Obtaining Consent Under the GDPR

While the GDPR includes a number of important changes regarding cyber-security and data management, one of the most important changes involves strengthening the standards of obtaining consent to process data. 

Failure to obtain valid consent under the General Data Protection Regulation (GDPR) to process personal data, which includes contacting individuals, risks huge fines. The GDPR's maximum fine weighs in at a massive €20 million, or 4 per cent of annual global turnover, whichever is higher. The risks of non-compliance have increased massively and there is no room for error.

Alan & Thomas Insurance Group have been following the updates from the Information Commissioner's Office (ICO) to help your business obtain consent from prospects and clients while staying compliant with the GDPR. To comply with the GDPR's consent requirements and decide whether your existing consents meet the new higher GDPR standard, your consent mechanisms should demonstrate the following:

  • Unbundled: Consent requests must be separate from other terms and conditions.
  • Active opt-in: Pre-ticked opt-in boxes are invalid. Use unticked opt-in boxes or similar so that the individual has to actively opt in to hear from you.
  • Granular: Give granular options to consent separately to different types of data processing wherever appropriate.
  • Named: Name your organisation and any third parties who will be relying on the consent.
  • Documented: Keep records to demonstrate what individuals have consented to, including what they were told, and when and how they consented.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw consent as it was to give it, so you need simple and effective withdrawal mechanisms in place.
  • No imbalance in the relationship: Consent will not be 'freely given' if it is made a condition of providing a service.

Can I still contact my clients?

All this information around gaining consent to talk to people could paint a picture in which you can't contact your own clients. There is currently an exception to the need for express consent called the 'soft opt-in'. This means that you don't necessarily need consent to send marketing about your own similar products/services to your existing customers.

Processing personal data in this way does not require consent because it falls under the 'legitimate interests' condition, but the soft opt-in can only be relied upon by the organisation that collected the contact details, not by third parties. There are two conditions to the 'soft opt-in':

  • You gave the customer a simple opportunity to opt out when you collected their contact details
  • You give them the opportunity to opt out in every message you subsequently send

There is more to come . . . 

In addition to the GDPR, there are the ePrivacy Regulations that are set to come into force around May 2018 in order to replace the UK's Privacy and Electronic Communications Regulations 2003 (PECR). These new regulations will bring the laws around digital marketing up to date with current technologies and in line with the GDPR. This may well reduce the scope of the 'soft opt-in' but we will update you on that when we hear more.

For more information about the GDPR, please refer to the documents in each of our articles on the topic or contact us on 01202 754900.