GDPR: Consenting to the Use of Personal Data
The ICO has reported that Royal Mail have been fined £12,000 after sending more than 300,000 nuisance emails. In July of 2017 Royal Mail sent 327,014 emails to people who had already opted out of receiving direct marketing.
These emails advertised a price drop for parcels. However, the company did not have the recipients’ consent to send them – therefore breaking the law.
The ICO launched an investigation after receiving a complaint from a member of the public, who had received a marketing email from Royal Mail despite having opted out.
ICO Head of Enforcement, Steve Eckersley, said:
“Royal Mail did not follow the law on direct marketing when it sent such a huge volume of emails, because the recipients had already clearly expressed they did not want to receive them.
“These rules are there for a reason – to protect people from the irritation and, on occasions, distress nuisance emails cause. I hope this sends the message that we will take action against companies who flout them.”
With this in mind, let’s consider the consent requirements under the GDPR. Companies should be mindful of how they gain consent from their customers. Consent is defined as ‘permission for something to happen or an agreement to do something’, and the GDPR sets a very high standard for it.
Asking for Consent
Consent must be the most appropriate lawful basis for processing. The request for consent must be separate from terms and conditions, and pre-ticked boxes are prohibited. Clear, plain language is mandatory to specify why the data is needed and what is being done with it. The organisation and any third parties intending to use the data must be named. Individuals should be informed that they can withdraw consent, and that they can refuse consent without detriment.
It should be easy for anyone to withdraw their consent at any time, and organisations should publicise how to do this. Withdrawals of consent must be acted on as soon as possible, and individuals withdrawing their consent must not be penalised. Regular reviews of consent must be conducted, and a process should be in place to refresh consent at appropriate intervals.
A record of when and how the consent was obtained is mandatory. A record should include who consented, when, how, and what they were told.
Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to large fines. We can help you combat this.
ilicomm has over 25 years of experience delivering cost-effective information security and regulatory compliance solutions. Contact us to discover how we can ensure your business’s security is at its maximum.