12 months on – consent, client lists and GDPR

Having recently wished ‘Happy Birthday’ to the delightful piece of legislation that we know and love as GDPR, its worth having a think about what’s changed and what’s still ‘work in progress’. What about consent, client lists and GDPR. 12 months on.

You may have joined the throngs of organisations in that tsunami of email that went out to all contacts and clients on databases asking for consent to remain on your mailing list. Did you end up with a decimated client contact list? Have you started again? With the tick box righteously checked to ensure you have a basis for processing. Consent, client lists and GDPR were the buzz words of summer 2018.

Did you know that’s not the only basis for using (processing) that client information?

If the folk on your client database pre GDPR gave consent under the old rules – which did not require  ‘opt in’ or active consent to receive your materials – you can still rely on this consent as a basis for processing.

The ICO themselves say…

You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.

It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.

Think about how you created the client list in the first place. Did you work for them? Did they sign up to receive material from you – albeit maybe without a tick box.  If people ‘signed up’ to receive newsletters or updates from you pre May 2018, and did so in compliance with the pre GDPR legislation requirements,  you may still have a legitimate reason to keep them on your data base and process their data, post GDPR implementation,

SO LONG AS you always give them the unsubscribe option when communicating with them

AND you make that as simple (one click) as possible

AND you action the ‘unsubscribe’ promptly.

Take a look at this great blog from the ICO to help you

I’m sure you have had the experience of the email that you click to unsubscribe, but that just keep coming ‘right back atcha’ – that’s ICO territory for complaint if ever there was any! – so make sure you have a good admin process if you do decide to use such data. Evidence your thinking and justify your action.

What else to report?

Well in 12 months, the ICO haven’t issued a single fine under GDPR in the UK yet….. but they have logged a fourfold increase in data breaches, and twice as many consumer complaints were made to the ICO in the last 12 months.

Your customers are live to the issues…BE CAREFUL!

But that was the ICO’s stated objective for the first year or so after implementation, saying they were only interested in compliance – especially for small businesses.

So, by now you should have a GDPR complaint website with a proper Privacy Policy and a compliant ‘Contact us’ page – if not where have you been? In a hole for 12 months? Go check THIS helpful tool out…..

You should also have reviewed and amended your client T and C’s to reference your Privacy Policy and remind clients what you are doing with their personal data.

Have you taken the online test to see if you need to register with ICO and pay a fee? Get that done asap…..here.

There are also new tools and tips on the ICO page regularly so do check them out too and keep an eye on our blog for regular updates.