Given the amount of anger and frustration I have seen, both first hand with our subscribers and on social media, regarding the GDPR and consent, I am tempted to believe that both will soon be added to the ever-growing list of naughty words.

In 2003 the Privacy and Electronic Communication Regulations (PECR) were introduced to govern how privacy is protected within an online or connected environment. Since GDPR became law in May 2016 and in the lead-up to enforcement on May 25th 2018, a large proportion of businesses have focussed on direct marketing and some have believed that the GDPR is wholly about getting consent, for everything.

Data protection law is not just about direct marketing or gathering consent. The GDPR is essentially a more comprehensive approach to how companies should manage personal data and gives individuals more rights. It also puts a duty on companies to document the who, what, when, where and why of how they manage personal data.

Direct marketing has come into focus because everyone receives spam or mass emails and this is an area of personal data which is 'revenue generating'. Not everyone will understand the need for extra protection around special category data or keeping a Record of Processing Activity (ROPA) and so the assumption about the GDPR is that every business needs consent for everything.

Reading through the ICO's guidance on each of the 6 lawful bases for processing can be confusing. For example, you do not need consent to send postal marketing, as you can claim you have a legitimate interest. However, as a business you may decide to gather consent to send postal marketing to ensure the postal audience targeted is engaged. It is up to you as a business to decide this.

Equally, you do not necessarily require consent to send email marketing if soft opt-in can be applied and the recipient hasn't already unsubscribed. The ICO state: "The idea is that if an individual bought something from you recently, gave you their details, and did not opt-out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven't specifically consented". However, soft opt-in cannot be used for fundraising purposes.

It is also worth noting that whilst consent is required to send unsolicited email marketing to individuals, it is not necessarily required for B2B email marketing, for which you can claim legitimate interest.

There are different requirements for how you can market to different recipients, whether by email, post, SMS, telephone or even fax. You need to determine which lawful basis you are relying on for each purpose, ensure each is fair and document them. Above all, you must explain to individuals how and why you are using their personal data.

At Protecture we have created a consent matrix to help you understand where you may want to gather consent and where it is necessary.

Just remember that consent and GDPR aren't rude words, and that using the ICO guidance and gaining help from knowledgeable sources can set your business up to be ready for May 25th and beyond.

For more information please contact