GDPR and re-consent – in conjunction with the checklist I have put together (in the files section)

Transcript of the Video

Hello, ladies and gentlemen. Suzanne Dibble here, data protection law expert coming to you raw and uncut. Hope you've all had a fabulous day in the sunshine watching the royal wedding. Whether you're in the UK, the States. Do they show it in the States? Do they show it in Australia and Canada and wherever else people are from in the group? I don't know, but I hope wherever you are you've enjoyed watching the royal wedding.

I'm here at my uncle's this weekend because he was sworn in as mayor yesterday, which is a great honor. So, yeah, very exciting times. But anyway, a quick video about re-consent because obviously there's been a fair few posts about it in the group recently. And I did a note about it and I've shared a few more things as well. And I shared some notes, some guidance from the ICO, and the first comment back was, "I really can't understand any of that." And I agree it's not the easiest read. So what I've done is I've actually done a written, for once, a little guide on re-consent.

So for those of you who are in this final week of, oh my goodness, do I need to get re-consent, do I not, then hopefully that will be helpful for you. But I just want to do a very quick video just highlighting a few points from that, okay? So in that note, I talk about the re-consent and whether you need it to be on the lawful ground of consent or legitimate interest. Now, this is, I think, the thing that people are really struggling with is whether you need to get re-consent or whether you can just say legitimate interest. Now, the thing is, with re-consent, if you've already obtained consent in the past and it's not up to a GDPR standard then you do actually have two options.

One is you go out and you get that GDPR standard of consent or, two, the working party guidance does say that you have a one-off chance of changing your ground of lawful processing before GDPR comes into force. So if after having been in this group and having worked out that you can potentially rely on legitimate interest for certain types of subscribers, and I'll say a bit more on that in a minute, then you might decide that actually where you have previously obtained consent that that's not the appropriate ground going forwards. And that will certainly be the case for a lot of you who have employees. Historically, a lot of the grounds of processing of employee data was done on the basis of consent. But as we know now, there's this new introduction of consent has to be freely given. It's unlikely that consent is going to be appropriate in an employment relationship.

So certainly those of you who have employees will be looking at other grounds for processing employee data. And the same can be said for email marketing. If you've been getting consent from people that you don't actually need to, then now might be the opportunity to say, "Well, actually that should more appropriately be under the grounds of legitimate interest." Now, as I've said a number of times in all of my videos, legitimate interest is not the easy way out. We have to make sure that we are really giving due consideration to the rights and interests of the data subjects, and making sure that it's something that they would reasonably expect to be done with their data and carry out the balancing test. And there is the legitimate interest assessment form in my pack that can be used for that.

So it's not the easy option. You can't just go, "Oh, can't be bothered going out and getting re-consent. We'll just rely on legitimate interest." It's not that easy. But what I've put in the re-consent checklist, if you like, is the ICO's guidance about when legitimate interest for email marketing might be a lawful ground of processing. Now, notice the word might, okay? The ICO is not saying that in every case legitimate interest can be a lawful grounds for email marketing and processing. So if you look at my note, you'll see that what they seem to have indicated is that where you don't need to obtain consent for the purposes of PECR (or Pecker), then it's possible that legitimate interest may apply. But if you do need to get consent under PECR, then you will need consent under GDPR, okay?

So in my note, I say, well, when do you need consent under PECR? You need consent if the email is unsolicited, if it's to an individual, and the soft opt-in doesn't apply. Okay, so all of those three things need to be there in order for you to need to obtain consent. So if the marketing's solicited, then you don't need to worry about PECR, i.e. if someone's asked for you to send them some marketing material, PECR doesn't apply. The marketing's to an individual and the soft opt-in doesn't apply. So if you're not marketing to an individual, and remember individuals include sole traders and partnerships, or in your email marketing to a company, then PECR doesn't apply. And the final point is the soft opt-in. If you have the soft opt-in, then PECR doesn't apply to that.

Now, in my note, I set out when the soft opt-in applies, and I've done a lot of videos on this. But for completeness, I'll put this in here as well. A soft opt-in applies where you've obtained the contact details of the recipient of that email in the course of the sale or negotiations for the sale of a product or service to that recipient. The email is in respect of similar products or services and the recipient has been given a simple means of refusing the use of his contact details for the purposes of direct marketing at the time that his details were initially collected and where he didn't initially refuse in each subsequent communication. Okay, so all three of those things have to apply and have to be there for the soft opt-in to take effect.

So if you don't need consent for PECR, then possibly you can rely on legitimate interest for email marketing. And I'll say you have to carry out that balancing test. So where you might get to with that is that you might decide that you don't need to obtain fresh consent, or indeed any consent, going forwards for limited companies or LLCs, for existing customers, because chances are the soft opt-in would apply. Although do check that, okay? Do make sure that you did give them a right to opt-out at the point that you collected the details and then on each subsequent marketing communication. And you might also decide that prospects with whom you've had negotiations about similar goods or services, you don't need consent for those. And so then, I talk to you on what do you need to do if you decide you need to get fresh consent and what do you need to do if you decide that you're going to rely on legitimate interest? That's kind of the easy bit, really. But do have a look at that note.

The other couple of points I just want to make on it are that people have been a bit concerned that going out to the list for fresh consent means that you might get yourselves in trouble because people have seen other articles that talk about Flybe and Honda getting fined. What happened there was that Flybe sent, and you're talking about hundreds of thousands of emails here in each of these cases, but they emailed people who had previously unsubscribed, which of course you can't do. And Honda didn't have any records of consent. So they were emailing people really to arguably ask for new consent because they didn't have any record of consent. But it wasn't because they didn't have a GDPR standard of consent and were obtaining the new higher standards, okay? So don't worry about that.

Now, obviously, if you don't have any consent at all then you can't email people to say, "Oh, do you want to consent?" You can't do that. But if you've previously obtained a consent and it's not a GDPR standard of consent, then you're okay emailing them before the 25th of May to say, "You previously consented to a marketing. Just like to confirm that you still want to do so?" And you make sure that you've got your link to the privacy policy, that you're really clear about what you're doing with that data, and make the opt-out, the fact that they can opt-out at any point, really clear. And you follow there is an ICO checklist about how you need to obtain consent. Have a look through that. That's in the pack as well. And you make sure that in obtaining that fresh consent, you are following all of that. And these are things like making sure you've got appropriate records of the consent, etcetera.

So the email, there are two emails in my pack. One of them is for if you work out that you need consent for certain of your subscribers, then you send them that email obtaining the fresh consent. The other one is if you've worked out that you can rely on legitimate interest for a certain proportion of your database, then you would use that email address to send your new privacy policy and to remind them of their right to opt-out. Okay, so I hope that is helpful for those of you who are having the last week panic about whether to get people to re-subscribe or not. And I've put some links in the little note that I've done where you can read a bit more about it if you are so inclined.

So whatever you're doing, I hope you're having a wonderful weekend, a chance to kick back and relax, although I do seem to have spent most of today looking at GDPR. But I think that's going to be the case for most people who are in the GDPR industry, with a week to go until the regulations come into force. Remember, if you are slightly panicking about it, don't. Do go and watch my video about why you shouldn't panic. Just take some sensible steps, do what you can. But please, please don't lose any sleep over it. Have a great weekend and I'll see you tomorrow.