A frequently asked question is whether an organisation needs to seek fresh or renewed consent from its clients or customers once the GDPR is in force. Panic has spread as organisations realise that entire databases may have to be trawled through while consents are sought and recorded.
To be clear: you are not required to automatically refresh all existing DPA consents in preparation for the GDPR. It is, however, important to check both your processes for gaining consent and your records of the consents already gained, to ensure that existing consents meet the higher bar the GDPR sets for consent.
Recital 171 of the GDPR states that “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
This means that consent collected pre-GDPR remains valid, and can continue to be relied upon, only if it was obtained to the GDPR standard. Consents that fall short of that standard will be invalid; if processing is to continue on the basis of consent, new consent meeting the higher GDPR standard must be obtained in order to be compliant.
If you conclude that your pre-GDPR consents are invalid, there are options available to you. First, you can re-seek GDPR-compliant consent. Second, you can consider whether a different legal basis could support your future processing. Under the GDPR you must be able to point to a lawful basis in order to process personal data, and there are six to choose from: consent, contract, legal obligation, vital interests, public task and legitimate interests. It may therefore be possible to avoid seeking fresh consent altogether by relying on an alternative lawful basis, if an appropriate one is available for your purposes.
If the processing is for the purpose of direct marketing, legitimate interests may be available as an alternative lawful basis; indeed, Recital 47 of the GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. A light at the end of the tunnel, it seems.
Sadly, it is not quite this straightforward for marketers. If you undertake direct marketing, then as well as being able to point to your lawful basis for processing under the GDPR, you must also comply with the e-Privacy Directive, which contains further rules governing consent for electronic marketing. Furthermore, the e-Privacy Directive is itself being reformed and is to be replaced by a new e-Privacy Regulation (currently still a proposal), which marketers will have to comply with once it is in force.
Fear not, though: there may be another light in that tunnel. Both the Directive and the proposed Regulation require opt-in consent for e-mail and text marketing, unless an individual's contact details were collected in the context of a sale, the marketing relates to the sender's own similar products or services, and the individual was given the ability to opt out at the time the details were collected (and in each subsequent message). Note that the Directive also allows negotiations for a sale to be relied upon, whereas the proposed Regulation narrows the exception by requiring an actual sale to have occurred. Where these conditions are met, no opt-in consent is required and marketing by e-mail or text is allowed on an opt-out basis (the "soft opt-in" exception).
There is, however, a problem here. The obvious solution for those who have in the past relied on non-GDPR-compliant consent for direct marketing would seem to be to seek GDPR-compliant consent from those individuals now. But ICO guidance states that organisations cannot e-mail or text an individual to ask for consent to future marketing messages, because that e-mail or text is itself sent for the purposes of direct marketing and so is subject to the same rules as any other marketing text or e-mail. The method used to seek fresh consent therefore becomes problematic.
In conclusion, data controllers currently relying on consent for any of their (non-marketing) data processing must review the processes used to obtain that consent and check whether it meets the GDPR's criteria for valid consent. If it does, they can continue to rely on it. If not, they must choose between seeking new GDPR-compliant consent and establishing whether they can validly rely on an alternative lawful basis for future processing.
Those undertaking direct marketing have an extra hurdle to cross: they must also familiarise themselves with the e-Privacy Directive, and soon the e-Privacy Regulation, and ensure that they adhere to this additional set of rules. Those who have previously relied on the soft opt-in exception on the basis of a past sale should be able to carry on safely. However, those who previously relied on opt-in consent for direct marketing, or on the soft opt-in on the basis of past negotiations for a sale, now find themselves in a difficult position. They face a choice between deleting their entire marketing database and starting from scratch with data obtained through new sales, and risking non-compliance and the tough sanctions that may follow.
If you have any further queries about the GDPR or the e-Privacy Regulation and how they may affect you or your business, please contact Andy Harris at firstname.lastname@example.org or Sarah Cashmore at email@example.com