GDPR compliance one year on – what’s changed?

This time last year, virtually no business or organisation was actually ready for the General Data Protection Regulation (GDPR) coming into effect on 25 May 2018. At best they were on their journey towards compliance.

The initial impact of GDPR on businesses

For many smaller businesses without access to in-house legal teams or the budget to pay for external advice, it was a stressful time.

First, they needed to understand what, if anything, they had to do and then find out how to implement it. Many businesses spent hours trying to fathom out what legal bases to use for their different purposes of processing personal data and whether they should or shouldn’t be re-permissioning their marketing databases.

Others had sleepless nights worrying about how they were going to comply when their main business system (often a CRM or sales transaction system) was based outside of Europe and clearly not GDPR compliant.

At the other extreme, many businesses were simply ignoring it all.

Moving towards greater clarity and guidance from the ICO

Certainly, when GDPR came into effect, many areas of compliance were still in debate. The ICO’s online chat facility was busy from dawn to dusk, and you were lucky to get an email reply within three months. Now the furore has died down, you are likely to be able to access their online chat (during their opening hours) whenever you need it, which is reassuring to know.

Updated guidance on using legitimate interest and soft opt-in

The ICO has been updating its guidance over the past year. The guidelines are now clearer, particularly in relation to how legitimate interest and soft opt-in can be used for direct marketing to existing customers. In addition, the ICO has updated its guidance on the Privacy and Electronic Communications Regulations (PECR), which specifically cover the sending of email marketing.

Initially, the ICO’s guidance only referenced being able to rely on legitimate interest as your legal basis for direct email marketing to existing customers if you had previously gained their soft opt-in consent. This applied where customers were either individuals in business (business-to-business) or individuals acting in their own capacity (business-to-consumer). It was also reasonably clear that, going forward, you would be able to rely on legitimate interest and soft opt-in consent for direct email marketing to existing business-to-business customers. However, what was not initially clear to many people was whether you would be able to rely on legitimate interest and a soft opt-in for direct email marketing to existing business-to-consumer customers. This is one reason why we saw so many organisations sending out re-permissioning email campaigns.

Some of the confusion around whether you had to use consent for direct email marketing to existing business-to-consumer customers arose because of the additional requirement to consider compliance under PECR and because, under GDPR, a higher standard of consent is required, i.e. a clear and affirmative action (opt-in rather than opt-out).

Best practice versus legal requirement

Another area that was often debated was whether double opt-in consent is required when adding individuals to email marketing lists. Under GDPR it is not strictly required, but if you are using, for example, a newsletter signup form on your website, then without double opt-in consent you can’t easily prove that you have the individual’s consent: anyone could enter that individual’s email address into the website signup form. In this scenario, whilst double opt-in consent is not legally required, it is definitely best practice in order to be able to demonstrate compliance (which is itself a requirement under GDPR).

The impact of GDPR on consumers

Most individuals were looking forward to the new, higher standards of consent under GDPR being rolled out in relation to direct email marketing.

Have consumers been let down?

Unfortunately, many people feel let down because they are still being bombarded with unwanted email marketing.

This may be happening for two reasons. The first is simply that some businesses are still failing to comply. The second is because many businesses are using legitimate interest rather than consent as their legal basis for sending direct email marketing (even after having taken PECR into consideration). This option was not clear in the ICO’s initial guidance, but has since become significantly clearer.

Email marketing does not always require consent

The ICO website now states that an organisation should not send direct marketing emails to an individual unless it has obtained that individual’s consent or, alternatively, the individual is an existing customer who bought (or negotiated to buy) a similar product or service in the past and was given a simple way to opt out both when their details were collected and in every message sent since.

Therefore, if you are able to satisfy the latter of these conditions, known as the ‘soft opt-in’, then you will not need to obtain that individual’s consent in order to send them marketing material, regardless of whether this soft opt-in was obtained before or after GDPR came into effect. In instances like this, in addition to identifying a legitimate interest for using an individual’s personal data for marketing purposes, you must also satisfy the three-part test.

Part of this test is whether the individual would ‘reasonably expect’ you, the business, to send them your marketing materials. Clearly, if they have never bought anything from you before, they would not expect to receive email marketing material from you without their consent. The question is, what is ‘reasonable expectation’?

In addition, there are some caveats. For example, it is not permissible to send direct marketing emails to existing customers if those individuals are ‘vulnerable’ and the receipt of your email might cause them ‘harm’: you can’t send direct marketing emails about loan schemes to people who you know are in financial difficulty without their opt-in consent.

Can you change your legal basis?

Yes, in some circumstances, but you can’t simply switch your legal basis because this would be unfair to the people whose personal data you are processing. In addition, it would lead to GDPR breaches of accountability and transparency requirements.

If, however, there is a genuine change in circumstance or you have a new and unanticipated purpose which means there is a good reason to review your lawful basis and make a change, then you need to inform the individuals concerned and document the change.

You can find more information about when and how you can change your lawful basis on the ICO’s website. Before you consider this, make sure you understand the different types of opt-in and, if possible, seek expert advice or ask for clarification from the ICO’s office.

Soft opt-in versus opt-in and double opt-in

As discussed above, soft opt-in is a form of consent, but it is not a legal basis upon which you can lawfully process personal data. Soft opt-in is a form of consent which may help you to satisfy the three-part test when you are using the legal basis of legitimate interest to process personal data.

If you are relying on consent as your legal basis, then the higher standard of opt-in consent applies. Under GDPR, this means requiring a positive, affirmative action. In some cases, obtaining an individual’s consent is not just an option but a legal requirement, e.g. under PECR, and again the higher standard of consent applies.

So, if you are relying on legitimate interest as your legal basis, then whilst you may need to demonstrate soft opt-in consent, you do not need the higher standard of ‘consent’ (with a positive affirmative action) as well. In the words of the ICO, “this is only likely to confuse people”!

Lastly, double opt-in consent is not a legal requirement but, in some situations, it is considered best practice and, as discussed above, it can help you to demonstrate compliance when you rely on consent as your legal basis for processing personal data.

Takeaways & caveats

The ICO’s guidance is now clearer. Businesses can rely on legitimate interest to send out marketing materials to existing clients (and those who negotiated to buy but didn’t) if they have soft opt-in consent (i.e. they were given a way to opt out of email marketing) and can satisfy the three-part test. However, there are still caveats on when you can rely on legitimate interest, so if you are unsure then you should seek expert advice.

Whilst many businesses are pleased with this outcome around the ‘ease’ of being able to use legitimate interest for email marketing, it is a double-edged sword. Had legitimate interest with soft opt-in consent been clearly laid out, prior to GDPR coming into effect, as an option for email marketing not just for business-to-business organisations but for business-to-consumer organisations, then many more businesses would have chosen that as their legal basis (and potentially would not have lost marketing opportunities). It is hugely frustrating to businesses (large and small) when legislation comes into force without clear guidance. It wastes good people’s time and money, whilst those who are less risk averse and/or ignore the legislation appear to get away with it.

For all of us as individuals, the outcome is disappointing as we will continue to have to opt out of email marketing every time we purchase a new product or service.

Final note – maintaining GDPR compliance

On a positive note, the ICO has declared that they will use all the tools at their disposal to stop unscrupulous businesses from flouting the law and ignoring the legal rights of citizens. So, if your business is not compliant, take steps now. And, for every business, remember that GDPR is an ongoing process. You need to be able to demonstrate ongoing compliance with the law.

Author: Delia Porter, MD & Founder