Consent - one of the misunderstood cornerstones of GDPR
I'm sure I can't be the only person who saw a deluge of emails into their inbox in the ten or so days leading up to Friday 25th May 2018.
If it were an orchestra, this score may have had a muted opening sequence but by the time it got to the climax, the crescendo was running full blast!
Some were real relics from the past, the email from a person or company I had bought goods and services from so many years ago the product itself had long since been confined to the memoirs - and yet they were so conversational, "Hi, you bought from us in 1998 and we would love to keep in touch with you but we won't be able to unless you tick the consent box below" - er 'No'. This might have been funny if it happened once, but it happened so many times I stopped ticking 'No' and just went for the Delete button instead.
Or the emails from companies I deal with every day, including a good number of suppliers, who suddenly felt the need for me to refresh my consent.
Admittedly, some were spooky, asking me to continue to give consent to something I had no recollection of ever giving consent to in the first place, and come to that no idea who the company or person was. No, No, No - if you've not asked me out on a date for 3 years don't let the first question to come out of your mouth be "Will you marry me?".
Sorry if this post has started off as a bit of a rant but even I was really astonished by the volume of consent emails, most of which were destined straight for the recycle bin. It did act as a firm reminder that marketing people per se have lost sight of cost, and if you've lost sight of cost, chances are you've lost sight of value too.
And yet the tragic part was not the volume of emails, but that probably 80% of them were totally unnecessary.
Let's say it now, loud and clear, and especially to our many friends from the US and the rest of the world outside of the EU. Consent is not required for every communication under GDPR.
There, I've said it, the rabbit is out of the hat - consent is only one of the options available which mean you can legally keep the details of, and communicate with, individuals within the EU and UK.
So what are some of the other lawful reasons?
- Contractual
If you have a contract with the person involved, whether that is written or verbal, you do not need that person's consent to continue to keep their information and communicate with them - there are a couple of provisos on this but that's a discussion for another day.
- Legal Requirement
If there is a legal requirement to keep the data and/or contact the person, there is no need to gain their consent. So for example, you don't need the consent of your employees to hold information about them, nor to retain that information where you need to do so for taxation or other official purposes.
Again, use a little common sense though: you can only communicate with your employees without their consent on matters wholly related to their employment with you. This is not an excuse to send them an email with your latest store offers.
- Vital Interests
If it is in the data subject's (the person's) vital interest that you retain their information, you do not need their express consent to do so. An example might be recording on someone's HR record that they are diabetic or pregnant.
- Public Task
If your organisation is performing a Public Task, you do not need permission to hold data on data subjects, providing the data is relevant to that public task. Check in each individual country to see what your local legislation has determined is a public task.
- Legitimate Interest
If you can prove that you have a legitimate interest in holding the information on a data subject, you do not need to gain their express consent. For this to hold true, however, you must carry out an assessment and document the results (retain the results in your GDPR folder along with all other GDPR reports in case they are needed at a later date).
So there we have it, and as you will see, there are many reasons why consent is not the only answer, and indeed is often not needed at all (there has been a specific 'gotcha' though with regard to business to consumer (b2c) emails being sent to business email addresses without express consent, and how that can be regarded as a data breach, but that's for another post on another day).