Do I need to re-consent my customer base?


With less than 30 days until 'go Live' date for GDPR (General Data Protection Regulations), there's been a flurry of activity from businesses trying to comply with the new regulations. However, there's also been a flurry of confusion, differing advice and frustration from people trying to do things and not knowing where to start or what the right thing is. 


So for part two of my GDPR blog, I've decided to cover a couple of questions which I have been asked a lot by my clients and provide my thoughts and comments on them. 

The first question is: 


Do I need to re-consent my customer base?

I don't know about you, but I've been inundated with emails from companies claiming that if I don't respond back to them, they will never be able to contact me again. I'm not saying that this is the wrong thing to do. In some instances, to comply with the GDPR regulations you will need to re-consent your base.

However with average open rates at between 20-30% and click through rates being less than 8%, with most less than 5%, you going to want to be sure you need to reconsent your base before you kick this process off and potentially cut off contact with a large proportion of your base.

So it's worth making sure you have the right basis before you work through getting further consent As we discussed in the earlier blog, consent isn't the only basis for processing your data. There are :

  • Contract
  • Consent
  • Legal Oblication
  • Vital Interests
  • Public Task
  • Legitimate Interests

So if consent is your basis for processing data, what guidance does the Information Commissioners Office give us?:

You are not required to automatically ‘repaper’ or refresh all existing DPA
consents in preparation for the GDPR. But it’s important to check your
processes and records in detail to be sure existing consents meet the
GDPR standard.
— Information Commissioner's Office

According to the ICO: 

  • Check your consent practices and your existing consents.
  • Refresh consents if they don’t meet the GDPR standard.
  • Consent means offering individuals genuine choice and control.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.  
  • Explicit consent requires a very clear and specific statement of consent.

So if you believe your consent processes already meet GDPR standards then you don't need to get further consent.  If you think they fall short, then you need to go back to your base and get consent that meets the new regulations. 

    One thing not to do is to ask for consent from anyone who has already opted-out of marketing. 

    If you are going to go back for consent, think with your marketing hat on. What would encourage someone to say yes? To help with this, I've included a recent blog from EConsultancy showing examples, good and bad, of re-consent or re-permissioning emails. 

    Once you've got the consent, don't forget as part of GDPR, you also need to show when and how you got the consent, so make sure you keep records. 

    It's worth also mentioning here the Privacy and Electronic Communications Regulations (PECR) that sit alongside GDPR and will apply to you if you are sending any electronic communication such as texts and emails. These are already in existence, so hopefully you'll already be aware, but if not, the link above will give you more information. 

    So let's look at another popular topic :

    agreement-application-business-893894 (1).jpg

    What should I put in my privacy notice?

    You privacy notice tells individuals what you are going to do with their data. There are more guidelines with GDPR and opposed to the current Data Protection Act and more emphasis is placed on making privacy notices understandable and accessible. It sets out your stall, telling individuals what data you collect on them, how you are processing it and why. As a minimum your notice should contain information on :

    • what data you hold on them and whether it is classed as sensitive data
    • who is collecting it
    • the basis for processing their data
    • what you going to do with their data
    • how long you intend to keep it
    • their rights as an individual - access, erasure etc. 
    • whether you are passing their data to 3rd parties and for what reason
    • the existence of automated decision making

    A number of industry bodies have a standard privacy notice that you can start with and tailor to your circumstances.

    This is a good time to review your notice, add in the new elements and make sure individuals can understand what you're saying. Remember it's important to be simple and clear - no jargon and no hiding of information. 

    The privacy notice should be the culmination of your GDPR work, once you know the basis for processing data, what data you are processing and what you are doing with it.  Don't try and attempt your privacy notice until you've done a data audit, so you know what data you are processing and why.

    The other thing to remember is that you need a privacy notice for your employees too. Everyone seems to be focusing on customers at the moment, your staff are also individuals who you hold and and process data on so don't forget this group of people. 

    Hopefully this has taken you another step forward on your GDPR journey. The ICO has said that this is a journey and you need to be starting it and moving forward, so the key thing here is to be taking action. 

    However, if you're stuck or this has kick-started you into action and you'd like to get more input please to contact me at Claire Best Marketing.

    There is also lots of helpful advice and GDPR from the Information Commissioners Office

    Whether you contact me or start talking to someone else, the most important thing is that you do take action. 25th May is less than 1 month away and you need to be looking at this now. 

    Disclaimer : This blog covers my thoughts and views on GDPR. I have worked with various industry bodies and lawyers and taken all reasonable care to ensure the accuracy of this blog, but I am not a lawyer. I can not take any responsibility for the consequences of you implementing anything as a result of what I have said about GDPR.