary to deliver the service.”
Organisations must clearly explain exactly what people are consenting to in a way they can easily understand; no legal mumbo jumbo – unless of course you are targeting solicitors.
The request for consent must be detailed: organisations should clearly identify themselves as the data controller, clarify each processing operation they will be performing and collect separate consent for each (unless this would be “unduly disruptive or confusing”). Finally, organisations must describe the reason behind each data processing operation and notify people of their right to withdraw consent at any time.
It must be clear that the person has consented and what they have consented to with an affirmative action (i.e. no pre-checked boxes). Nothing can be presumed; therefore, silence would not be a valid form of consent.
Crucially, these ideas are not new. Under the Privacy and Electronic Communications Regulations, email marketing is primarily consent-based. While GDPR does more tightly define what constitutes consent under the law, this approach (being honest and transparent) has been preached as best practice for several years – though, until now, organisations were not compelled by law to comply.
What’s more, GDPR is clear that controllers must be able to demonstrate that consent was given when using consent as their legal basis. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
Make no mistake: GDPR is big and will require much work to meet the May 25th deadline. For those who decide to go down the consent route, the next few months are critical for marketers in ensuring that your organisation has full and proper consent from its customers, and that everything is properly documented. It’s a long road ahead, but certainly worth the effort.
By Skip Fidura, Client Services Director at dotmailer