Every hour on the hour I’m asked the same question (sometimes twice an hour on busy days):
“With this GDPR thing, do I need consent to carry on emailing my data?”
My answer remains the same. “Yes”.
“Oh”, followed by a nervous pause, is often the reply.
But here’s the scoop: under current law you have needed consent to email your database since 2003.
The Privacy and Electronic Communications Regulations (PECR) we all currently abide by (and will continue to abide by after May 25th) require consent for email marketing.
I guess PECR back in the day didn’t have a good PR agent like the GDPR has…
(Amazing what the threat of a WHOPPING FINE will do to an attention span)
So do you have consent as the law stands? In a nutshell:
The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:
- they have specifically consented to electronic mail from you; or
- they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.
Tick those boxes? Congratulations – looks like you have consent.
But do I need to get my database to re-confirm consent under the GDPR?
No, you do not.
I understand the confusion: it’s only been in the last 2-3 months that published media on the subject has stopped saying consent is what you need under the GDPR and started talking about the other 5 (YES 5!) lawful bases that allow you as a business to process data under the GDPR.
The biggest one being Legitimate Interest. And here it is, in another nutshell:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
So you as a business (you’re the controller mentioned above) have a legitimate interest in emailing your database. In the bluntest of terms, they have money and you have product, you need that money to survive.
Of course it is not that simple, but it’s not hard to implement either. I recommend reading the guide on Legitimate Interest produced by the DPN.
So the marriage of PECR and legitimate interest is a viable option. Using both of these correctly means you do not need your entire database to re-confirm / confirm consent.
Ironically, this is the mere tip of the iceberg. Even with consent you could still face a fine from the ICO if the rest of your ship isn’t in order.
The GDPR is all about Protection not communication. (That’s why it’s the GDPR not the GDCR)
Ask yourself: “If the ICO came knocking with a complaint, do I have”:
- A documented breach policy
- An appointed Data Protection Officer (DPO)
- A documented access request policy
- A documented data retention policy
- A documented clear roadmap of how and where data is collected and stored
- A list of my data processors.
They will look for these as well as consent; without them you could be facing one of those WHOPPING FINES…
Operations Director at NewZapp