Small business owners are panicking.
“Do I need to get re-consent from an existing email list? What if I do and everyone unsubscribes, or doesn’t re-opt-in and I’m left with no one – I’ll lose my entire marketing list that took me so long to build up!”
Now, I’m talking about a typical small business who’s not processing sensitive data, or data on a large scale (hundreds of thousands of names) or not doing anything dodgy.
There are arguments for and against requesting re-consent from an existing email list but the draft consent guidance from the ICO is clear:
“You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.”
Why is consent important?
– It puts your subscribers in control.
– It builds their trust with you – that you are using their data to contact them about something they agreed to, not taking advantage of having their email address.
– It therefore enhances your reputation.
– Relying on consent that was not freely given puts you at risk of destroying your subscribers trust, harming your reputation AND leaving you open to the chance of being reported and therefore fined.
My view is that if you meet the basic criteria below, then you don’t need to get reconsent. Obviously if we get updated guidance from the ICO, I will update this blog.
But as of today, this is my view.
The draft ICO consent guidance shows that the key elements of what consent is remain the same.
What GDPR does do is make certain that when someone gives you their consent, it is unambiguous and involves a clear action that they have agreed to give you their data for the purpose that’s stated.
So, should YOU get reconsent from an existing list?
I’ve broken down the argument into two simple choices. If you fall into the YES section, then it looks likely that your data doesn’t meet the new standards and will need re-consenting.
If you’re in the NO section, then the chances are that you were already getting valid consent to send further marketing and so you don’t have to refresh your list (unless you want to!).
– You don’t have up to date records of how the emails got onto your list. You have names, but no data showing where they came from (admin add for example).
– Your opt-in box to send further marketing was a pre-ticked box in the past that didn’t allow subscribers to specifically choose to get further marketing emails from you, perhaps bundled in with your terms and conditions. This means that your subscribers didn’t freely give consent for ongoing marketing.
– Your opt-in was for one very specific service (plumbing), but you’ve changed what you’re offering and now you’re sending them marketing emails about something very different (gas boilers) – you need to check if they’re still wanting to receive information on this (see my video about granularity of consent in the Facebook group)
GDPR definition: “In essence, there is a greater emphasis in the GDPR on individuals having clear granular choices upfront and ongoing control over their consent.”
– You haven’t given your list the option of withdrawing their consent (unsubscribing) – this should always be on the bottom of your emails so that the right to withdraw their data is always available. You must make it obvious and not hidden away.
– You want to refresh your list anyway and ensure that the people who are receiving your emails WANT to receive them – a good a chance as any to re-engage and end up with a much higher open rate (meaning more chance the emails won’t go into the spam folder!)
– You’ve always been very careful about getting consent. You have up to date records showing who, where, what and how they opted in. There is no ambiguity about how you got their data.
– Their consent was freely given – not bundled into Terms and Conditions, or a pre-ticked box about sending further marketing emails. When they signed up, either they ticked a box to receive further information from you or it was very clear that you would be sending it. It’s not the granularity that is now required, but I think the ICO would be happy that it meets the standards if you put a tick box in place from this point on.
– At the time of consent, you told them they would be receiving further marketing emails from you, therefore when they signed up, they had consented to that too (even if at the time it wasn’t a tick box, it was stated). Giving their email address and name under a statement saying you will send further emails to them is still consenting to this. If you are sending emails about the goods and services that they signed up for in the first place, then I would say that this is fine and the ICO have confirmed that to me. However I have heard other people saying the ICO have given guidance to say that they would still need granularity of consent, so it’s still not clear. My view is that as long as you’re not doing anything terrible with their data, you probably aren’t going to be fined. However, that’s as of today – I may have to update this guidance in the future when it becomes clearer.
GDPR definition: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
– You are taking steps to becoming GDPR compliant – reviewing your email marketing list and removing all data that doesn’t comply, including when they unsubscribe. (MailChimp have confirmed that they will be applying this action to their platform to meet GDPR requirements, as at the moment you can’t delete them if they have unsubscribed).
– You’re happy with your list. You have worked through if the data is compliant and are satisfied with how they engage with your marketing. No need for a clean.
So I think that is clear. But the issue with consent shouldn’t stop here:
– You should be regularly making sure that the data you hold is current and within the regulations.
– You should be regularly making sure that the chance to unsubscribe is offered to your list.
– You should be regularly reviewing the content that you are sending out and if that meets the consent that you have from subscribers.
GDPR definition: “You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.”
I’m taking the opportunity to re-engage my list and make sure they’re getting what they want from me because having subscribers in my list who don’t open or read my emails is negatively affecting my ability to reach the people who DO want to see what I send.
The more un-opens and unsubscribes you have, the more chance your marketing score is low and you’ll end up in the Junk folders of the people who DO want to read them.
I’m going to put together a re-engagement campaign and those who don’t opt-in will be taken off my list – it’s a chance to clean it!
There are no data protection police who will be out there on the 26th May 2018 checking to see that you have the right GDPR consent for your list. That won’t happen.
There’s a few simple steps that you need to take, but please don’t lose sleep about being fined. Instead why not buy my GDPR Compliance Legal Pack and I can help you take the right steps towards protecting your business.
You’ll get access to 20 legal template documents and checklists, plus video guides from me that will enable you to be GDPR compliant. Click here to get started today.
Consumers are getting savvier about their rights, so if you’re not following GDPR there is more of a chance that someone is going to be complaining.
Don’t ignore it. Consent is just one small part to GDPR, but a big challenge for some businesses who haven’t been keeping up to date with their records.
Look at it from a glass half full point of view – at least you will have a list full of people who are more likely to buy your products and services anyway.
And once you remove the ‘dead wood’, they’ll actually SEE your emails in order to do so!
Suzanne Dibble is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award. Suzanne has had second to none training and experience at a top City law firm, leading billion pound deals and being on the board of £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers that really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.
DISCLAIMER: as I do not know your individual circumstances, none of my blogs, my videos, my guidance in the Facebook group or any other materials available to you where I have not taken you on as a one to one client shall be construed as legal advice and I shall have no liability to you in any circumstances should you choose to rely on any of the materials I publish.
Data Breaches Happen. How Prepared is your Organization?
Download Suzanne Dibble's Customizable GDPR Compliance Pack to Protect Your Business!