With GDPR just around the corner, we are taking a closer look at some of the areas people are unsure about. Last time we looked at marketing and PECR, and this time we will concentrate on the issue that appears to be causing the greatest concern, conditional consent.
Consent is just one of six lawful bases under GDPR: consent; contract; legal obligation; vital interests; public task; legitimate interests. However, people have become hung up about it, believing they are being prevented from contacting customers and clients because of the need to ask for consent first.
One of the advantages of getting consent properly is that it is unambiguous, meaning you can be confident the Data Subject (aka client or customer) knows what they’ve consented to and what to expect. The disadvantage is that it’s easy for the Data Subject to withdraw consent, and sometimes it’s quite hard to get it in the first place.
Getting clear and unambiguous consent
At the moment, existing levels of consent are very woolly, if they exist at all. In fact, most businesses will have contacts on their database who have never given consent.
One of the more onerous outcomes of GDPR is that we must keep records proving who gave consent, as well as when and how they gave it, and that it was given under the following terms:
‘Freely given’ means you cannot ‘bundle’ consent with other things. So if someone is buying goods or services from you, you cannot have one tick box as a bundled consent to the T&Cs as well as future marketing emails. After 25 May, these consents must be obtained via two boxes that are specific and unambiguous about each consent.
In order for consent to be provable, there must be an affirmative opt-in – the trick that many companies currently use is to have pre-ticked boxes that people actively have to opt out of. This kind of ruse will not be allowed under the new Regulations.
Therefore consent gives people the power and ability to determine what happens with their data, and for that consent to be valid, all four terms must be followed.
The ICO’s initial statement about consent was not particularly clear and people made the assumption that it was the most important part of GDPR.
However, recent clarification about legitimate interest is less ambiguous, which is good news for companies, and the subject I will cover in the next blog.