The GDPR deadline has long since passed and businesses need to now be reviewing their data collection, handling and processing to ensure they’re keeping on top of the new compliance regulations.
The Information Commissioner’s Office (ICO) has put together some information for businesses surrounding GDPR which detail that individuals will need to have more control over their personal data and businesses need to provide a means in which they can do so. It’s about giving genuine choice to people, so that means defaulted elements such as pre-ticked checkboxes can’t be used anymore.
We’re going to take this opportunity to talk more in detail about GDPR-approved consent for marketers and hope to provide a clearer picture of what makes a GDPR compliant marketing opt-in.
Clear on Consent
In the ICO’s guidelines, they state that the consent process needs to be “specific, granular, clear, prominent, opted-in, documented and easily withdrawn.” Essentially, your consent options need to follow specific requirements in order to be accepted under GDPR.
Firstly, any consent processes on your website need to be separated from other terms and conditions. This is known as being unbundled. This way, you’re making it much clearer and more prominent in what you’re asking of an individual, without them being confused by other information.
Active Opt-In - Many businesses already use this kind of consent option on their websites. For example, an individual will enter their email and then actively select a checkbox to subscribe to something you have offered (blogs posts, newsletters etc.). One way your business can make this process even better is to have the individual enter their email address twice. This way, you’re absolutely certain that they are actively opting-in and consenting.
Granular - Granular consent is where you provide different consent types for different types of processes. For example, you could have your consent split up into different segments such as channels:
Yes, I would like to be sent marketing communications by email
Yes, I would like to be sent marketing communications by telephone
Yes, I would like to be sent marketing communications by SMS (text message)
Yes, I would like to be sent marketing communications by post
This is great because you’re providing an individual with more choices and they still have to actively opt-in.
Named - If needed, this is where you would include any and all names (including third parties) that handle, process or rely on the consent given. For example:
I want to receive communications from [BUSINESS 1]
I want to receive communications from [BUSINESS 2]
I want to receive communications from [BUSINESS 3]
This would demonstrate clearly to the individual which parties would be involved in the handling of their data and you’re giving them the option to actively opt-in. You’re starting to see the pattern here, aren’t you?
Easy to Withdraw - If it’s quick and easy for an individual to give consent, then the consent withdrawal process should be just as quick and easy. Again, many businesses have this option as standard best practice. Some do it better than others. Although you may not want to lose a contact, it is important that they have been given the choice to opt-out.
Right to Erasure - Also called 'Right to be Forgotten'. One thing many businesses don’t yet offer is a way to delete an individual’s personal data permanently. If you do offer this, you’ll be in line with GDPR practices, so it’s definitely something to consider providing.
Understanding Legitimate Interest
This one is a bit trickier to grasp. “Legitimate interest” under GDPR is essentially a legal justification for processing someone’s personal data if it’s seen as being relevant. This is more aimed at those who do direct/outbound marketing, such as calling an individual.
However, there’s still not a great deal of clear-cut guidance on this. The right of a business and the right of a customer can be a bit of a battle.
Legitimate interest basically states that you don’t need specific consent to store a person’s data, as long as you have a clear and valid reason for doing so. If you are in the business of producing shoes for retailers, you couldn’t legitimately claim that you have an interest in processing the data of those who have shown an interest in buying oranges.
Since the ICO hasn’t provided specific guidelines for legitimate interest, it is then up to each entity to provide a Legitimate Interest Assessment (LIA). This is a document that you must create if you are to claim you are holding and processing data under this stipulation. This document needs to be provided as evidence that you can claim an interest in the data of a business or an individual without given consent.
So, the shoe producer should not have individuals who are interested in buying oranges listed in their LIA as this would not stand up as legitimate interest if their data processing was ever questioned.
Marketing Campaigns & Emails
When sending out marketing campaigns via email marketing, you still need explicit consent from any individual in order to do so.
However, there is an exception rule called “soft opt-in”. This applies to your existing customers. For example, the way that soft opt-in would work would be if:
- An individual has recently purchased a product or service from you
- They have given you their personal details
- They did not opt-out of marketing communications (assuming that you provided a simple opt-out process in the first instance)
It’s likely that they are happy to continue receiving marketing information from you about similar products or services - even though they haven’t explicitly provided consent. The important bit to remember here is that you need to always provide a way for them to opt-out in all your messages that you send to them.
Check In With the TPS
If your business still does any form of outbound or direct marketing such as contacting people via telephone, you’ll need to review this as well. If an individual has registered their telephone or mobile number with the Telephone Preference Service (TPS), this allows them to be opted-out of receiving unwanted calls and texts.
Whether or not a number has been registered with the TPS, we do advise you to still ask for clear consent. By asking for explicit permission, you’ll be taking the right steps in the eyes of GDPR. Ensure that you clearly spell out exactly how, and for what purpose, a person’s details will be used - if they actively opt-in, they’re giving you their consent to be contacted.
Keeping Records is Vital
It never used to be essential to keep records under the previous Data Protection Act, but with GDPR, keeping records of every consent you receive is vital. It’s mainly to do with having the essential evidence that you can show to an authority (or individual) should you ever be challenged or there is any dispute.
The earlier you can start with your GDPR consent reviews, the better it will be for your business to get it just right. Don’t feel like GDPR will be a hindrance to your data collection. Instead, think of it as a way to collect even more qualified leads. And the more qualified the lead, the more quality they will provide your contact database and the more likely they will be receptive to what you have to offer them.