One of the most significant changes under the GDPR is the new standard for obtaining consent for the processing of personal data.
Most businesses who engage in email marketing to their clients or customers (data subjects) rely on their consent to such marketing. All such businesses will now have to review the consents that were obtained from the data subjects to identify whether or not the consent meets the requirements of the GDPR. Where they do not, fresh consent must be sought in order to comply with the GDPR.
Advertisers should also be aware that under the ePrivacy Regulations there are potential criminal sanctions for illegal direct marketing.
This article sets out the steps a business should take where they engage in email marketing on the basis of the consent of the data subject.
Step One: Review your marketing lists and databases for evidence of consent
Where you rely on consent as a basis for processing personal data the GDPR requires you to be able to demonstrate that you have valid consent from each data subject. The consent should include details on who consented, when, to what, how they consented and it should be checked whether they have asked that their consent be withdrawn.
Where consent was given you should examine whether the consent meets the requirements of the GDPR. In particular:
Did the data subject clearly demonstrate their consent with a statement or affirmative action? Failure to untick a pre-ticked box is not affirmative action. Was the consent separate from other terms and conditions? For example, you cannot make the provision of a service contingent on consent being given where email marketing is not necessary for the service being supplied. Did you tell the data subject that they have a right to withdraw their consent and tell them how to do this? Did you tell them the purposes for which you would be using their information and are those purposes the same now? Step Two: Refresh any consents that do not comply with the GDPR
If you hold consents which comply with all the requirements of the GDPR then you may continue to process this information. However, where the consents cannot be shown to comply with the GDPR (which is probably more likely) you need to commence a re-permission exercise.
Each individual for whom you hold personal data should be contacted and asked to provide a renewed consent that will comply with the GDPR. In order to meet the requirement of "informed" consent you will have to provide a...