GDPR: How to know if you should repermission customers for consent

A panel of experts explain how organisations can establish the need to repermission their customers for marketing consent in preparation for GDPR. 

In a new series, MyCustomer speaks with a panel of experts to try to bring clarity to some of the more opaque areas of the impending General Data Protection Regulation (GDPR).

Last time, we examined the issue of “legitimate interest”, with our team of experts answering what legitimate interest is and how to know if your use of data qualifies.

In the latest in the series, the panel is exploring repermissioning – specifically, how to know if you need to repermission your customers for consent to continue using their data.  

How do you know if your organisation needs to repermission its customers for consent?

Jim Roberts, director and founder, BlacklerRoberts 

Before looking at any need for repermissioning you first have to understand consent and whether your business has the appropriate consent required to be GDPR compliant and that you have chosen consent as your lawful reason for processing personal data. So if we assume consent is the path you have chosen, looking at the regulation it states:

"Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to processing of the Personal Data relating to him or her".

So three core elements:

1. Specific, informed & unambiguous;
2. Affirmative action;
3. Freely given.

So the first part of any repermissioning exercise is to understand how, where and when you ask consent. Once you have identified this then consider the following questions on the consent to determine if it is valid?

1. Is an affirmative action required to give consent? Or are you using pre-ticked boxes, which default to consent?
2. Is it a specific consent or general question not providing clear understanding of what is being consented to?
3. Are you making consent conditional on some activity, e.g. entry to a competition?

Note: A secondary point and no less important for GDPR is being able to prove consent, so do you have history of consent (when it was obtained, how it was obtained and where it was obtained)?

If we assume the consent requests are at least consistent, at this point you will have a series of consent points with several possible options:

1. Consent provided and asked in a GDPR compliant fashion.
2. Consent provided but not compliant to GDPR.
3. Consent not provided or removed.

The only time you need to consider repermissioning is if you are sitting in option 2. If consent is provided and asked in a GDPR compliant fashion, why do you need to re-ask? If you do not have consent, then you cannot then ask for permission or you risk breaking existing DPA and PECR rules.

Looking at option 2 you then need to decide do I have permission to speak with them to clarify consent (be specific, remove ambiguity). So for existing customers who have not removed consent for marketing, can I use existing soft opt-in rules to email them with details of your marketing services and consent options, remembering they must be GDPR compliant, so an affirmative action, freely given, informed and not ambiguous.

On the actual activity of completing a repermissioning exercise, it is important to ask several questions to consider how responsive this audience will be :

• How old is the personal data? If this consists of old data (which is dependent on your industry, but let’s assume 24 months or older) and you have not actively been communicating with them providing mechanisms to unsubscribe or change their preference, are they likely to consent and do they have value to you or just add to the volume being targeted?
• Are they are an active customer? This relates to having an existing, recent relationship, so currently a potential soft opt-in as highlighted above. These individuals are actively engaged with you so are likely to be more responsive.
• Is it 3rd party data? If you never had a direct relationship and have questions over consent, this is prone to risk and should be seriously reviewed before sending any repermissioning activity.
• What is the impact of assuming no consent? If you did the unthinkable and marked this group as not consented what is the impact? Can you assign a potential loss of revenue value?

Paul Laughlin, founder, Laughlin Consultancy

It depends on three things: (i) how you originally captured their data; (ii) expectation set as to how you continue to use their data, (iii) how you plan to use their data in future.

If you originally captured their data through positive opt-in (an unambiguous affirmative action), made clear how you plan to use that data and simply plan to continue to use that date for the same purpose - you should be fine. (Putting to one side for now considerations with regards to retention periods and broader definitions of personal data).

If you do not already have an audit trail of positive opt-in and plan to use people’s data for a purpose they would not expect – then you need to gain their permission for that purpose first (or not use their data).

The judgement calls come in the middle ground. Most often, this regards the reasonable expectations of those impacted. Most organisations have not operated with positive opt-in for all their customer data. So, the question focuses on reasonable expectations.

If you are planning to continue to market existing customers, with whom you have been communicating already, you are probably OK to operate on the basis of legitimate interest (with some improvements to comms and your website). However, you cannot make a simple and clear case of people expecting you to use their data for marketing or other purposes, I would recommend a repermissioning campaign.

Micky Khanna, founder, GDPR Plan

My thoughts are that there isn't a clear-cut answer to this, and here's why: Recital 171 of the GDPR states that "Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation".

Of course, if processing is necessary for the performance of a contract, or for any other purpose as outlined as per Article 6 of the EU GDPR, then you will have a much clearer idea as to whether your organisation needs to actually repermission its customers for consent at all. 

However, if the customer data that a business holds was based on consent, and you're going back through your list for "repermission" in order to comply with GDPR, then you may want to check that you're not breaking the rules of Privacy and Electronic Communications Regulation (PECR), otherwise you may be the subject of an ICO investigation and possibly a fine for being in breach of PECR.

Flybe was fined £70,000 for deliberately sending out more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm, and Honda was fined £13,000 for sending out almost 289,000 emails aiming to clarify certain customers’ choices for receiving marketing, yet couldn't provide evidence that their customers had ever given consent to receive these types of emails - which the ICO stated was a breach of PECR....

Iain Lovatt, chairman, Blue Group Inc

I’d suggest the place to start is ensuring your database is current in the first place.

A data cleanse will get rid of your duplicates, update gone-aways and suppressions, and remove any inaccurate records. This would get you to square one, before you start checking when, where and how you originally obtained consent. If you have records that can verify permissions, great. That so many businesses have started launching repermissioning campaigns is an indication that most simply cannot demonstrate it to the extent that GDPR demands.

It also explains why Wetherspoon’s decided that the risk of holding data they weren’t supposed to was too high and the effort to get permission was too much, so simply deleted its entire email mailing list.

You might not want to take such an extreme approach, but with the threat of those multi-million pound fines under new data protection laws, you can see why people are prepared to take a blanket approach to repermissioning. And I would absolutely start the process now.

Kim Smouter, the head of Government Affairs at ESOMAR 

One of the key changes under the GDPR is that the consent requirements have been made far stricter and more precise compared to the Directive. GDPR Consent requires far more information to be provided in advance, it enshrines a vast array of rights both old and new that might mean consent collected under the directive won’t be valid once the GDPR comes into force.

Additionally, the privacy policies might not have been specific enough about what you're collecting, what it will be used for, and what further re-use options you are allowing yourself. If your policies aren't sufficiently clear about your processing activities (both current and planned), then you're indeed likely to need to secure a new round of consent for legal security.