One of the most impactful outcomes of the GDPR is the principle of ‘explicit consent’. Just google the word and you’ll find more than 12 million articles. And just so you know, googling GDPR gives you about 5 million results… So yes, there is much to say and read about ‘explicit consent’ under the GDPR.
Then why is it such an important topic? Well, although you could say that the GDPR is just an update of Directive 95/46/EC (the 1995 Data Protection Directive), the definition of ‘consent’ is very much restricted. Where under Directive 95/46/EC you could still rely on implicit or ‘opt-out’ consent, the GDPR now requires an agreement from the data subject through ‘a statement or a clear affirmative action’ and ‘explicit consent’ for sensitive data.
That said, there are two types of reactions in the market today. You have those who are going to put tick-boxes everywhere and ask permission from everybody for everything, just to be sure… Or you have those who have discovered the notion of ‘legitimate interest’ in the GDPR and are trying to legitimise every single data-processing activity under this label. However, as always with these kinds of regulations, the truth lies somewhere in the middle.
The simplest answer is not to go for ‘one size fits all’. The answer may seem simple, but actual implementation is far from it. Start by looking at all the data you collect. Yes, I know for some of you that already seems a task that’s too difficult to even contemplate. But if we, as marketers, keep saying that we need data to be more customer-centric, then at least we can start by mapping what kind of data we collect and how we process it.
Once you have mapped all of that information (and, yes, I am aware for some companies this will take some weeks), start looking at each single process. Determine which parts of your data collection, and the processing linked to it, might come under the principle of ‘legitimate interest’* and which come under ‘explicit consent’. And don’t try to find the easy way out. It is not as simple as differentiating between all the data related to your existing customers and all the data relating to your prospects.
Let’s try to clarify things with an example. When they browse a real estate website, people leave their personal details if they’re interested in a specific property. It is perfectly understandable that, once this data has been entered, the real estate broker linked with this property will contact the potential buyer. So that would clearly be a case of ‘legitimate interest’. However, you cannot use this reasoning to start sending this person a weekly newsletter with new properties for sale in the same neighbourhood. To do this, the real estate website needs to obtain the would-be buyer’s consent.
But coming back to your specific business, think every step through thoroughly and decide where you need ‘explicit consent’, how you are going to ask for it and what information you will need to provide about how the data is processed. And don’t forget that a person has the right to withdraw this consent at any time, and that withdrawing it should be as easy as giving it was in the first place. (So, don’t hide a line somewhere in your privacy statement saying that they need to send a handwritten letter to some legal department.)
And let’s be honest, over recent years – and probably also for the years ahead – your marketing strategy has been focused on being more customer-centric. Being transparent about all aspects of personal data is part of this customer-centricity. So, roll up your sleeves and start mapping.
* There are 6 lawful reasons to process personal data (article 6 GDPR). Legitimate interest is one of these and is explained in more detail in recital 47 of the GDPR: “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”