
Category Archives: GDPR

GDPR – Do I Need to Get Fresh Consent for my Email Marketing?


RECONSENT

Here is what you need to know about re-consent and email marketing if you are thinking about obtaining fresh consent from your list.

1. Decide the lawful ground for all of your processing of personal data including for sending marketing emails.

2. The ICO guidance is that legitimate interests for email marketing MAY be a lawful ground of processing where you do not need to obtain consent for the purposes of PECR.

3. You need to obtain consent under PECR where:

a. The email marketing is ‘unsolicited’; and
b. The email marketing is to an individual (which includes sole traders and partnerships); and
c. The soft opt in doesn’t apply

4. The soft opt in applies where:

a. you have obtained the contact details of the recipient of that email in the course of the sale or negotiations for the sale of a product or service to that recipient; and
b. the email is in respect of similar products and services only; and
c. the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

5. In order to rely on legitimate interests, you have to carry out a balancing test and record your decision making (you can use the assessment form in my GDPR pack).

6. You may decide that you do NOT have to obtain fresh (or any) consent from:

a. Limited companies or LLCs
b. Existing customers
c. Prospects with whom you have had negotiations about similar goods or services.

7. If you decide that you can send marketing emails on the ground of legitimate interests, then you need to send an email with your updated privacy policy that informs the relevant email subscribers of their right to object to the processing (or opt out). There is an email in my GDPR Pack for this.

8. If you decide that consent is your lawful ground of processing to send marketing emails to certain of your email subscribers, then you need to look at whether you already have a GDPR standard of consent for those subscribers (check the ICO’s website here for a checklist to work this out). If you do, then great, you don’t need to do anything apart from send out your new privacy policy and remind them of their right to opt out.

9. If you decide that consent is your lawful ground to email certain email subscribers and you don’t have the GDPR standard of consent (see the above ICO checklist), then you need to get a fresh consent that is to a GDPR standard. This needs to be done before 25 May 2018 or you will no longer have a lawful ground of processing. There is an email template you can use in my GDPR Pack for this.

You must then opt out of marketing emails all those people who did not re-consent to the marketing emails before 25 May 2018.

10. If you decide you need consent to send marketing emails to certain subscribers and you don’t actually have any consent for that email marketing, then you can’t email those subscribers to request that consent.

11. Flybe were fined because they emailed people who had previously unsubscribed, and Honda because they had no records of consent at all. Neither was fined for holding a pre-GDPR standard of consent while seeking the new, higher standard.

12. If you have previously obtained consent for email marketing from people who you may not need to do so, then the Working Party have stated that you have a one off chance to change your lawful ground of processing before GDPR comes into force.

For those of you established outside of the EU, PECR does not yet apply to you but is likely to from 2019.


Suzanne DibbleSuzanne Dibble is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award. Suzanne has had second to none training and experience at a top City law firm, leading billion pound deals and being on the board of £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers that really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.

DISCLAIMER: as I do not know your individual circumstances, none of my blogs, my videos, my guidance in the Facebook group or any other materials available to you where I have not taken you on as a one to one client shall be construed as legal advice and I shall have no liability to you in any circumstances should you choose to rely on any of the materials I publish.

What is Granularity of Consent?

Granularity of consent is a question that repeatedly comes up in my free GDPR Facebook group, so I imagine you too have been confused over how many tick boxes you need for your subscribers, which types of marketing services should be split up with the tick boxes, and whether you even need tick boxes?!

The Article 29 Working Party Guidelines on consent under Regulation 2016/679 go into a lot of detail about consent as a whole and give some examples of valid and invalid consent. However, a lot is still not clear.

What is Granularity of Consent?

Granularity (noun) – the scale or level of detail in a set of data.

As we know, GDPR will set a higher standard of consent. As a business owner, and especially in terms of online marketing, you need to be clear, at the right level of detail, about WHAT you are using a data subject’s personal data for.

What granularity of consent means is that it must be clear to your data subject what they are consenting to.

They must have a choice and be in control of what they choose to receive from you (in terms of email marketing). It will not be compliant to bundle the consent up into one tick box to receive everything and anything.

The Working Party Document says:

“A service may involve multiple processing operations for more than one purpose.

In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes.

In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.”

“When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.”

What we can translate that into saying is that when your subscribers sign up to your email list, you must let them choose for what purposes you will be contacting them using the data they are giving you (their email address).

Granularity of consent means that if your business is contacting subscribers about different types of services, you should offer them a choice about which service they want to hear about.

An example of this is a preference centre where you can choose the types of information you want to receive from a supermarket – groceries, holidays, clothing, wine club, third party providers.

Or a series of tick boxes at sign up where you can choose which lists you want to be on – men’s fashion, women’s fashion, kids’ fashion.

In the next paragraph, the working party document then provides this specific example:

“Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group.

This consent is not granular as there is no separate consents for these two separate purposes, therefore the consent will not be valid.

In this case, a specific consent should be collected to send the contact details to commercial partners.”

Therefore, what that tells me is that if you are sending emails about your own business services, which is what they originally signed up for in general terms, then this is still ok.

You don’t need to go down to the absolute nitty gritty about which types of emails you’ll be sending – blog posts, newsletter, promotions – as long as it stays within the realm of the information they signed up for in the first place.

It’s only if you’re using their data for something ELSE that you would need an additional consent tick box.

The flip side of this argument is that too many tick boxes could be a bad thing.

For example, presenting your data subjects with a long list of choices could lead to click fatigue and serve the opposite purpose – they won’t read any of them, they’ll just tick them all, or click away from your site without doing anything.

Granularity of consent is not only restricted to email marketing though. However for the purposes of this blog post, email marketing is all I am referring to, as it is the one that most people are struggling with understanding.

The Working Party document also goes into details about websites (cookies) and other purposes such as behavioural advertising.

In my GDPR pack, there is a Data Processing Inventory that will determine the different purposes and types of processing that you undertake in your business.

There are also seven additional modules of actionable, ordered templates covering exactly what you need to become GDPR compliant.

So to round up, my guidance would be:

  • Yes, it is sensible to offer tick boxes for options of marketing – emails, phone, and mail.
  • All we know is that it must be granular so that data subjects have choice and control. To what standard, we don’t know as yet.
  • The ICO haven’t given exact details on every eventuality of how we get consent, but the principle is that consent should not be bundled.
  • You shouldn’t have one consent covering every processing purpose that you’re going to do.
  • The more that you can split how you’re processing someone’s personal data down and have separate consents for each purpose of processing, the better.

Don’t forget if you have any additional questions on this subject, please come over to the FREE GDPR For Online Entrepreneurs Facebook Group – do a search first as there have been so many questions, it’s very likely you will find the answer you are looking for.

Alternatively watch my epic 2 hour GDPR Mythbusting Webinar where I run through GDPR, common questions asked and what I suggest you do to become compliant in your small business.


5 Simple Steps to Check Your Service Provider is GDPR Compliant.


You’d be forgiven for thinking that GDPR is challenging for you as a small business owner. Not only do you have to ensure that you’re GDPR compliant as a business yourself, you also have to ensure that all your third party service providers who process personal data for you (“processors”) are GDPR compliant too.

GDPR protects personal data. That means that if you are controlling clients’ or customers’ (data subjects) personal data using a third party service provider (such as a CRM or email marketing software), you must document and prove that particular processor is GDPR compliant too.

But how can I ensure my processors are GDPR compliant?

Here are my five simple steps to making sure your processors are GDPR compliant:

1. Make a list of all your processors. Providers like email marketing software, accounts software, cloud storage, CRM etc – anyone who processes personal data under your instructions.

2. Carry out research on all of your processors to see what they are saying about complying with GDPR. We have a spreadsheet on the status of many of the commonly used processors in my GDPR Facebook group [insert link to facebook group]

3. Make sure that you have a written Processor Agreement with all of your processors that contains all of the required provisions as set out in GDPR. If you are using a big processor eg Mailchimp, they will have their own Processor Agreement (or may incorporate the required processor terms into their terms of business). If your processor is smaller (such as a virtual assistant), then send them your own Processor Agreement (note that the obligation is on you as the data controller to ensure that a Processor Agreement is in place).

4. Work out whether each of your processors is based outside of the EEA or is transferring data outside of the EEA.

Next to each processor, mark where they are located – are they in the EEA, or are they outside of the EEA (European Economic Area)? Also check to see where they store or transfer their data (is it outside of the EEA?).

  • EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
  • EEA countries are all EU countries, plus Iceland, Liechtenstein and Norway.

5. If your processor is located outside of the EEA or if they transfer the personal data outside of the EEA, ensure you have the necessary safeguards in place for the transfer of that data.

Firstly, check if such countries are included in the list of countries which have been deemed to have a ‘positive finding of adequacy’ of data protection by the European Commission.

  • These countries are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay.

The European Commission assesses these countries to decide whether their data protection is adequate and, if it is, personal data can flow from the EEA to that country without any further steps on your part.

If your processor is based in the US, or if it transfers personal data there, then you need to check if they are registered on the EU/US Privacy Shield List.

The European Commission says “This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.”

If you go to the Privacy Shield Database you can search for each company on your list to see if it is registered.

But what if your processor is not in the EEA, not in a country with an adequacy finding and, if based in the US, NOT on the Privacy Shield Framework?

Thankfully, there are other ways of transferring data lawfully if you find that your processors aren’t in the EEA, aren’t in a country with an adequacy finding or aren’t part of the EU/US Privacy Shield.

The main existing way to safeguard personal data when it’s being transferred internationally and none of the above safeguards apply, is to enter into standard contractual clauses that have been pre-approved by the European Commission.

GDPR also provides for codes of conduct and certification but these are not established safeguards as yet.

What if your processor won’t enter into the standard contractual clauses (and a code of conduct or certification does not apply)?

Well in that case, you need to get explicit consent from each and every data subject to the transfer of their data outside of the EEA. The place to do this is via your new Privacy Notice and also a tick box (not pre-ticked) at the point of collection of the personal data (or if you are requesting the consent to transfer outside of the EEA after collecting the data, by a standalone request and tick box consent).

Aside from helping you with the steps to take as set out in this article, if you need to obtain a GDPR compliant Processor Agreement (that includes the EU standard contractual clauses for data transfers outside of the EEA) and a GDPR compliant Privacy Notice, then you may be interested in my GDPR Pack (which is currently priced at £147 and contains 20 legal documents and checklists to help you comply with GDPR). The price will be rising to £197 on 25 April 2018 (with one month to go until GDPR comes into effect).

As part of GDPR, we all need to be more vigilant about what personal data we are transferring outside of the EEA and put in place safeguards to protect people’s personal data.

By following my simple steps above (and by having the appropriate documents in place), you can take comfort that your third-party service provider processors are GDPR compliant.

If you’re feeling swamped by GDPR advice and don’t know how to discern the facts from the fiction, come over to my free GDPR For Online Entrepreneurs Facebook group where you can ask questions, watch my daily videos answering common questions and concerns and get real, factual guidance from a real expert.


Do I Need to Get Reconsent From an Existing List?

Small business owners are panicking.

“Do I need to get re-consent from an existing email list? What if I do and everyone unsubscribes, or doesn’t re-opt-in and I’m left with no one – I’ll lose my entire marketing list that took me so long to build up!”

Now, I’m talking about a typical small business which is not processing sensitive data, is not processing data on a large scale (hundreds of thousands of names) and is not doing anything dodgy.

There are arguments for and against requesting re-consent from an existing email list but the draft consent guidance from the ICO is clear:

“You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.”

Why is consent important?

– It puts your subscribers in control.
– It builds their trust with you – that you are using their data to contact them about something they agreed to, not taking advantage of having their email address.
– It therefore enhances your reputation.
– Relying on consent that was not freely given puts you at risk of destroying your subscribers’ trust, harming your reputation AND leaving you open to being reported and therefore fined.

My view is that if you meet the basic criteria below, then you don’t need to get reconsent. Obviously if we get updated guidance from the ICO, I will update this blog.

But as of today, this is my view.

The draft ICO consent guidance shows that the key elements of what consent is remain the same.

What GDPR does do is make certain that when someone gives you their consent, it is unambiguous and involves a clear action that they have agreed to give you their data for the purpose that’s stated.

So, should YOU get reconsent from an existing list?

I’ve broken down the argument into two simple choices. If you fall into the YES section, then it looks likely that your data doesn’t meet the new standards and will need re-consenting.

If you’re in the NO section, then the chances are that you were already getting valid consent to send further marketing and so you don’t have to refresh your list (unless you want to!).

YES

  • You don’t have up to date records of how the emails got onto your list. You have names, but no data showing where they came from (admin add, for example).
  • Your opt-in box to send further marketing was a pre-ticked box that didn’t allow subscribers to specifically choose to get further marketing emails from you, perhaps bundled in with your terms and conditions. This means that your subscribers didn’t freely give consent for ongoing marketing.
  • Your opt-in was for one very specific service (plumbing), but you’ve changed what you’re offering and now you’re sending them marketing emails about something very different (gas boilers) – you need to check if they still want to receive information on this (see my video about granularity of consent in the Facebook group).

ICO guidance: “In essence, there is a greater emphasis in the GDPR on individuals having clear granular choices upfront and ongoing control over their consent.”

  • You haven’t given your list the option of withdrawing their consent (unsubscribing) – this should always be at the bottom of your emails so that the right to withdraw consent is always available. You must make it obvious and not hidden away.
  • You want to refresh your list anyway and ensure that the people who are receiving your emails WANT to receive them – as good a chance as any to re-engage and end up with a much higher open rate (meaning more chance the emails won’t go into the spam folder!)

NO

  • You’ve always been very careful about getting consent. You have up to date records showing who, where, what and how they opted in. There is no ambiguity about how you got their data.
  • Their consent was freely given – not bundled into Terms and Conditions, or a pre-ticked box about sending further marketing emails. When they signed up, either they ticked a box to receive further information from you or it was very clear that you would be sending it. It’s not the granularity that is now required, but I think the ICO would be happy that it meets the standards if you put a tick box in place from this point on.
  • At the time of consent, you told them they would be receiving further marketing emails from you, therefore when they signed up, they had consented to that too (even if at the time it wasn’t a tick box, it was stated). Giving their email address and name under a statement saying you will send further emails to them is still consenting to this. If you are sending emails about the goods and services that they signed up for in the first place, then I would say that this is fine and the ICO have confirmed that to me. However I have heard other people saying the ICO have given guidance to say that they would still need granularity of consent, so it’s still not clear. My view is that as long as you’re not doing anything terrible with their data, you probably aren’t going to be fined. However, that’s as of today – I may have to update this guidance in the future when it becomes clearer.

GDPR definition: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

  • You are taking steps to becoming GDPR compliant – reviewing your email marketing list and removing all data that doesn’t comply, including when they unsubscribe. (MailChimp have confirmed that they will be applying this action to their platform to meet GDPR requirements, as at the moment you can’t delete them if they have unsubscribed).
  • You’re happy with your list. You have worked through whether the data is compliant and are satisfied with how they engage with your marketing. No need for a clean.

So I think that is clear. But the issue with consent shouldn’t stop here:

– You should be regularly making sure that the data you hold is current and within the regulations.
– You should be regularly making sure that the chance to unsubscribe is offered to your list.
– You should be regularly reviewing the content that you are sending out and if that meets the consent that you have from subscribers.

ICO guidance: “You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.”
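The record the YES/NO checklist above depends on (who, where, what and how each person opted in, with one consent per purpose as the granularity post describes) can be kept as a small ledger and queried before every send. The example below is added here and is not code from the original post: the purpose names, method labels and sample subscribers are constructed assumptions, and the classification rules are one reading of the checklist above, not ICO guidance.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Methods the checklist treats as a valid, freely given opt-in (NO column).
# "stated-at-signup" is the "it was very clear you would be sending it" case.
VALID_METHODS = {"unticked-checkbox", "double-opt-in", "stated-at-signup"}
# Methods in the YES column: consent exists on paper but not to the GDPR standard.
WEAK_METHODS = {"pre-ticked", "bundled-in-terms", "unknown"}


@dataclass
class ConsentEvent:
    """One opt-in or withdrawal for ONE purpose (granularity: never a bundle)."""
    purpose: str    # what: "newsletter", "plumbing", "gas-boilers", "share-with-partners", ...
    given: bool     # True = consent given, False = withdrawn / unsubscribed
    at: int         # when: unix timestamp
    source: str     # where: "signup-form:/join", "checkout", "admin-add", ...
    method: str     # how: one of VALID_METHODS or WEAK_METHODS (or "unsubscribe-link")
    evidence: str   # the wording the person saw, or a form version id


@dataclass
class Subscriber:
    email: str
    events: List[ConsentEvent] = field(default_factory=list)

    def latest(self, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this purpose; a later withdrawal beats an earlier opt-in."""
        matching = [e for e in self.events if e.purpose == purpose]
        return max(matching, key=lambda e: e.at) if matching else None

    def audit(self, purpose: str) -> str:
        """Classify the record for one purpose:
        'ok'          valid consent on file, may email
        'withdrawn'   they unsubscribed, must not email
        'reconsent'   consent exists but is below the GDPR standard (YES column)
        'no-consent'  never asked for THIS purpose (e.g. plumbing list used for gas boilers)
        """
        e = self.latest(purpose)
        if e is None:
            return "no-consent"
        if not e.given:
            return "withdrawn"
        if e.method in VALID_METHODS and e.source != "admin-add":
            return "ok"
        return "reconsent"

    def may_email(self, purpose: str) -> bool:
        return self.audit(purpose) == "ok"


def segment(subscribers: List[Subscriber], purpose: str) -> Dict[str, List[str]]:
    """Split a list into the four buckets so each can be handled differently."""
    buckets: Dict[str, List[str]] = {"ok": [], "withdrawn": [], "reconsent": [], "no-consent": []}
    for s in subscribers:
        buckets[s.audit(purpose)].append(s.email)
    return buckets


def build_sample_list() -> List[Subscriber]:
    """Constructed sample data for the demonstration, not a real list."""
    return [
        Subscriber("alice@example.com", [
            ConsentEvent("newsletter", True, 1500000000, "signup-form:/join",
                         "unticked-checkbox", "Tick to receive our monthly newsletter"),
        ]),
        Subscriber("bob@example.com", [
            ConsentEvent("newsletter", True, 1500000000, "signup-form:/join",
                         "pre-ticked", "Pre-ticked 'keep me updated' box"),
        ]),
        Subscriber("carol@example.com", [
            ConsentEvent("newsletter", True, 1500000000, "admin-add", "unknown", "no record"),
        ]),
        Subscriber("dave@example.com", [
            ConsentEvent("newsletter", True, 1500000000, "signup-form:/join",
                         "unticked-checkbox", "Tick to receive our monthly newsletter"),
            ConsentEvent("newsletter", False, 1520000000, "unsubscribe-link",
                         "unsubscribe-link", "Clicked unsubscribe in email #42"),
        ]),
        Subscriber("erin@example.com", [
            ConsentEvent("plumbing", True, 1500000000, "signup-form:/plumbing",
                         "unticked-checkbox", "Tick for plumbing offers"),
        ]),
    ]


if __name__ == "__main__":
    for bucket, emails in segment(build_sample_list(), "newsletter").items():
        print(f"{bucket:11s} {emails}")
```

Running it over the sample list puts alice in "ok", bob and carol in "reconsent", dave in "withdrawn" and erin in "no-consent"; erin can still be emailed about plumbing, but asking her about gas boilers needs a new, separate consent.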

I’m taking the opportunity to re-engage my list and make sure they’re getting what they want from me because having subscribers in my list who don’t open or read my emails is negatively affecting my ability to reach the people who DO want to see what I send.

The more unopened emails and unsubscribes you have, the lower your sender reputation is likely to be, and the more likely you’ll end up in the junk folders of the people who DO want to read your emails.

I’m going to put together a re-engagement campaign and those who don’t opt-in will be taken off my list – it’s a chance to clean it!

If you want to do the same, come over to the Facebook group and watch the expert webinar with Karen Skidmore about how to do a re-engagement campaign to your list.

There are no data protection police who will be out there on the 26th May 2018 checking to see that you have the right GDPR consent for your list. That won’t happen.

There’s a few simple steps that you need to take, but please don’t lose sleep about being fined. Instead why not buy my GDPR Compliance Legal Pack and I can help you take the right steps towards protecting your business.

You’ll get access to 20 legal template documents and checklists, plus video guides from me that will enable you to be GDPR compliant. Click here to get started today.

Consumers are getting savvier about their rights, so if you’re not following GDPR there is more of a chance that someone is going to be complaining.

Don’t ignore it. Consent is just one small part to GDPR, but a big challenge for some businesses who haven’t been keeping up to date with their records.

Look at it from a glass half full point of view – at least you will have a list full of people who are more likely to buy your products and services anyway.

And once you remove the ‘dead wood’, they’ll actually SEE your emails in order to do so!


Do You Need Double Opt-In for GDPR?

One question that keeps coming up within the small business communities is whether you need to switch all your opt-in forms to double opt-in for GDPR.

 Do I need double opt-in?
 Do I have to use double opt-in for everyone?
 Is single opt-in enough to prove that someone has signed up to my list with consent?
 What about the subscribers who didn’t confirm through double opt-in?
 Am I going to have to scrap my whole email list?!

Double opt-in is when a new subscriber to your email marketing list receives a second email asking them to confirm their email address by clicking a link.

This “double opt-in process” is designed to make (double) sure that the person who received the email actually wants to be on your list.
It is considered to be marketing best practice but things have got a little confused and hyped up.

I have seen a lot of conflicting advice going around leading many to believe it is mandatory for GDPR.

This blog post aims to set the story straight.

Do you need double opt-in for GDPR?

The quick and easy answer is no.

It is not a requirement in the GDPR legislation to have double opt-in. You do not NEED double opt-in for GDPR to ensure compliance and consent.

So, does this mean that we can all switch it off?

Maybe not.

If we are welcoming GDPR as an opportunity to make our lists cleaner, then double opt-in can increase the quality of new leads into our lists. It avoids the chance of false data entered by a bot or by someone who is not the owner of the email address. It also ensures that subscribers who do go through the double opt-in process are interested in what we have to offer.
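Mechanically, the double opt-in described above is a confirmation link whose contents cannot be forged or edited by whoever clicks it, which is what stops a bot or a stranger from putting someone else’s address on the list. The example below is added here and is not code from the original post; the key handling, the 48-hour expiry and the purpose names are assumptions. It shows both halves of the process: issuing a keyed-hash (HMAC) token when the form is submitted, and verifying it on click before any consent record is written, rejecting tampered, expired and malformed links without raising.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

# Assumption: in production this key comes from configuration or a secrets manager,
# not a fresh random value per process (a restart would invalidate outstanding links).
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 48 * 3600  # assumption: confirmation links stop working after 48 hours


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def make_confirmation_token(email: str, purposes: List[str],
                            issued_at: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Step 1 (form submitted): build the link payload. It carries the address and the
    purposes the visitor ticked; the HMAC stops anyone editing either before clicking."""
    payload = {
        "email": email.strip().lower(),
        "purposes": sorted(set(purposes)),
        "iat": int(time.time() if issued_at is None else issued_at),
    }
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(mac)).decode("ascii")


def verify_confirmation_token(token: str, now: Optional[int] = None,
                              key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL) -> Optional[dict]:
    """Step 2 (link clicked): return the payload, or None for anything forged, tampered,
    expired or malformed. Never raises on attacker-controlled input."""
    try:
        body, sig = token.encode("ascii").rsplit(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # compare_digest is constant-time, so a forger learns nothing from response timing
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body))
        issued = int(payload["iat"])
    except (ValueError, TypeError, KeyError, UnicodeError):
        return None
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= ttl:
        return None
    return payload


def confirm_subscription(token: str, store: Dict[str, dict], now: Optional[int] = None) -> bool:
    """Turn a pending signup into a consent record, one entry per purpose (granular).
    The token itself is kept as evidence of the click."""
    payload = verify_confirmation_token(token, now)
    if payload is None:
        return False
    when = int(time.time() if now is None else now)
    record = store.setdefault(payload["email"], {})
    for purpose in payload["purposes"]:
        record[purpose] = {"confirmed_at": when, "method": "double-opt-in", "evidence": token}
    return True


if __name__ == "__main__":
    link = make_confirmation_token("Alice@Example.com", ["newsletter"])
    consents: Dict[str, dict] = {}
    print("confirmed:", confirm_subscription(link, consents))
    print(consents)
```

The address is only written to the consent store after the link is verified, so an unconfirmed form submission leaves nothing behind, and the stored token doubles as the "how" evidence the re-consent checklist asks for. Anything submitted by a bot that never reads the mailbox, or with an address the visitor does not control, never gets past step 2.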

Double opt-in may be useful depending on what type of data you are processing.

GDPR has renamed “Sensitive Data” as “Special Category Data”, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.

If you are dealing with any information in this category, then you will need to have “explicit consent” to use it. An example of how to get explicit consent might be to use double opt-in.

“All I’ve been hearing is that double opt-in is the only way to prove consent”

GDPR does impose a higher standard of consent than we have under existing regulations but consent is not the only lawful ground for processing someone’s data.

In addition, double opt-in for GDPR is not the only answer to getting consent.

Consent in GDPR is a whole other kettle of fish and has many different levels to consider. I’ll be going into this in more detail in a future blog.
If you can’t wait though, learn more in this video I delivered inside my free “GDPR for Online Business” Facebook group on GDPR and the granularities of consent.

Your first step to understanding GDPR for your business should be to download my free GDPR Checklist. Here you’ll discover the easy way to become GDPR compliant.

The checklist includes steps to ensure you have consent for your marketing, without necessarily needing double opt-in.

Next time you see a double opt-in for GDPR argument going on with information that you now know is not true, please do them all a favour and give them the link to this post and suggest they join my Facebook group.

Then they’ll have access to clear and simple legal GDPR guidance that won’t scare them to death!


Transcript of the video

I’m Suzanne Dibble, a data protection expert. This is me, raw and uncut, but delivering you massive free value in terms of knowledge about GDPR. Hmm, it’s starting to rain.

Okay, so today’s question is do you need a double opt-in post GDPR for your marketing emails? And the quick answer is no, you don’t. Okay? So nothing in the legislation says that you need double opt-in. Now, this is GDPR I’m talking about, if you’re in the States or in Canada then you have your own laws, which I know do require double opt-in. So we’re just talking purely about GDPR.

Now, slightly more complex than that, in that there is this new … Well, it’s kind of similar to what there was before, but a little bit expanded, and they call it special category data, what we used to think of as sensitive data. And that’s things like your race, your political persuasion, and your religious beliefs. And it also now extends to biometric data.

Oh, excuse me, up the hill here. And there are a number of things like that, and I’ll post what the new sensitive data is in the comments below. If you’re dealing with that type of information, then you need explicit consent. Now, the working party has just released some guidance on what constitutes explicit consent. Now, as an example of how to get explicit consent, they say that double opt-in might be a way of getting that explicit consent. So if you’re processing sensitive information, or special category data, then double opt-in might be appropriate.

But the simple answer is no, GDPR does not in every case require double opt-in. If you’re dealing with sensitive data, then it might be a way of demonstrating explicit consent. Hope that clears things up, if not, comment on the video and I’ll answer your question.


Suzanne Dibble

Suzanne Dibble is a multi-award-winning business lawyer who consults with multinationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin, where she managed a group-wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award; Suzanne was subsequently runner-up in this prestigious award. Suzanne has had second-to-none training and experience at a top City law firm, leading billion-pound deals and sitting on the board of a £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers who really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.
