GDPR and Consent – Do you Need to Get Fresh Opt-Ins From Your List?

Transcript of the Video

Good morning everyone, again. Thought I would try a little bit closer to the Wi-Fi signal, but as I say, I do like being outside, particularly on sunny days like today. So we'll see how it goes with the signal. If not, I'll have to move inside. But if you're live, if you're joining me live then come to say Hi and tell me where you are from. Tell me what you are up to with your GDPR compliance. Are you on top of it or are you thinking there is not long left to go and I haven't got the foggiest of what I am supposed to be doing?

So come and ... oh, it says we are reconnecting. Is this actually going to work? Okay, so hopefully the people are able to see me. If you can, comment in the chat box.

Okay, nobody is commenting. So that is either because nobody has joined yet or because my signal isn't working. Oh, I can see people joining me now, excellent. Guys, if you are joining me, welcome, welcome, welcome. I am doing it outside because it is a lovely sunny day. But I am not sure about the strength of the Wi-Fi out here. So if you can see me and hear me okay then type a little comment in your chat box and let me know if the signal is okay, whether I am breaking up.

Hi Annie, nice to see you. Good, I am glad you can see me okay. Can you hear me okay? Pop a little comment in to let me know that. Okay, I will just wait for it, before I get into the content I will wait to hear somebody is actually able to hear me. Okay, Annie is sending me a heart. Hopefully, that means that you can hear me.

Let's just confirm that you can actually hear me before I get into the content. Can you write me a little message Annie if you can hear me or not as the case may be? Okay. Yes! Hurray! Okay, one person can hear me so that is awesome.

Okay, so the thing about these Facebook Lives is obviously they are recorded and stay in the group, so even if you're not live right now you can listen in to this at a later time. I am really pleased to be doing my first Facebook Live in this group that I set up just yesterday. And really, I set it up because so many people were coming to me and saying I don't know what I am doing with GDPR and, more than that, I was seeing a lot of incorrect information online. So I wanted to set up a forum where you know that the guidance you are getting is actually accurate.

Hi Emma, good to see you. And thanks for sharing within your communities. I was just saying I am outside today because it is a lovely, sunny day. I am competing with airplane noise and my next door neighbors who are having some significant renovations so we will see how we get on here.

But I am going to do a few of these lives, and I am going to mix in a few videos because Facebook Lives are great but they are not brilliant for the replays, because people who just want the answers to their issue have to sit through ten minutes of "Is the signal okay? Can you hear me?" waiting for people to actually come on the live. So I think it will be a mix of lives and videos. I like the lives because people can ask questions and actually join in the discussion, and as this group becomes more established and I am doing more regular lives, I am sure we will get more people to join in that conversation. But I will also be doing some videos because they are just easy to go to and get the answers that you need in two minutes.

I will also be doing some longer training, you know, a couple of hours' training which will go into it in a lot of detail. So hopefully I will cover all bases for you. Now, added to the plane noise and the next-door-but-one's renovations, the other neighbors have just started with the lawn mower or the grass or leaf blower or whatever. So if that is too loud for you, let me know and I will go inside, regretfully.

But, that is coming across quite loud at the moment so let me know if that is interfering. Okay, so what we are going to be talking about today is consent and obviously GDPR, but consent within the context of GDPR. I was asked a question by Karen Skidmore, a good business friend of mine, who said there is a lot of confusion in the small business community about whether you need to go out to your email list to get ... okay, I am competing with planes and lawnmowers and renovation work so I am moving back inside.

Okay, right, back inside. Okay, so now I have got a dog barking inside, so it is all a bit of a challenge today. Now, as I was saying, Karen Skidmore asked the question as to whether you have to go to your existing email list to get fresh consents. And this is a conversation I have been seeing the last few weeks going around in small business communities. And some very well-meaning business people have posted to say "don't worry, you don't need to go and get fresh consents because there is an ICO statement that said don't worry, if you are compliant, you don't need to go get fresh consents."

Now, of course, the problem with that is that GDPR consent compliance is a much higher standard than we have already. Okay, so if you have seen any of those conversations going around, I want to tell you that they are probably not right. But I am going to strip it right back to basics now and tell you what you need to be thinking of.

For those of you who know nothing about GDPR and who know nothing about consent, let's start at ground zero here, okay? So if you are processing personal data, and by personal data I mean data that identifies a living individual. So it's a name, it's an email address, it's an address, it can even actually be an IP address. So the definition of personal data encompasses a lot, so chances are you are processing some type of personal data. And there has to be a legal ground for processing personal data.

And there are a few of those. The most relevant for the people who I know are in this group is that of consent. I will just quickly run you through the other grounds just in case. Let me just find the list; make sure that I don't miss any out. Okay, so we've got consent. We've got a contract, so if the processing is necessary for a contract that you've got with the individual or because they have asked you to take certain steps before entering into a contract, then you can rely on that.

If you have a legal obligation and the processing is necessary for you to comply with the law, that is another ground. There is a vital interests ground. There is a public task ground. There is a legitimate interest ground, which I will come on to in a bit. Because I do often hear marketers saying they can rely on the legitimate interests ground which isn't always the case.

But for most of us, the relevant legal ground for processing is going to be consent. Now hopefully, because data protection law is not new, we have had it for many, many years in this country. It is just that GDPR takes everything to a higher level. So most of us will have gotten some form of consent for obtaining and processing individuals' data up to this point. However, the key point is that it is unlikely that consent process will have been compliant with GDPR because it is a much higher standard of consent.

Really in summary, if I had to put it into a very, very basic way, in summary, it is opt-in only. Okay, so what a lot of people have been doing, which has been compliant and, well, still is compliant until GDPR comes in, is having a link to a privacy policy at the bottom of their websites, and when people are opting in, say you have got a freebie on your website and you are collecting email addresses through that, then there might be a link underneath that box that refers people to your privacy policy.

But there has been no positive, other than the act of their putting in their email address there has been no positive confirmation by them that they have accepted the terms in which you are processing their data. So I just want to find the bit. I will actually read it out to you because it impresses upon us the standard of consent that GDPR requires. So let me just find it here in my notes to make sure I get it absolutely right for you.

Where has it gone? Too many papers, hang on one sec. Okay, so consent and this is in Recital 32 of the GDPR, so for those of you who actually want to go and check that out, feel free.

Consent should be given by a clear and affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her. Now the key words there are clear, affirmative action. And that is really what I am talking about by the opt-in only.

Okay, so pre-ticked boxes are not clear affirmative action. That is not sufficient for GDPR. Establishing a freely given, specific, informed and unambiguous indication. Okay, so this is all about genuine choice and control by the data subject. Okay, so post-GDPR you can't have consent all bundled up. It needs to be granular. So what that means is you need to have the specific sub-paragraphs that say "we will use your data for X, Y, Z" and tick boxes for each of those areas of processing. So data subjects have a genuine choice over what you use their information for.

So one of them might be, we would love to send you our regular email, tick here, sorry, our regular email newsletter, tick here. The next one might be, we'd love to send you emails about products or services that we think would be of interest to you, tick here. The next one might be, we'd love to share your information with selected third parties, tick here. It has to be granular to that level of detail.

Okay, so the other thing to mention is that the onus of proof on having gained GDPR compliant consent is firmly on the data controller, i.e. you. So you need to be thinking about your CRM system or whatever processes you have in place where people are opting in, to make sure you keep a record of those consents and those opt-ins. Because if there is ever a dispute, then the regulator would be looking at that and looking at your record keeping systems and your processes to see whether you are in fact GDPR compliant. So we need to be thinking about that.

So for me for example, I use Infusionsoft and I will be using a tagging system in Infusionsoft to tag people who have opted in for the newsletter or tag people who have opted in for details about products and services for X, Y, and Z. So I use Infusionsoft, I don't know how it works in other email service providers or CRMs but, I am sure they will be responding to this need. So, maybe in time, I will be interviewing people from those or users, sophisticated users of those software systems so that we can get some ideas about how best to do that for you.

But the message is that you need to have some system where you can prove the consent. You know, how they consented, what date that consent was on, exactly what it was for etc. Okay, right, so in summary, I don't want to go into too much detail in this Facebook Live because I am going to be doing a big training on this whole area next Wednesday at 1 o'clock. So make sure that is in your diary. But I just wanted to clear up that confusion about whether you needed to get your email list to opt-in, re-opt in or not because I know, I think there was something in the ICO, in fact, let me find the email here.
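The tagging approach described above, one tick box per purpose and a record of how, when and what for, can be modelled as an append-only consent ledger. The following is an added example and not code from the speaker or from Infusionsoft or any other CRM; the purpose names, form and campaign ids, email addresses and timestamps are all constructed for illustration, and the 730-day refresh interval is the two-year figure the speaker mentions later in the talk, exposed as a parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Granular purposes, one tick box each (hypothetical names). A tick for one
# purpose never carries over to another, which is what "granular" means here.
PURPOSES = ("newsletter", "product_updates", "third_party_sharing")

# Constructed "now": the date GDPR came into force, used for the checks below.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str
    granted: bool          # True = box ticked; False = consent withdrawn
    at: datetime           # when (must be timezone-aware)
    source: str            # how: form or campaign id (hypothetical)
    wording_version: str   # exact wording shown, so "what for" is provable
    evidence: str          # constructed reference to the request record


class ConsentLedger:
    """Append-only record of granted/withdrawn consents per person and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {event.purpose}")
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)  # never overwrite: the history is the proof

    def latest(self, email: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events if e.email == email and e.purpose == purpose]
        return max(matches, key=lambda e: e.at) if matches else None

    def has_valid_consent(self, email: str, purpose: str, now: datetime,
                          max_age: timedelta = timedelta(days=730)) -> bool:
        """True only if the most recent event is a grant that is not too old."""
        ev = self.latest(email, purpose)
        if ev is None or not ev.granted:
            return False
        return now - ev.at <= max_age

    def proof(self, email: str, purpose: str) -> Optional[Dict[str, str]]:
        """What you would hand a regulator: how, when, what for, and the wording."""
        ev = self.latest(email, purpose)
        if ev is None:
            return None
        return {"how": ev.source, "when": ev.at.isoformat(), "what_for": ev.purpose,
                "wording": ev.wording_version, "evidence": ev.evidence,
                "status": "granted" if ev.granted else "withdrawn"}

    def needs_refresh(self, now: datetime,
                      max_age: timedelta = timedelta(days=730)) -> List[Tuple[str, str]]:
        """Contacts whose consent is still a grant but older than max_age."""
        stale = []
        for email, purpose in sorted({(e.email, e.purpose) for e in self._events}):
            ev = self.latest(email, purpose)
            if ev.granted and now - ev.at > max_age:
                stale.append((email, purpose))
        return stale


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: an old pre-GDPR opt-in, a fresh re-consent, a withdrawal."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice@example.com", "newsletter", True,
                               datetime(2016, 3, 1, tzinfo=utc), "website_freebie_form_v1",
                               "freebie-box-2016 (privacy policy link only)", "req-0001"))
    ledger.record(ConsentEvent("bob@example.com", "newsletter", True,
                               datetime(2018, 5, 1, tzinfo=utc), "reconsent_email_2018_05",
                               "tickbox-newsletter-v2", "req-0002"))
    ledger.record(ConsentEvent("bob@example.com", "product_updates", True,
                               datetime(2018, 5, 1, tzinfo=utc), "reconsent_email_2018_05",
                               "tickbox-products-v2", "req-0003"))
    ledger.record(ConsentEvent("bob@example.com", "product_updates", False,
                               datetime(2018, 5, 10, tzinfo=utc), "unsubscribe_link",
                               "footer-unsubscribe-v1", "req-0004"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("bob newsletter ok:", ledger.has_valid_consent("bob@example.com", "newsletter", NOW))
    print("alice newsletter ok:", ledger.has_valid_consent("alice@example.com", "newsletter", NOW))
    print("needs refresh:", ledger.needs_refresh(NOW))
    print("proof:", ledger.proof("bob@example.com", "newsletter"))
```

The ledger is append-only on purpose: a withdrawal is recorded as a new event rather than by deleting the grant, so the full history of how consent was obtained and later withdrawn remains available if a dispute ever arises. A grant for the newsletter says nothing about third-party sharing, so a check for a purpose that was never ticked simply returns False.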

There is an ICO blog. And the ICO actually, so the Information Commissioner's Office, has a great website there is some really useful guidance on there. So if you, aside from this group, I am sure I will be sharing some of that guidance in here. But the ICO website is a wealth of information. And, one of the things that were shared by as I said, a very well-meaning businessman was, he said "the ICO clearly states that you do not need to refresh permissions if they are already compliant. There is a very Y2K feel about all the hype here. If you used an opt-in sign up before, it would appear that if you were compliant before, you are compliant now."

Okay, I think that was very much giving the impression that people don't need to worry about going out to their email lists and getting new consent. Chances are, I would say 99% of the cases you will need to do that. Now the important thing is to do it before GDPR comes into force. You need to be doing, going out to your lists and getting consent before the 25th of May, 2018, when GDPR comes in. And I will be doing more sessions, more lives about how best to do that. Maybe we will get some marketers in as well. Do some interviews about how to re-engage the lists through going out to them.

And actually, you know I think we can really take positive out of these regulations. And look at it as a benefit to our marketing. Because at the end of the day do I really want hundreds of people on my list that aren't interested in the stuff I am sending them? It only impacts my email deliverability rate. Actually, I am much better with a smaller list of people who actually love my stuff and really want, really are interested in that content that I am sending them.

So I think we will get some marketers on and do a bit of an interview in this group with them about the best way to actually go out to the list and request that consent. Give me some hearts if that sounds like a good plan for you guys. Because I think yes, the legal side of things, but actually just as important is the actual marketing side of it and knowing how best to communicate that message and to get clients and prospects on board with that.

Okay, thank you, Jenny, for the hearts there. Thank you, I can't see who else is giving the hearts, but thank you very much. That sounds like you like the idea so we will get those, a marketer or two on an interview and talk about how best to do that. Jenny, I can see you are asking about the wording for that. That is going to be in my GDPR pack that I will be telling you, not right now, but probably at the end. I am not going to promote that all the time in here. That is not what this group is about, but I know people do want the resources so at the end of my webinar, next Wednesday, I will be telling you more about that about the GDPR pack and the letter to get the new consent will be in the email that you will send.

Okay. So I just noticed a few questions there. Let me go back over those and see if I can answer them here. Jasmine says "how does it work when you are using third-party providers like Leadpages, I don't think you can have different tick boxes." Yeah, Jasmine, on a case by case basis, I am sure there are lots of bits of software, particularly those outside of the EU, where it will be tricky to comply with the granularity that is required for consent. I am sure people in time will come up with workarounds. I would love to personally get in touch with people like Leadpages and get them in for an interview. I mean, whereas this is probably not even on their radar.

You know, I know that magazines like Forbes have just started publishing articles to explain to the US market that this is a real thing they need to take seriously. But whether it is on their radar or not, who actually knows. But yeah, I have been thinking I will get in touch with people like Leadpages and actually ask them what they are doing to help gear up their customers for GDPR. So watch this, Jasmine, I will try to get someone from Leadpages to actually come on an interview in this group. Which would be fabulous.

Okay, Jasmine says I also use Infusionsoft. How do you apply the tags on the opt-in form? We will do a session on that as well Jasmine, okay? So I will ask an Infusionsoft expert to come in and show us how to do that. But there is absolutely a way to do it.

Let's see what else. Marketing to existing customers, are we covered under the contract grounds for this? That is an interesting one Coralee. The contract processing ground is only for what is necessary to fulfill that contract. Say, for example, if someone is buying some goods from you, then obviously you need to know their name and address so you can send the goods to them. Okay, so that is the grounds of processing.

But for actual customers, now this is where the ground of processing that I mentioned, that marketers sometimes talk about, comes into the fray. Let me just find the slide on this because this is a very good point. Recital 47 of the GDPR says "the processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interests." A lot of marketers got quite excited about that because they thought it gave them carte blanche to market without really having to comply with the consent requirements or anything like that. And that isn't the case, unfortunately.

So to rely on legitimate interests, there must be a relevant and appropriate relationship. You need to assess whether the individual would reasonably expect their data to be processed at that time and in the context in which the data is collected. There is a balance between the company interests and the rights of the individual. And it's likely to be most appropriate where you use people's data in ways that they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

So, the problem with relying on legitimate interests is that it is not black and white. Okay, it is a question of fact in each case. It is open to challenge. Now saying that, and the question that Coralee asked about existing customers, that is probably one area that would arguably fall within legitimate interests.

Okay, is it reasonable for an existing customer to expect that you would tell them about offers or products and services that you think might benefit them? I would say yes. Okay, so arguably, for existing customers, you could rely on legitimate interests. And that is kind of like the existing soft opt-in rule that we have already. Which is where you can market to existing customers but you must always give them the right to unsubscribe. And that obviously carries through to GDPR.

We always have to give people the right to unsubscribe at any point. And I think most email marketing services these days always have that option at the bottom. You know, that little unsubscribe here button at the bottom of every email. That is pretty standard practice these days. So I hope that answers your question Coralee.

Let me see what else we have here. So Emma says I know ConvertKit and Fronto are both aware of GDPR and are covering this. That is good to know. Sara says, "in my newsletter, I send general information with event information. Will I need to split that out and get consent to send both?" If it is a newsletter, then no. If they are actually consenting to receive the newsletter, then you don't have to sort of go into great detail as to what is going to be in your newsletter every week. So I would say, if you would like to receive my newsletter in which I send you general information and event information, please tick here. Okay, so you do not need separate consent for that.

Jenny says it would be helpful to have information about storing the data. Yeah, that is generally going to be in your CRM system, Jenny. So whatever you use, there should hopefully be a way of recording the consent, and it being automatically there on your system. So Infusionsoft, for example, I know if someone is tagged then I can just search for that tag. I can just search for that person and see when they consented.

So Coralee says "presumably we don't need to consent to hold their data again?" I guess you are still talking about existing customers there Coralee? So no, if you are using customer data for the same purposes as you used to, then you won't need to go and get fresh consent. If you are changing the purpose, then you will need to get fresh consent. That is common across the board actually. Don't think this is kind of a let's get all our ducks in a row for May 25 and then we can forget about it. It is an ongoing process. It's on where you are designing privacy for your customers.

I will just read out a comment from the Information Commissioner.

Hello Vicki Stanley, lovely to see you. A personal friend of mine who has probably never seen me do these kinds of things and is probably wondering why I am wearing a hat inside Vicki? That's because I was outside in the sun doing this Facebook Live and we had plane noise, we had renovation work, we had leaf blowing so popped in to save breaking off the Facebook Live so I kept the hat on.

Okay so Elizabeth Denham, who is the current Information Commissioner, says "this is about more than legislative box ticking. Accountability is at the center of all of this. Of getting it right today and getting it right in May 2018 and getting it right beyond that."

So this is very much ongoing. It is not a box ticking exercise we do before May and forget about it. It is ongoing. It is really about thinking about the individual and their rights. The way we responsibly use data. The way we are transparent with them and in fact, I will just remind you. Remind you, you might not know but there are certain data protection principles which are very similar to the ones we have already, but a little bit refined for GDPR.

And the six principles, and I am not going to go into them in detail, but just to give you an overview. Lawfulness, fairness and transparency, purpose limitation. What that means is you collect data for a specified purpose and not process it in a manner that is incompatible with those purposes. Data minimization which means that it is adequate, relevant and limited to what is necessary. So you know you do not need the kitchen sink when you are getting data from people. Just limit it to what is necessary. It needs to be accurate and kept up to date. It needs to be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes which the personal data is processed.

So, in my training, I will be talking about how long you can store the data for, how long you can rely on your consents for. Because the GDPR, the working parties have commented that the consent degrades over time and they recommend that you get a refresh of consent every two years. And the final principle is integrity and confidentiality which is all about the security of the data.

So really, as I am saying, it is something that is ongoing, and as long as we think about our customers, as individuals and think about how we would like our own data to be treated. You know we just want people to be upfront with us about what we are going to do with that data. Not collect more than is necessary. Make sure it is kept somewhere that is safe. And be responsible marketers with it.

I think if we think about it in that context, we will be okay. Now one thing I do want to say. Of course, there are a lot of scare stories out there about GDPR and the fines that regulators can impose. And it is certainly the case that the regulators are showing they are taking this a lot more seriously. Data is important stuff. You know The Economist said that data is now the most valuable asset in the world. It is no longer oil, it is data. We are dealing with really valuable stuff here.

Sorry, my dog is literally bashing himself against the crate to get out, bless him. I am going to have to go and rescue him in a bit. So data is important stuff. Now, I have completely lost my train of thought here. What was I saying? Yes, yes, yes, so small businesses panicking about the impact of it. Now it is true the fines have increased to 20 million Euros or 4% of global turnover, whichever is the higher. Now saying that, if you are not compliant on the 25th or 26th of May or whenever, chances are as a small business owner you are not going to be fined anyway like that. You know you are probably not going to get fined.

Okay, but what you don't want to do is have an investigative, what has changed the public can now play a much bigger part in complaining about you. You know you are subjected to, there is a potential for class actions where a group of personal data subjects get together and bring a class action against a company. And that is not a good place to be. But even an individual customer can complain about you to the ICO and you are investigated. And nobody, particularly a small business owner with limited time and resources, nobody wants to be investigated by a regulatory organization. So what you need to be doing as a small business owner is showing compliance.

Now the fact you are in this group, the fact you are listening to this, the fact that I am going to share a free checklist with you and you've got that checklist and you are working your way through it, these are all good signs as far as the regulator is concerned. The regulator does not have a big police force of data officers, data policemen going around and checking every small business owner in the country, or even the big business owners, are completely compliant in this regard. Okay, so the number one message is, do not panic.

Okay, yes, know what it is all about, put steps in place to be compliant but don't be worrying yourself to death about it. Because it’s you know, there is scale in all of this. Now I am consulting with a multi-national at the moment. That is a whole different ballgame. You know the hoops they have to jump through and rightly so, rightly so, because it’s the processing of sensitive data on a large scale and rightly so they should have to jump through hoops.

But for you guys, you know it is, as I say thinking about the individual, how you as the person would like your data to be used and taking some sensible steps to ensure that happens. Okay, so I think I am going to leave that there. Hopefully, that has cleared up the issue for you as to whether you need to go back out to your email list to get fresh consent. The summary answer is yes, you do. Chances are you are not currently GDPR compliant in the consents you have previously obtained. You will have to go out. I am going to hopefully get some marketers in this group and do an interview with them on the best way to present that consent, that re-obtaining of consent that is GDPR compliant. We will get those marketers in, do some interviews.

If anybody wants to let me know third party software, like Leadpages that you think, isn't necessarily compliant let me know and I will try to get into touch with them and see what they are doing about it. Because I think that would be very interesting to know. But otherwise if you have got any comments or questions, then feel free to post them on the replay and I will be doing another video tomorrow. So thanks guys for joining me live. Thanks for all your questions, feel free to share the group far and wide. Let's get some good conversations going on here about what is really going on and because I agree there is a lot of hype about it and there doesn't need to be quite frankly. There just needs to be someone sensible to tell you what is actually going on. So thanks again ladies, I think it is mainly ladies that I am seeing here. If you are a gentleman watching, apologies. I can only see female faces in the comments. But thanks for joining me and have a brilliant day.