It’s certainly the first question I get asked by people on a regular basis, the conversation goes something like this:
Q: We know we are going to need to reconsent all of our data, we are wondering how best to do it?
Me: You don’t necessarily need to do that.
Q: But GDPR is all about consent isn’t it? That’s what everyone has been telling us.
Me: No, it’s not all about consent, it’s all about choosing the right legal basis for processing and making sure you meet the needs of that basis.
Q: But if we reconsent our whole marketing database, we’ll be GDPR compliant, won’t we?
Me: You’ll most likely lose 80% of your marketing database, half of your revenue and have nothing more than consent to send marketing communications to those people. Is that all you want to do?
Q: No, but we don’t have a choice, do we?
Me: Actually, you probably do…
What processing are you doing?
The chances are, that you would like to do more than just send marketing communications to people. The chances are, you want to undertake processing such as:
- Tracking links clicked and webpages visited
- RFM analysis and classification
- Predictive analysis
The list goes on…
I say this because you are reading a blog posted by the Institute of Direct Marketing, and all the clever stuff on that list makes Direct Marketing what it is!
That list is the processing that the GDPR is meant to cover. It’s the activity that you are likely to be undertaking using legitimate interest, under the Data Protection Act 1998. The consent most marketers are talking about is the consent you sometimes need to send people electronic marketing, such as email, SMS and social, under the Privacy and Electronic Communications Regulations 2003 (PECR). That law is not due to change for 12 to 24 months.
Let’s put the stuff covered by PECR aside and focus on the other clever stuff mentioned on the list above.
The conversation continues:
Q: That’s fantastic, we thought the idea of reconsenting our database was going to be a disaster! Great, we’re saved, so we don’t have anything to do then, phew!
Me: Hang on, that’s not what I said (I love marketing’s optimism).
‘Consent’ or ‘legitimate interest’ are the two legal basis for processing that are likely to be of interest to marketers. It’s possible, that under certain circumstances, consent might be required for marketing data processing, but for most situations ‘Legitimate Interest’ will be most suitable. I must stress at this point, that choosing the right basis is very important, because if you make the wrong choice you might find it difficult to meet the needs of that basis.
Unfortunately, both sides are a subjective choice as you are either balancing your legitimate interests against the rights and freedoms of the individual, or making a choice about how much information equals ‘informed’. How specific does it need to be to be specific? As for being unambiguous, I’m not even going there!
It’s not all scary confusion, but it does require that you undertake some work to decide what you need to do to get it right. The first stage is to look at why you process personal data for direct marketing.
Consider the different types of processing that you do; you may do some, or all items on the list above. Is all the processing ‘necessary’ for carrying out direct marketing properly? Is what you’re doing with the data, likely to be reasonably expected by your customer? Is it relevant to your relationship with them? If this is the case, it is likely that legitimate interest could be the way to go. This is not an exhaustive list of requirements, so you will need to undertake a proper impact assessment to find out if you qualify to use legitimate interest.
The Data Protection Network (in conjunction with the DMA and others) have produced some great guidance on legitimate interest, with a really handy template to help you with the Legitimate Interest Assessment on your data. In a nutshell:
- Find out what data you have got and what you use it for
- Apply the tests using the template in the DPN guide
- Make your decision – can you justify legitimate interest, or will it need to be consent?
At least you will know why you are making the decision, which will help you in writing your privacy notices and consent statements if required.
Make the right choice
You should decide which way to go based on need. If consent is the best way to go it should be because your use of data presents a risk to the rights and freedoms of the individual. If this is not the case and your Legitimate Interest Assessment says you can use legitimate interest, then use it.
Why put the business through unnecessary pain and your customers through unnecessary inconvenience, if you don’t need to?
For more GDPR resources from me head to the RedEye Insights page.
If you are still unsure about how the GDPR will affect you and your business, or you need start practical preparations, check out the IDM’s full GDPR training portfolio. Ranging from an entry level basics course to an expert level professional qualificaion, there is something for everyone no matter which part of the preparation journey you are currently at.