GDPR Myth – “fresh consent is required from all customers”
A lot has been made of the upcoming General Data Protection Regulation (GDPR), but it would seem a proportion of it has been to panic companies into action they didn’t need to carry out or companies are acting ‘just in case’ to prevent being fined. It reminds us of the Millennium bug panic which saw a lot of companies making themselves out to be experts, suggested companies needed to attend seminars, have systems checked, redeveloped or scrapped as the whole world was going to fail the moment midnight on the 31st December 1999 ticked over. In the end, yes there were some issues, but not the Armageddon that was predicted. Was that down to the intense preparation, or was the issue just not as bad as it was made out by all those making money from it at the time?
The Deputy Information Commissioner clearly has reacted to the mass of companies falling over themselves to get all their existing customers or prospects to give new consent to be communicated with and all those emails we are getting at the final hour.
Extract of the post by Steve Wood, Deputy Information Commissioner:
Some of the myths we’ve heard are, “GDPR means I won’t be able to send my newsletter out anymore” or “GDPR says I’ll need to get fresh consent for everything I do.”
I can say categorically that these are wrong, but if misinformation is still being packaged as the truth, I need to bust another myth.
Myth #9 We have to get fresh consent from all our customers to comply with the GDPR.
You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.
Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
So clearly, the key is that companies should have been following the sensible requirements of the Data Protection Act in the first place, and if they did, there really isn’t an issue.
The GDPR that is coming into force on the 25th is far reaching and often not fully understood. Part of that is because it is for companies themselves to work out how it affects them and how they should react. A lot of the regulations are really common sense and perhaps we should all have been following them for some time. The fact that it should make us all far more careful where our clients data is shared or stored has to be a good thing, as those cases where laptops with un-encrypted information have been left on trains, or where website have been hacked show.
However, we still see loads of websites, many created by trusted web designers that don’t even include information that was required by the Companies Act that came into force 1 January 2007 or the EC Directive Regulations in 2002. The same regulations that require regulatory information to be held in email footers. We will post about those soon, so you can check you are compliant.
As a final thought, this post title by the ICO back in August 2017 more or less sums the whole thing up
GDPR is an evolution in data protection, not a burdensome revolution.
Check the blog post, or the ICO website for more details.
Image courtesey of Descrier (descrier.co.uk)