One of the most significant changes under the GDPR is the new standard for obtaining consent for the processing of personal data.
Most businesses who engage in email marketing to their clients or customers (data subjects) rely on their consent to such marketing. All such businesses will now have to review the consents that were obtained from the data subjects to identify whether or not the consent meets the requirements of the GDPR. Where they do not, fresh consent must be sought in order to comply with the GDPR.
Advertisers should also be aware that under the ePrivacy Regulations there are potential criminal sanctions for illegal direct marketing.
This article sets out the steps a business should take where they engage in email marketing on the basis of the consent of the data subject.
Step One: Review your marketing lists and databases for evidence of consent
Where you rely on consent as a basis for processing personal data the GDPR requires you to be able to demonstrate that you have valid consent from each data subject. The consent should include details on who consented, when, to what, how they consented and it should be checked whether they have asked that their consent be withdrawn.
Where consent was given you should examine whether the consent meets the requirements of the GDPR. In particular:
- Did the data subject clearly demonstrate their consent with a statement or affirmative action? Failure to untick a pre-ticked box is not affirmative action.
- Was the consent separate from other terms and conditions? For example, you cannot make the provision of a service contingent on consent being given where email marketing is not necessary for the service being supplied.
- Did you tell the data subject that they have a right to withdraw their consent and tell them how to do this?
- Did you tell them the purposes for which you would be using their information and are those purposes the same now?
Step Two: Refresh any consents that do not comply with the GDPR
If you hold consents which comply with all the requirements of the GDPR then you may continue to process this information. However, where the consents cannot be shown to comply with the GDPR (which is probably more likely) you need to commence a re-permission exercise.
Each individual for whom you hold personal data should be contacted and asked to provide a renewed consent that will comply with the GDPR. In order to meet the requirement of “informed” consent you will have to provide a clear notice along with this request for consent which should include information on:
- your contact details and those of your data protection officer (if you have one);
- your legal basis for processing and the purposes of processing;
- the details of any third parties who you may pass the data on to, particularly mentioning if the data will pass out of the European Economic Area (this might occur, for example, if you have a website host or backup facility outside the EEA);
- how long you will store the data for;
- the data subjects’ rights and how to access them including the right to withdraw consent;
- the right to lodge a complaint with the Data Protection Commissioner; and
- the existence of any automated decision-making including profiling.
This information will usually be contained in a Privacy Statement.
Step 3: Delete any personal data where you have not received a fresh consent
Once you have given data subjects reasonable opportunity to provide or withdraw their consent, you should permanently delete the personal data of all data subjects who fail to respond or have positively said that they do not give their consent to your processing of their data. You cannot rely on their failure to respond as an indication of their consent.
It is not enough to simply stop sending emails to the data subjects who have not given their consent. By holding their personal data on a database you are processing this data, which you cannot do without a legal basis.
Step 4: Keep clear records and maintain and implement policies and procedures
It is very important that you are in a position to demonstrate your compliance with the GDPR. You should keep clear records of the personal data you hold and the consents that have been obtained from each data subject.
You also need to ensure that you have clear privacy policies and procedures in place to show that you process personal data in compliance with the GDPR. Procedures should be set up to ensure that personal data is deleted when consent is withdrawn and to deal with circumstances where data subjects exercise their rights to access, portability, erasure, rectification, objection and restriction.
Whilst this may seem like a daunting task and one that might result in you losing a number of your contacts there may be some positives to the new GDPR rules. Businesses now have an opportunity to actively re-engage those customers or clients who are interested in receiving marketing information and lose those who are not interested. It should also result in people receiving much fewer marketing emails in general, making it more likely that they will actually look at those they do receive. There are also benefits to holding less data as it will make complying with obligations regarding record keeping and subject access requests a simpler and shorter process.