The last piece of the GDPR jigsaw – the Information Commissioner’s Office’s guidance on consent – has finally been put in place, with a warning that companies embarking on a barrage of repermissioning emails could be wasting their time.
Early last week, Decision Marketing exclusively revealed that the ICO had vowed to published the guidance within a fortnight and the regulator has made good on its promise. However, in a blog post unveiling the advice, deputy commissioner Dave Wood strikes a note of caution.
He said: “From marketing agencies, to clubs and associations, to local authorities, consent has been a hotly debated topic. Some of the myths we’ve heard are, ‘GDPR means I won’t be able to send my newsletter out anymore’ or ‘GDPR says I’ll need to get fresh consent for everything I do’. I can say categorically that these are wrong, but if misinformation is still being packaged as the truth, I need to bust the myth that you not need to automatically refresh all existing consents in preparation for the new law.”
While conceding that “GDPR sets the bar high for consent”, and stressing the importance to check processes and records to be sure existing consents meet the GDPR standard”, he added: “Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.
“If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent. Before sending emails consider what the most effective way is to reach your customer – it may not be email. Consider a data protection by design approach – where can this information be embedded to have the best impact.”
Reiterating Commissioner Elizabeth Denham’s assertion that consent is not the silver bullet for GDPR compliance, Wood added “consent is one way to comply with the GDPR, but it’s not the only way”.
“Scaremongering about consent still persists but the headlines often lack context or understanding about all the different lawful bases organisations could use for processing personal information under the GDPR,” Wood concluded.
For more information, visit the ICO website>
Final GDPR consent guidance to be published in 2 weeks
DMA demands answers over threat to third-party data
ICO stands firm on ‘over strict’ GDPR consent guidance
Third-party data crackdown will wreak havoc says DMA
DPN joins calls for more urgency over GDPR guidance
UK bodies publish GDPR ‘legitimate interests’ guidance
GDPR fears mount over delay to ICO consent guidance
Industry on alert over third-party data legal crackdown