Wednesday 21 February 2018
As May draws ever closer, we still don’t have a final version of the ICO’s ruling – which, coincidently, we won’t be getting until at least April – GDPR is generating even more noise. But, Simon opened his session talking about something else: PECR (The Privacy and Electronic Communications Regulations). Conversations about GDPR and PECR should be concurrent. Decisions taken to make ourselves compliant with GDPR should also consider the impact PECR will have when it comes into force, which is predicated to be in 2019.
Let’s start with the good news: The already-available WP29 guidance on both consent and transparency are important documents in preparing for GDPR, and there should be very little variance between the guidance on Article 29 and the ICO rules. That’s the good news.
When do you need consent?
There is no significant rule as to ‘when’ you need consent under GDPR, as long as you can prove when consent was obtained. The impact is on the type of consent you receive.
Current opt outs:
However, “corporate subscribers” are very difficult to identify in CRM systems, which can be muddled with Alumni, personal emails and sole practitioners, none of which fall under the definition of “corporate subscriber.”
Under legitimate interest:
There is no legitimate interest ground that applies under PECR, meaning marketing activities may require active consent under PECR.
Soft opt in:
But what about PECR? PECR will be more impactful for marketers because soft opt-in or active consent will probably be required. Plus:
Why get active consent for B2B?
Getting active consent for B2B marketing now removes the reliance on “corporate subscriber” exemption. It also means that your data will be compliant under PECR, should soft opt-in consent be removed, and you need active consent. And, it demonstrates a willingness to become compliant to a regulator which is discouraging non-permission-based marketing.
What is an active consent?
Currently, active consent can take many forms, but under GDPR active consent will need an un-pre-ticked opt in box, or some form of alternative unambiguous indication of consent (e.g. typing their email into a box). Consent cannot be compelled, but you can incentivise the user to give it. Equally, consent cannot be captured through combined purpose forms (e.g. when buying something, a customer ticks the T&Cs and which also gives consent for marketing).
What do I do with legacy data?
There will be no “grandfathering” under GDPR, so any data with implied consent will need repermissioning to gain active consent, especially if B2B exemptions are removed under PECR. Consent must be decoupled from acceptance of other terms (e.g. signing up to an event and agreeing to marketing cannot be combined), and you must give a choice of options in terms of channel, content and frequency.
What is Grant Thornton doing?
Grant Thornton has introduced preferencing forms, which all capture a time stamp and searchable field for date and source of submission. This has helped it migrate to channel-based marketing, targeting readers with what they want for a better experience. It has also stopped emailing contacts who don’t read its mailers, thus targeting smaller, more engaged audiences. Cold contacts are classed as ‘passive unsubscribes’ and CRM contacts are archived when there is no ‘live’ relationship or recent update.
The organisation has also gone through a process of auditing its legacy data, to work out which data is compliant, and which isn’t, and re-confirming marketing consent with those whose data is not compliant. There is a three-staged approach to doing this: A footer on all marketing with a one-click confirmation; followed by push emails to both readers and event attendees at regular intervals between now and May. Grant Thornton is also preparing a core manual – coupled with procedures and training – to help ensure internal compliance, as well as an Amnesty, identifying and helping current non-compliant behaviour.
Other things to note:
By Genna Stainforth, Senior Account Executive at Acritas