Clarifying the meaning of the GDPR
The General Data Protection Regulation (GDPR) is a new EU-imposed legal framework that will come into effect on 25 May 2018. This regulation will cover all companies that process EU citizens' data.
Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The GDPR will have implications for all business lines. The regulation seeks to increase companies' transparency about their use of personal data and to improve the effects of data protection. The first of these concerns how businesses explain and justify the processing of email addresses gathered via email marketing campaigns.
What will change
The GDPR will put an end to buying emails in bulk and sending mass-audience emails to firms’ inboxes. This new regulation will mean prioritizing data security over increasing marketing results.
According to the Information Commissioner’s Office, the UK’s regulatory authority for the GDPR, consent…
“should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
So the usual unsubscribe or stop-notification options will no longer be enough. From May 25th, companies wishing to send a marketing message or interaction will have to be aware of:
• How the public profile of the company is exposed, meaning an increased concern about contact details
• The user should have the option to choose what will happen to their acquired data
• Data storage and access
• The purpose of collecting data and the period of the storage
• The data subject’s rights
Companies will have to express the new terms for using private data clearly and in an easily comprehensible way, possibly in a separate document rather than within the terms and conditions paragraphs.
How the regulation will apply to the already acquired personal data
Gaining consent will not be allowed after May 25th, so companies that intend to maintain the marketing dialogue will have to ask for their partners’ consent before the regulation applies. It is effectively a renewal of the existing approval to use the data. The consent should be explicitly conveyed by the user, in a written and signed document.
Other ways of getting data consent
• Through a partnership contract which automatically implies data processing
• A legal obligation
• Protection of the individual's interests
• The need to protect public interest unless it undermines the individual rights or freedom
The WP29 consent guidelines emphasize that explicit consent could be obtained through methods such as electronic forms, checklist options, emails or the upload of scanned documents.