In our recent phenomenally successful webinar—The Path to GDPR: Ask the Experts from Return Path—we received a large number of questions, both from webinar sign-ups and during the webinar itself. We were able to answer a couple during the webinar, but we wanted to address the rest of the great questions we received in this blog series. In the first post, we responded to questions about consent and legitimate interest. In this second post, we will answer questions about re-permissioning.
But first—a quick disclaimer!
The materials appearing in this article do not constitute legal advice from Return Path or from any of the associations we are members of or reference materials from, and are provided for general information purposes only. It is recommended that you contact your general or legal counsel.
What are some best ways for marketing to roll out re-permissioning to all existing EU opt-ins?
In short: 1) Do it now!; 2) Don’t just rely on a “one hit” approach; 3) Learn from some of the great examples we showed in the webinar.
Note that one of the requirements of the GDPR is that a company should only hold onto data for as long as is necessary, but there is no defined measure for what can be deemed ‘as long as necessary’. Can a company justify sending sales emails to someone who subscribed to a newsletter six years after the fact? If a person was signed up for a mailing list more than two years ago and they had either not purposely opted in or are receiving email that they had not opted in for, it is best practice for the company to seek permission to maintain contact via email and then to repeat this action every two years thereafter. Otherwise, to comply with the regulation, this data would have to be destroyed.
Only re-permission those who have previously given you consent. In the B2C world, sending a re-permission email to an individual who has opted out (or once subscribed but has since opted out) is already a breach of existing rules.
Make your subscription options granular. You should be doing this for GDPR anyway (i.e. unbundled consent), so think about giving people preferences for all your marketing channels rather than a single ‘unsubscribe’ option. While someone might object to phone calls and emails, they might accept SMS, for example.
You can look to incentivize consent to some extent, as there will usually be a benefit to consenting to processing; for example, joining a loyalty scheme might entitle you to money-off vouchers. However, people must be able to say no without suffering a detriment. In this instance, the fact that the benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal.
Do you need consent to email news updates to your existing clients, some of which you might not have worked with for 12 months?
It depends on whether you were GDPR compliant when they originally signed up. Ideally, you would want to be doing this as a matter of best practice anyway. Also, remember—per our earlier response—that one of the requirements of the GDPR is that a company should only hold onto data for as long as is necessary. Although there is no defined measure for what can be deemed ‘as long as necessary’, you should consider how a normal customer would interpret this, and then process their data on this “reasonable man” basis.
1) What best practice methods can you share for ways to get our existing databases compliant? 2) What are the best methods to get new leads and/or clients compliant?
This comes back to the point we have made several times that GDPR is a force for good. Many of the requirements that are now becoming law have been advocated as best practices for years already. This is why we are seeing the performance uplifts that we have showcased with the likes of Man Utd, Lloyds Bank, and the RSPB.
From now until May 25, 2018, you have a small window to get adequate permission from your subscribers—so, consider running campaigns to grab their attention using things like incentives, offers, or content upgrades.
You should always target customers that subscribed to your mailing list at any point during your old, non-GDPR-compliant days of “pre-checked” opt-in boxes at the point of sign-up. If you can’t identify how, when, and where consent was obtained, the best option in order to be compliant is to ask again. It’s also wise to offer these contacts a clear unsubscribe route to ensure you are clearing your database of anyone who doesn’t care to receive messages.
It’s fine to send contacts friendly reminders if they still need a nudge to make a decision on re-confirmation of consent. Ensure you are spacing out these reminders to avoid a barrage of communications hitting your contacts’ inbox in a short period of time.
You don’t have to just use email. Consider making the most of your other channels to drive confirmed opt-ins. You can use social media, email, mobile push, text messaging, or pop-ups to lead contacts to a quick form.
How does GDPR affect the already existing data of customers who signed up for newsletters (double opt-in)? Is there a need for a re-permission campaign for those customers before May 25th?
There is an important point here to reinforce, which is that GDPR is far bigger than just consent—it is a major overhaul of the broader data protection regulations that govern how personal data can be processed. Similarly, double opt-in does not equate to consent—it simply meets the requirements for positive opt-in, plus the recording of consent.
In terms of the need for re-permissioning, ICO guidance has the following to say:
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. However, you will need to be confident that your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily. On the other hand, if existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
In short, there is no requirement to re-permission if your original acquisition process was GDPR compliant, and you can prove this was the case.
What would become of previously gathered contacts? Will they remain accessible or should they be put aside?
Per an earlier response:
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
What happens with the contacts whose proof of consent has not been saved because they were opted in before GDPR?
Per the previous response—if you are going to continue relying on consent as your basis for processing this data, then you will need to be able to demonstrate the consent was acquired in a GDPR-compliant manner. Failing that, you will need to re-permission these records.
If you would like more information about GDPR, you can browse our GDPR category on the blog or watch our recent webinar. And if you have questions of your own, feel free to leave them in the comment section below.