Under GDPR there are six lawful grounds on which to process data. One of these is consent/opt-in that gives sufficient consent to use your customer data for marketing. The ICO, however, sets a high standard for consent under the DPA clause: consent “must be freely given, specific, informed” but it also goes further to include being unambiguous with a clear affirmative action (no pre-ticked boxes), keeping a record of consent and avoiding making consent a condition of a contract. The ability to withdraw consent must be easy and not incur a penalty, and regular consent reviews should be implemented. 
Fresh consent from your customers could be costly and unnecessary to an already legitimate database. If you have consent that satisfies GDPR, be sure to continue to maintain it making any of the required changes such as consent reviews, possibly every six months. 
Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. 
It is crucial to remember - You cannot contact someone who has already opted out, regardless of your motive. You may think it’s being helpful to check if they want to opt back in, to update their details or inform them about your GDPR strategy – it’s definitely not - it’s breaching the law. 
Morrisons and Flybe have been penalised for this. 
Tagged as: GDPR
Share this post:

Leave a comment: 

Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings