GDPR – Do You Need To Get Fresh Consent From Your List ?

Transcript of the Video

Good afternoon, ladies and gentleman. Suzanne Dibble here, data protection law expert coming to you live and uncut from the woods at the back of my house. The reason for this, slightly out of breath, I just climbed a big hill. The reason for this is, I have a 13 hour flight tomorrow and I haven't yet packed so time is somewhat at a premium so I'm just doing this quick video for you and the topic of the video is something that I've been inspired to do by an email from one of our great members and a subsequent conversation that I had with her.

It's about the issue, still and we've raised it a number of times, but this issue of going back out to your list for a fresh consent. Now, this lady said to me that they've been very careful about getting consent previously. They've got records of when the consent was given and there's not used tick boxes but what they probably haven't done and the GDPR says that they need to do is not bundle the consents together. They might not have had the granularity of consent that we think might be requested by GDPR. She was asking me, "Does she need to go out and get fresh consent?" My answer is, it's really not clear because I've seen a very well respected marketing guy post in another group, to say that he phoned up the ICO and ran exactly the same scenario past them in terms of the fact that he could show people consented. He hadn't used tick boxes.

He was sending them information about goods and services that were likely to be relevant to them on the basis of what they had signed up for and the ICO said that sounded fine, he wouldn't need to go and get fresh consent. Now, I saw in another group that someone had phoned the ICO and they said something completely different, so the answer is that we don't really know. Now, I would say, as you know I always like to come at these things from a risk analysis point of view, and I would say that if you have got that consent, the fact that you haven't maybe been as granular in getting that consent as you should have been, does not mean that you are going to get fined 20 million euros on the 26th of May if you don't go out to your list and get fresh consent.

Well, of course, it doesn't. If you have a stroppy customer or prospect on your list who you email after the 25th of May and they say, "Hold on a minute, you didn't get in touch with me and ask for my fresh consent," and for some reason, they are so outraged that they complain to the ICO. Well, A, would the ICO actually come and investigate you anyway? In my view, probably not, unless there were a large number of complaints about it or you're doing something particularly impactful with the data that was impacting on the rights and freedoms of those data subjects. Would they come and investigate you in the first place? No, but even if they did, I think the position is unclear. There are clearly people who are being told that it's okay from the ICO not to get consent.

It's so unclear that if the ICO did come and investigate they would probably say, "Well, in theory, you should have gone to get fresh consent but here's what you need to do by such and such a date. Go and do it." The challenge, I think, if you fail to go out to your list and get fresh consent, the chance of you being in any way, having any kind of sanction is very, very slim. Now, me personally, I'm taking GDPR as an opportunity to re-engage my list and to make sure that the people on my list are actually getting what they want because I know that by having people who are disengaged on my list that is negatively impacting on the chances of the people who actually want to see my stuff, seeing it. I'm going to be doing a good list hygiene, some good list hygiene before GDPR. I'm going to be putting into place a re-engagement campaign and the people that don't opt-in, I'm going to take them off my list because I think that's what's going to be good for my business.

If you're saying to me, "Suzanne, are you saying to me that I definitely need to go out and get fresh consent from my list or something awful is going to happen to me?" No, that is absolutely not what I'm saying. Okay? So, it's for you to decide what to do. I think the guidance, certainly that we seem to be getting from the phone lines of the ICO is varying, and I think that if you are a typical small business that is processing, not processing data on a large scale, not processing sensitive data, not doing anything dodgy with data that people would complain about. Then, in all likelihood, you're going to be absolutely fine if you decide not to go out and get fresh consent. I'll say, it's a risk analysis for you, they are my views as of this moment. Now, if we get any updated guidance or I hear of any other matters that impact on this, then I'll update the video. As of today, which is the 27th of March, that is my view, as of today. Hope that helps and yeah, I'll see you on the other side.