The short answer to a big question in Europe continues to be thrown around. Possibly the most contentious point of the GDPR legislation is the juggling act of defining marketing ‘consent’.
The ICO has published a useful 12-step guideline for complying with the new GDPR regulations, but there’s some real ambiguity around what the EU Article 29 Working Party’s final guidance on consent will be. Only then can the ICO apply this to marketing law, and only then can UK brands begin to operate their marketing practices accordingly. As the deadlines have slipped, there are fears that balls are starting to be dropped.
Some large brands are voicing concerns: John Lewis, British Airways and HSBC recently asked for more clarity from the UK regulator over how they can achieve compliance with GDPR, insisting its guidance is still too ambiguous to act on.
So how explicit is explicit?
An explicit consent statement will also need to specifically refer to the element of the processing that requires explicit consent. For example, as the Information Commissioner’s Office states, “the statement should specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. Other than that, the requirements for explicit consent are the same as the GDPR’s definition of consent, which is: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The acronym ‘FISU’ is a good one to memorise: ask yourself if the consent your collection process obtains is freely given, informed, specific and unambiguous, and if it isn’t, change it.
The Direct Marketing Association last month held a webinar in response to the questions posed to the ICO from over 300 of its members, and it made for an interesting discussion. The DMA’s head of legal services reinforced the viewpoints of its members, who described the draft guidance as “anti-competitive” and believed that the ICO’s view that “opt-out boxes… are essentially the same as pre-ticked boxes, which are banned” is incorrect. They also believed that the requirement to specifically name third parties relying on the consent (as opposed to categories of recipient) is “in direct contradiction of” other parts of the GDPR.
Defining consent, definitely
The ICO said on its blog about consent earlier in the year: “We’re working towards having a final version of our GDPR Consent guidance for publication in June – although this timescale may be affected by developments at European level.”
Commercial operations that use personal data to send marketing communications should: (i) identify whether they need a consumer’s consent to send that marketing communication; (ii) review whether they need to make any changes to how they seek, record and manage consent under the GDPR; and (iii) assess whether they fall within and comply with the proposed ePrivacy Regulation.
If you wish to rely on ‘soft opt-in’ for certain electronic marketing, or if parts of the draft guidance would be unworkable for your business, you might choose to wait for a more definitive view from the ICO on what consent means in practice and how it corresponds with the ePrivacy Regulation before contacting your customers with revised consent wording.
As evidence that the ICO is open to dialogue, and that data ownership and permissions are now an evolving set of laws as opposed to one fixed and often outmoded set of rules from the Data Protection Act 1998, it welcomes conversations and even has a live chat function for businesses or consumers to speak to it directly. It also has a grants programme that invites organisations to bid for funding to support independent research into privacy and data protection issues and develop privacy enhancing solutions.
The objectives of the ICO Grants Programme are to support and encourage research and privacy enhancing solutions in significant areas of data protection risk, focused on projects that will make a real difference to the UK public.
Creating a Privacy Culture for your Business
For clarification purposes, the GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Of course, close attention to rulings and regular updates is the key to keeping ahead of required compliance, and if it’s not in your bookmarks already, the ICO website should be, specifically the ‘areas to consider’ section in the link. We will of course keep updates posted here with regard to new rulings, and if you have any questions regarding your data compliance, your marketing campaigns or data management, we’re more than happy to help. All of our staff are trained on GDPR and we have a retained Data Protection Officer; drop us a line below.
What’s the biggest GDPR challenge your organisation faces?