The GDPR deadline is only seven months away and businesses need to start reviewing their data collection, handling and processing now to ensure they’re keeping on top of the new compliance regulations. The Information Commissioner’s Guidance (ICO) has put together some information for businesses surrounding GDPR, which details that individuals will need to have more control over their personal data and that businesses need to provide a means by which they can do so. It’s about giving genuine choice to people, so that means defaulted elements such as pre-ticked checkboxes can’t be used anymore.
We’re going to take this opportunity to talk in more detail about GDPR-approved consent for marketers and hope to provide a clearer picture of what makes a GDPR marketing opt-in.
Clear on Consent
In the ICO’s guidelines, they state that the consent process needs to be “specific, granular, clear, prominent, opted-in, documented and easily withdrawn.” Essentially, your consent options need to follow specific requirements in order to be accepted under GDPR once it comes into effect.
Firstly, any consent processes on your website need to be separated from other terms and conditions. This is known as being unbundled. This way, you’re making what you’re asking of an individual much clearer and more prominent, without them being confused by other information.
Active Opt-In - Many businesses already use this kind of consent option on their websites. For example, an individual will enter their email and then actively select a checkbox to subscribe to something you have offered (blog posts, newsletters etc.). One way your business can make this process even better is to have the individual enter their email address twice. This way, you’re absolutely certain that they are actively opting-in and consenting.
Granular - Granular consent is where you provide different consent types for different types of processes. For example, you could have your consent split up into different segments such as channels:
- Yes, I would like to be sent marketing communications by email
- Yes, I would like to be sent marketing communications by telephone
- Yes, I would like to be sent marketing communications by SMS (text message)
- Yes, I would like to be sent marketing communications by post
- No, I do not want to be sent any marketing communications at all
This is great because you’re providing an individual with more choices and they still have to actively opt-in.
Named - If needed, this is where you would include any and all names (including third parties) that handle, process or rely on the consent given. For example:
- I want to receive communications from [BUSINESS 1]
- I want to receive communications from [BUSINESS 2]
- I want to receive communications from [BUSINESS 3]
This would demonstrate clearly to the individual which parties would be involved in the handling of their data and you’re giving them the option to actively opt-in. You’re starting to see the pattern here, aren’t you?
Easy to Withdraw - If it’s quick and easy for an individual to give consent, then the consent withdrawal process should be just as quick and easy. Again, many businesses have this option as standard best practice. Some do it better than others. Although you may not want to lose a contact, it is important that they have been given the choice to opt-out.
Right to Erasure - One thing many businesses don’t yet offer is a way to delete an individual’s personal data permanently. If you do offer this, you’ll be in line with GDPR practices, so it’s definitely something to consider providing.
Understanding Legitimate Interest
This one is a bit trickier to grasp. “Legitimate interest” under GDPR is essentially a legal justification for processing someone’s personal data if it’s seen as being relevant. This is more aimed at those who do direct/outbound marketing such as calling an individual.
However, there’s still not a great deal of clear-cut guidance on this. The right of a business and the right of a customer can be a bit of a battle. So think: if you need to use personal data for direct marketing, is it classed as “legitimate interest” because:
- There is an absolute necessity to do it
- The individual is expecting to be contacted due to consent provided
Legitimate interest will need to work on the basis that explicit consent has been provided in the first place. If an individual has opted-out from the beginning, it’s best to let that one go in the interest of your business.
Marketing Campaigns & Emails
When sending out marketing campaigns via email marketing, you still need explicit consent from any individual in order to do so.
However, there is an exception rule called “soft opt-in”. This applies to your existing customers. For example, the way that soft opt-in would work would be if:
- An individual has recently purchased a product or service from you
- They have given you their personal details
- They did not opt-out of marketing communications (assuming that you provided a simple opt-out process in the first instance)
It’s likely that they are happy to continue receiving marketing information from you about similar products or services - even though they haven’t explicitly provided consent. The important bit to remember here is that you need to always provide a way for them to opt-out in all your messages that you send to them.
Check In With the TPS
If your business still does any form of outbound or direct marketing such as contacting people via telephone, you’ll need to review this as well. If an individual has registered their telephone or mobile number with the Telephone Preference Service (TPS), this opts them out of receiving unwanted calls and texts.
Whether or not a number has been registered with the TPS, we do advise that you still ask for clear consent. By asking for explicit permission you’ll be taking the right steps in the eyes of GDPR. Ensure that you clearly spell out exactly how and what a person’s details will be used for - if they actively opt-in, they’re giving you their consent to be contacted.
Keeping Records is Vital
It never used to be essential to keep records under the Data Protection Act, but with GDPR keeping records of every consent you receive is pretty important. It’s mainly to do with having the essential evidence that you can show to an authority (or individual) should you ever be challenged or there is a dispute.
The earlier you can start with your GDPR consent reviews, the better it will be for your business to get it just right. Don’t feel like GDPR will be a hindrance to your data collection. Instead, think of it as a way to collect even more qualified leads. And the more qualified the lead, the more quality they will bring to your contact database and the more likely they will be receptive to what you have to offer them.
Download our GDPR for Business Toolkit today to help you get started on your compliance and data reviews before the May 25th deadline.