The introduction of the new EU General Data Protection Regulation as of May 2018 heralds a new era of data protection compliance, building on the requirements of the Data Protection Act in a way that will have a global impact. The new GDPR will affect any organisation holding personal data relating to an identifiable, living individual within the EU, and despite the triggering of Article 50 the UK will still need to comply, as the Information Commissioner's Office (ICO) has made clear. Failure to comply with the new GDPR can result in fines of up to €20m or 4% of an organisation's global annual turnover, which is far in excess of the current penalties. Therefore, it is vital that practices and protocols are swiftly introduced to show proactivity ahead of the change.
The way in which GDPR will affect businesses across different sectors and industries will of course vary depending on the types of data you own and how you use that data. With the change in regulation being a vast alteration for a lot of UK organisations, there are many things to start considering to ensure your business or charity is compliant for May 2018.
Our latest blog series draws on the knowledge and expertise of our market experts at Advanced to offer insight on some of the big topics which we know will be keeping our customers up at night as they begin their journey to compliance.
Potentially one of the biggest causes for concern when it comes to GDPR is the issue of consent and what that really means. Under the new Data Protection Regulations, businesses will need to ensure they have the consent of the individuals they wish to contact through different channels before the legislation takes effect (thereby preventing data protection breaches). This might not sound difficult initially; however, finding a way to engage with your customer base so that they opt in in the first place may become challenging. Unfortunately, this is not a simple 'tick box' exercise: businesses will need to give individuals far more options than before, making it harder for organisations not only to obtain consent from individuals, but also to track and record that consent.
What do we mean by consent?
There are multiple dimensions to how ‘consent’ is defined within the General Data Protection Act. In order to have permission to contact an individual, it is crucial that marketers and fundraisers ask themselves these important questions and plan an execution strategy:
Channel – How can I contact my customers and prospects? E.g. phone, post, email, SMS.
Address – Is the consent address specific? Consent for any of the above may be related to a single address be it postal, email, phone number etc. rather than all communication channels or devices.
Subject – What can I contact them about? The ICO has made it clear that a blanket opt-in to send any communication will not be acceptable, so it is important to be clear on which types of communication your contacts are opting into, e.g. general information, promotions, events, etc. The trick is to get the right number of options: too few and the ICO will take a dim view, too many and your customers will drop out before completing the form. The consensus among Advanced's larger charity clients is that between five and ten seems to be about right.
Duration – How long can I contact them for? Consent is never deemed to be indefinite in duration. It has to be re-validated at various intervals as appropriate or depending on context. There is no duration specified in the regulation, but two years seems to be considered a reasonable default interval.
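To show how the four dimensions above (channel, address, subject, duration) translate into a consent record that can actually be tracked and queried, here is an added example in Python. It is illustrative code written for this article, not part of Advanced's software or any ICO guidance; the two-year default validity is the interval the article suggests, not a figure from the regulation, and all names, addresses and dates are constructed sample data. The register denies contact by default: only an active consent matching the exact channel, address and subject permits a message, and expired or withdrawn consent is treated as absent.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Assumed default re-validation interval: the article's suggested two years,
# not a figure specified by the regulation itself.
DEFAULT_VALIDITY = timedelta(days=730)

# Fixed "today" for the constructed sample data so results are reproducible.
TODAY = date(2017, 8, 1)
LATER = date(2017, 9, 15)


@dataclass(frozen=True)
class Consent:
    channel: str                      # e.g. "email", "sms", "phone", "post"
    address: str                      # the specific address or number consented
    subject: str                      # e.g. "newsletter", "events", "promotions"
    granted_on: date                  # when the individual opted in
    valid_for: timedelta = DEFAULT_VALIDITY
    withdrawn_on: Optional[date] = None

    @property
    def expires_on(self) -> date:
        return self.granted_on + self.valid_for

    def is_active(self, today: date) -> bool:
        """Consent counts only if not withdrawn and not past its re-validation date."""
        if self.withdrawn_on is not None and self.withdrawn_on <= today:
            return False
        return today < self.expires_on


class ConsentRegister:
    """Deny-by-default store of per-channel, per-address, per-subject consent."""

    def __init__(self) -> None:
        self._records: List[Consent] = []

    def record(self, consent: Consent) -> None:
        self._records.append(consent)

    def withdraw(self, channel: str, address: str, subject: str, on: date) -> None:
        """Mark every matching open consent as withdrawn from the given date."""
        for i, c in enumerate(self._records):
            if (c.channel, c.address, c.subject) == (channel, address, subject) \
                    and c.withdrawn_on is None:
                self._records[i] = replace(c, withdrawn_on=on)

    def may_contact(self, channel: str, address: str, subject: str, today: date) -> bool:
        """True only if an active consent matches all three dimensions exactly."""
        return any(
            (c.channel, c.address, c.subject) == (channel, address, subject)
            and c.is_active(today)
            for c in self._records
        )

    def due_for_revalidation(self, today: date, window: timedelta) -> List[Consent]:
        """Active consents whose expiry falls within the window, for re-permissioning."""
        return [c for c in self._records
                if c.is_active(today) and c.expires_on <= today + window]


def sample_register() -> ConsentRegister:
    """Constructed sample data: three opt-ins for one supporter."""
    reg = ConsentRegister()
    reg.record(Consent("email", "alice@example.org", "newsletter", date(2017, 6, 1)))
    reg.record(Consent("post", "1 Sample Street, Anytown", "events", date(2016, 1, 15)))
    # SMS consent granted in early 2015 has passed the two-year default by TODAY.
    reg.record(Consent("sms", "+44 7700 900123", "promotions", date(2015, 1, 10)))
    return reg


if __name__ == "__main__":
    reg = sample_register()
    print("email newsletter:", reg.may_contact("email", "alice@example.org", "newsletter", TODAY))
    print("email promotions:", reg.may_contact("email", "alice@example.org", "promotions", TODAY))
    print("sms promotions:  ", reg.may_contact("sms", "+44 7700 900123", "promotions", TODAY))
    for c in reg.due_for_revalidation(TODAY, timedelta(days=365)):
        print("re-permission due:", c.channel, c.subject, "expires", c.expires_on)
```

The `due_for_revalidation` query is the piece most organisations forget: it gives the list of supporters to re-permission before consent lapses, rather than discovering after the fact that a send went out on expired consent.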
It’s mainly about marketing
Digital marketing is likely to be the area most affected by consent. For a lot of organisations, having a rich database has been an opportunity to send out communications for campaigns, events, promotions and much more; however, with the new rules over consent, marketing needs to become much more stringent and selective in order to remain within the law. How this affects different businesses will depend on how much direct marketing they do and actually rely on for income. For example, charities rely heavily on voluntary donations from supporters to ensure they hit their fundraising targets. At present, most of this income is a result of ongoing marketing to their database.
In recent years, automated marketing has become almost a necessity for a lot of big organisations with the rise of digital marketing tools such as Mailchimp and Marketo; however, the legislation specifically states, "a requirement to obtain prior consent from subscribers to use automatic calling systems without human intervention, fax or e-mail for purposes of direct marketing." In essence, this means that sending an email or making a phone call off the back of a marketing campaign is a breach of the law if the individual being contacted hasn't specifically opted into the use of rules-based marketing, in addition to consent having been obtained for that channel or subject of communication. This is where it could start to get complex for businesses using direct marketing if they don't prepare their database in the next 10 months.
The other aspect of marketing which will be difficult for organisations under GDPR is profiling individuals. One of the markets which might be hardest hit by this is the third sector, as many charities use publicly available data to profile potential high-value donors. Charities often run their databases through services such as 'WealthEngine' and 'Prospecting for Gold' to access additional data and kick-start major gift campaigns, but GDPR disallows profiling of any kind without consent from donors. Charities have already seen the consequences of this, with eleven charities receiving fines from the ICO of between £5,000 and £20,000 for doing this, and fines potentially growing for a second offence. Understanding and tracking consumer behaviour and how individuals engage with communication is often key to planning and executing a marketing strategy. However, using individuals' personal data without their consent will be prohibited, so how are businesses going to adapt to this change?
What are other businesses doing about it?
There is no simple answer on how to approach the issue of consent, as different organisations will need to do this differently depending on the current state of the data they hold and how important direct marketing is to their business. We have already seen some public examples of how big brands are approaching this: JD Wetherspoon has simply said it will no longer do any email marketing, as organising its database is a large and messy task and ensuring compliance is more trouble than it is worth.
Whilst this might work for a popular high street chain whose revenue largely depends on people walking past and stopping in (a more spontaneous source of income), it might not necessarily be the right approach for others who need to communicate with the public in order to raise awareness and encourage engagement. Again, alarm bells will be ringing for charities in particular, as they largely depend on direct marketing to ensure support from donors. With no direct marketing and no new donors, fundraising targets are bound to be significantly impacted. One public example of this comes from RNLI, who have decided to delete a large proportion of their database following a very public commitment to consent-based marketing and an appeal to their whole base to make the choice to opt in. Again, this might seem like a good idea, but is it necessarily a wise choice for small charities who don't have a large database and a reliable stream of fundraising income? The challenge now for the commercial, public and private sectors is how they can approach gaining and recording consent in a way that will work for them.
Fortunately, businesses are not alone in this endeavour, and resources such as the ICO's draft guidance on consent under GDPR are available.
“As providers of solutions for both commercial organisations and the third sector, we understand that consent is a huge concern for a lot of our customers in the run up to GDPR, with businesses looking to avoid the large fines which have already been implemented within the not-for-profit sector. Our knowledge and experience working with a wide range of customers means we are fully aware of how consent may affect our customers and are working with many already to provide tips and guidance on using our software solutions in their journey to becoming compliant.”