GDPR Issues in getting consent.
One of the biggest difference between the old Data Protection Act
and the new General Data Protection Regulations (GDPR) is the issue of “informed unambiguous consent”. This change will have a massive impact on how some organisations deal with their client base. Most CRM systems will become redundant (see previous article), as they will not have permission to contact more than a very few “prospects” on the system. Many organisations will have to build their client base from scratch as they will not even be able to contact those people on their database to get their consent for further contact as they don’t have consent to contact them to ask for that consent in the first place. To add to the complexity, consent to contact can only be given for the purposes defined by the data controller (see previous article). For example, if Vodafone gets permission to contact its clients with regard to mobile phone offers that would be fine, but say they then changed their business model to capture client feedback on health services in that area, this would not relate to the consent already given, so customers would need to be contacted again to “opt in” to this new service.
Informed and unambiguous
That is the part where “informed unambiguous consent” comes in. No longer will just an automated tick box be sufficient. There would have to be an explanation of what the clients are getting themselves into and then they would actively need to “approve” for the right to be contacted. For some organisations that would be easier than others. Take your various coffee shop chains for example. If they offer free Wi-Fi then they might have as part of their T&Cs that the chain can contact clients with special offers. Then the client can then decide on this basis whether to use the service or not. They would have the choice to “opt in”. However, if the chain sent out an offer via Bluetooth to all and sundry walking by, then that would not be on the basis of active consent as the general public would not have had a choice about whether they received the content or not.
In many instances, this will present a field day for lawyers as companies update their contracts, website and engagement letters, but remember the new content has to be “clear and unambiguous”, in other words in everyday language. Endless qualification of terms in legal jargon covering every possible scenario is not the point. It may be an idea for you to draft up what you think you need, get a lawyer to review, test it on colleagues and customers and then go live.
An opportunity to review
This may also be a good time to review how you connect with your customers and suppliers. To make sure you have consent, special discounts or incentives could be used to re-engage with your contacts. At the moment we are offering a complimentary “Excel A&E” surgery service on our website. To access the service, potential clients have to fill out a web form with their details and give permission for us to add them to our Newsletter subscription list. Their information then links directly to our CRM system. Not only have the given consent, but also the responsibility for filling in the correct details rests on their shoulders, alieving an internal admin task. Others are having to come up with similar innovative ways to engage with people that will not only “tick the right boxes”, but give the public confidence that they will be dealing with a trustworthy and reliable organisation.
About the Author
Malcolm Ford has worked as a project manager on a number of software builds and now is bringing his experience to assist companies in dealing with the changes which the GDPR regime will bring.