Monday, February 26, 2018
One of the most significant changes under the GDPR is the new standard for obtaining consent for the processing of personal data.
Most businesses who engage in email marketing to their clients or customers (data subjects) rely on their consent to such marketing. All such businesses will now have to review the consents that were obtained from the data subjects to identify whether or not the consent meets the requirements of the GDPR. Where they do not, fresh consent must be sought in order to comply with the GDPR.
Organisations should also be aware that under the ePrivacy Regulations there are potential criminal sanctions for illegal direct marketing.
This article sets out the steps a business should take where they engage in email marketing on the basis of the consent of the data subject.
Step One: Review your marketing lists and databases for evidence of consent
Where you rely on consent as a basis for processing personal data the GDPR requires you to be able to demonstrate that you have valid consent from each data subject. The consent should include details on who consented, when, to what, how they consented and it should be checked whether they have asked that their consent be withdrawn.
Where consent was given you should examine whether the consent meets the requirements of the GDPR. In particular:
Step Two: Refresh any consents that do not comply with the GDPR
If you hold consents which comply with all the requirements of the GDPR then you may continue to process this information. However, where the consents cannot be shown to comply with the GDPR (which is probably more likely) you may need to commence a re-permission exercise, however care should be taken to ensure a consent exists in the first place. Organisations should also check whether they can avail of other legal grounds for processing for marketing purposes under the ePrivacy Regulations – i.e. business to business marketing and/or commercial marketing.
A legal ground for processing under GDPR will still be required where one of these grounds exists.
Where a re-permission exercise is undertaken, each individual for whom you hold personal data and a consent, should be contacted and asked to provide a renewed consent that will comply with the GDPR. In order to meet the requirement of “informed” consent you will have to provide a clear notice along with this request for consent which should include information on:
This information will usually be contained in a Privacy Statement.
Step 3: Cease processing where applicable
Where you have given data subjects reasonable opportunity to provide or withdraw their consent, and where they have either not responded or they have objected to the processing, you should then cease such processing. Failure to respond does not amount to consent.
Step 4: Keep clear records and maintain and implement policies and procedures
It is very important that you are in a position to demonstrate your compliance with the GDPR. You should keep clear records of the personal data you hold and the consents that have been obtained from each data subject.
You also need to ensure that you have clear privacy policies and procedures in place to show that you process personal data in compliance with the GDPR. Procedures should be set up to ensure that personal data is deleted when consent is withdrawn and to deal with circumstances where data subjects exercise their rights to access, portability, erasure, rectification, objection and restriction.
Whilst this may seem like a daunting task and one that might result in you losing a number of your contacts there may be some positives to the new GDPR rules. Businesses now have an opportunity to actively re-engage those customers or clients who are interested in receiving marketing information and lose those who are not interested. It should also result in people receiving much fewer marketing emails in general, making it more likely that they will actually look at those they do receive. There are also benefits to holding less data as it will make complying with obligations regarding record keeping and subject access requests a simpler and shorter process.
For more information on this topic, please contact Eoghan Doyle.