The last piece of the GDPR jigsaw – the Information Commissioner’s Office’s guidance on consent – has finally been put in place, with a warning that companies embarking on a barrage of repermissioning emails could be wasting their time.
In a blog post unveiling the advice, deputy commissioner Dave Wood strikes a note of caution.
He said: “From marketing agencies, to clubs and associations, to local authorities, consent has been a hotly debated topic. Some of the myths we’ve heard are, ‘GDPR means I won’t be able to send my newsletter out anymore’ or ‘GDPR says I’ll need to get fresh consent for everything I do’. I can say categorically that these are wrong, but if misinformation is still being packaged as the truth, I need to bust the myth that you not need to automatically refresh all existing consents in preparation for the new law.”
While conceding that “GDPR sets the bar high for consent”, and stressing the importance of checking “processes and records to be sure existing consents meet the GDPR standard”, he added: “Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
Reiterating Commissioner Elizabeth Denham’s assertion that consent is not the silver bullet for GDPR compliance, Wood added: “Consent is one way to comply with the GDPR, but it’s not the only way.”
“Scaremongering about consent still persists but the headlines often lack context or understanding about all the different lawful bases organisations could use for processing personal information under the GDPR,” Wood concluded.