GDPR: Do you need to ask for consent again?

13 June 2018 - 20:46, in News

When it comes to complying with the new General Data Protection Regulation – or GDPR – one question stands out:


Do subscribers need to re-consent to receiving marketing mail-outs?

Drawn up by the European Commission, the GDPR is the biggest change to EU data protection laws for years. Companies have been feeling the pressure to comply, which has led to a spate of re-opt-in emails: “Do you want to still receive our emails?”

[Image: GDPR: An example of a company asking for re-consent]

Given that the re-opt-in email can easily be overlooked, the effect could be devastating for businesses that rely heavily on mailing lists for sales. A mailing list that has taken years to acquire could be wiped out in the space of a week.


So let’s get some clarity from an authoritative figure on the matter. And who better than someone from the European Commission (EC).

The topics covered in this post include:


  • What is GDPR?
  • Who are the EC targeting with GDPR?
  • Approach of the EC to data protection
  • Business cards and consent
  • GDPR Online tools and guidance
  • The EC wants your feedback
  • Our view on small business and re-consent


You should read this if you:


  • Have sent re-consent emails to subscribers
  • Run an EU or non-EU-based company with business interests in the EU

Claire Bury, the Deputy Director General at DG Connect – a department of the EC – discussed GDPR and the matter of re-consent in a BBC interview. We’ve extracted the best bits.

What is the GDPR?


The General Data Protection Regulation – or GDPR – lays down the rules on data protection and privacy for EU citizens. It came into force on 25th May 2018. For the official European Commission website on GDPR click here.

GDPR: An update to existing data protection laws


In the interview, Claire Bury clarified that GDPR is an “updating and upgrading [on existing data protection laws in the EU]” and that “we are much more specific about what we call ‘consent’”.

In addition to the updating of the existing data protection laws, Claire mentions other updates on transparency, rules on data breaches, enforcement and penalties for non-compliance.

Small Businesses and GDPR


It was recognised that some small companies rely heavily on their mailing lists and – in the course of trying to comply with GDPR – could inadvertently lose significant business as a result.


The response from Bury should come as some relief.


“Of course, I would say that small businesses were not the main target.” She continued: “those who have taken steps [to comply] – which were done in good faith and all honesty should not be punished. They should not be the ones to suffer.”

“It’s not one size fits all”


Bury expanded on the main points of GDPR and highlighted that the EC’s approach is “rather flexible” and “risk-based” and that “While we say that there is going to be one rule... At the same time it’s not one size fits all.”


“if there is a legitimate interest of an association then this would be a justification also for keeping data”

Claire Bury, European Commission


She followed with some useful examples of the new laws in practice. Bury expressed that consent has to be ‘affirmative’ but she added that “there are other grounds [for which data could be kept]. So, for example, if there is a legitimate interest of an association then this would be a justification also for keeping data.”

Business cards: Does that represent consent?


The conversation moved on to business cards. Topping up your mailing list with emails from business cards is common practice. But under GDPR, is it a legitimate way to build a mailing list?


Bury clarifies the matter.


“We don’t in any way want to undermine that [method]…if someone has given you a card…that is basically a consent… to have their information”


But Bury called for regular checks for consent: “what we’re asking as well is that there are checks from time to time…. we have to be flexible, reasonable and pragmatic”.

[Image: GDPR: Make it easy to unsubscribe]

Opt-out option


The Deputy Director General stressed that an opt-out feature should be available: “[make] sure that those who are on the list can opt-out if they choose to opt-out”.

GDPR: Online tools and guidance


Bury acknowledged that it has not been easy for companies to adjust to the new rules but the EC has been offering online tools, support and guidance. In addition to that, they are working with national data protection authorities in Member States (in the UK that’s the Information Commissioner) to help companies with GDPR compliance.


For national data protection authorities in all Member States download the PDF document from here.

“Actions and Money”


Bury reassured listeners that the EC were monitoring the “situation” and that the EC: “…will be supporting where needed not just with words but also with actions and money”.

The EC want your feedback


She reiterated that there is a ‘bump’ in the road as companies adjust to the new rules but the EC were keen to get feedback on GDPR and that they would “find a way forward”.

Our View


Based on the response from Claire Bury, our view is that GDPR targets the Googles and Facebooks of the world – large multinationals – not small to medium-sized companies. Unless the main focus of your business is collecting and disseminating personal data, we think it is unlikely you will be required to get subscribers to re-consent to receiving mail-outs.



Listen to the full interview on the BBC website

Learn about Claire Bury here.

DG Connect represents the European Commission’s ‘Directorate‑General for Communications Networks, Content and Technology’. According to the DG Connect website, the department is responsible for developing a ‘digital single market to generate smart, sustainable and inclusive growth in Europe.’
