GDPR Legislation – Everything you need to know about Consent

The General Data Protection Regulation (GDPR) is a new mandatory European ruling, which governs the data protection rights for all individuals within the European Union.

GDPR requirements are changing the ways that companies process, store and protect customer data. If you carry out business with European citizens which involves the processing of their personal data, then this legislation will apply to you. Though it was initiated on the 27th April 2016, a 2-year grace period was permitted to allow businesses to prepare for the changes. Therefore, the regulation comes into force on the 25th May 2018. Failure to comply after this date can result in fines of up to £20 million, or 4% of a company’s annual turnover, whichever is greater.

Individuals’ Right to Consent

Consent is a very key part of the new GDPR legislation and any website that collects personal data must obtain specific permission to use it within their business. Consent must be “knowingly and freely given” and visitors to your website must understand exactly how you are planning on using their data and must agree to each specific purpose. That means if you have someone’s email address because they have placed an order with you, or have have signed up to become a member of your website, you are only allowed to market to them or send them promotional emails if they have agreed to this.

Alongside gaining content, companies are now required to be able to track this consent, with a record of how and when an individual granted permission. There must also be details of what they were told at the time. Individuals have the right to access, modify or delete any information that a company holds on them when requested.

How to Comply:

  • Ensure that any area on your website where people share contact details offers clear information about what the data is going to be used for. You must state the purpose for obtaining their personal data, what you will do with it, how long it is stored for and who will see it.
  • Do not use pre-ticked boxes, soft opt-ins, or implied consent to grow your list. People need to provide active consent in order for their data to be used.
  • Make sure that the consent on your marketing lists can be tracked for each contact, proving they’ve given permission to your use of their data.

Withdrawing Consent

As well as a right to give informed consent, individuals also have a right to retract that consent at any time, and have the “right to be forgotten” (e.g., opt out and unsubscribe). This means that if someone requests an organisation to delete their data, it should be acted on immediately provided there’s no “compelling reason” for the business to continue storing or processing that data. The data must be deleted from all backups, and the organisation should have proof of the deletion. It must be just as easy to remove consent as it was to grant it, and individuals always need to know they have the right to withdraw their consent.

How to Comply

  • Previously granted consent needs to be easily retractable by the individual, and any objections to specific data uses need to be acted upon immediately.
  • Your present data handling routines could need to change to allow individuals to request objections and for “the right to be forgotten” (their data to be deleted).
  • Ensure that you can delete identifiable data about a person completely and in an auditable manner.

But Don’t Forget the Rest!

Although matters of consent, erasure and deletion will be some of the most important points to implement into your marketing practises when GDPR comes in to place on 25th May, you can’t forget that there are also other crucial points to abide by that aren’t just matters for the marketing team. GDPR also provides crucial legislation regarding areas like data breach handling, protections for children, and appointing in-house data protection officers. It is also important to know that GDPR isn’t just about data surrounding consumers and prospects – it refers to all individuals. That includes the data that a company holds about its employees.

Finally, you must make sure your whole team is trained thoroughly on all aspects of GDPR, and are dedicated to keeping your company compliant. Employees should be aware of their new responsibilities to those you hold data about, and be able to answer any questions that customers may be asking about how you handle their data under GDPR legislation.