Companies may be unnecessarily decimating their database of customers, a leading expert in GDPR has warned.

We are all getting them: emails requesting consent to continue sending us emails. It feels like a contradiction. If you don’t have permission to email someone, that means you don’t have permission to email them asking for permission to email them, either. Marketers have to be more creative than that in securing consent.

If you do have permission, then you don’t need it twice.

Yet that is precisely what companies have been doing. In the process, they are subjecting us to lots of emails; few of us have either the time or the inclination to read them, so the sought-after permission is not granted.

According to Nicola McKilligan-Regan, Senior Partner at the Privacy Partnership, as well as the founder and CEO of Smart Privacy, some companies “have taken bad advice.”

Ms McKilligan-Regan, who is also the author of ‘A Pocket Guide to the Data Protection Act,’ told GDPR Report that they have “decimated their databases by seeking new unnecessary opt-ins.”

Under GDPR, there are several legal bases for processing personal data. Consent is often cited as the gold standard, the ideal legal basis, but under GDPR no one legal basis is better than any other.

Consent carries a number of strict conditions: it must be proactive, freely given and specific. You may have consent to process data for a specific task, but if that task changes slightly, the consent may not be sufficient.

Another legal basis, legitimate interest, may be more appropriate. Recital 47 of GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

But the legal basis can’t be a bit of both. It can’t be half consent, half legitimate interests. When companies email customers asking for ongoing permission to carry on emailing them, they do seem to be suggesting that legitimate interests are not sufficient in this case; otherwise, why ask for permission in this way? If they don’t get a response, which seems likely given the number of such emails being sent out, then they do seem out of options.

To find out more about what marketers should be doing to comply with both GDPR and PECR, attend the next GDPR Summit London which aims to provide actionable, practical advice for organisations to continue their drive to achieve ongoing GDPR compliance and gain a strategic advantage over competitors.

By Michael Baxter, Editor, Fresh Business Thinking
