Skip to content

GDPR is changing the concept of consent

GDPR is changing the concept of consent
Katie Porter

Katie Porter

How this affects you and the way you gather your data.

Sea change in ‘consent’

When GDPR automatically comes into force in May 2018, there are a lot of new compliances that companies will need to consider. One of the major factors of GDPR is how consent is given by a customer for a company to process and use that personal data.

What is personal data?

Personal data is anything that can be traced back and attached to a single person. These things include;

  • Personal email addresses
  • NI number
  • Address
  • Phone Number
  • IP address

A lot of current marketing databases are made up of data that is attached to implied consent. Under the new GDPR act, each person has to have give explicit instruction of whether they give their consent for their personal data to be used.

How is consent changing?

Customers now must have the option to tick a box if they wish to give their consent, forcing them to take a step back and really think and be sure if they want their data to be used in the future. Every person will therefore have the ability to know what they gave consent to, along with how and when they allowed it. This means the elimination of pre-ticked boxes!

When companies are creating the content for the consent tick boxes, the wording must be written in a clear format which clearly indicates the purpose that the data is being gathered for, allowing the individual to fully understand what they are giving their explicit consent for.

What if my company purchases its data?

You may be wondering if this is safe to do anymore when GDPR is rolled out? If you are a company that purchases large amounts of data for marketing purposes, it may be very difficult to trace if, how, and when consent was given by each individual. We would recommend not using bought data for marketing activities under the GDPR ruling, and to use organic data where you can be sure that explicit consent has been given.

Using personal data without given consent to do so will result in breaching GDPR, and could result in companies being fined, ranging up to 20 million euros or 4% of global turnover, whichever is the greater. No-one wants to be on the receiving end of that, so you need to be careful what data you use and be mindful of where it has come from.

How do I go about gaining consent over the phone?

Gaining consent for the use of personal data via a phone call will also require some process changes. Telephone operators will need to create scripted content to ensure they obtained the explicit consent of the customer over the phone, as there will be no physical tickbox to click!

The content of the scripted phone call may change from “your call may be recorded for training and monitoring purposes”, to “please note that this phone call will be recorded for our records”, ensuring that the organisation has proof that verbal consent such as, “yes, I give my consent for my data to be used” is given.

The most important thing to remember is that all consent must be auditable!

What does it mean for marketers?

It is reported that 70% of marketers are worried about the changes that GDPR is bringing. Marketing activities such as email marketing campaigns, direct mail and social media marketing will fundamentally change as a result of GDPR.

Although the rollout of GDPR is still 8 months away, there are a number of things that marketers can start doing now;

  • From now on, only obtain data where you have explicit consent from the individual. Start as you mean to go on!
  • Begin to cleanse your current data. It may seem like a big job but once you start it the process will appear easier.
  • Be more creative with the messages you are putting out to the world, make it so your customers want to engage with you.
  • Use GDPR as an opportunity to build upon the trust between customers and your brand. Through being transparent in your marketing messages, people are more likely to want to hear more from your company and give their explicit consent in the future.

Social Media and GDPR

All of the current data protection regulations were written before the postmodern marketing theme of social media was established. The individual social platform will embed their own ways of adopting the new GDPR process into their channel to avoid breaching any part of the regulation.

On LinkedIn for example, direct messaging one of your connections would not breach the GDPR clauses, as long as you don't do anything further with that information. Each third party platform will be responsible and have their own processes in place to protect themselves from any penalties. It is each person's own responsibility as to who they allow to connect with on social networks such as Linkedin, which is why the use of direct messaging on that platform is allowed. However, if a company was to take the personal data such as the email address, or phone number of that person and add it to their marketing database without receiving explicit consent to do so, then they are failing to comply with the rules of GDPR.

How social media will fully be affected is still yet to be confirmed and we suspect that the ICO will later release more information about how GDPR and social media will coincide.

What can you start doing?

There are many things that you can start doing now in preparation of the automatic rollout of GDPR:

  • Speak to every department in your business.
  • Start thinking about getting a process in place.
  • Consider recruiting a data protection officer.


Follow us on social media and keep a close eye on our blog for the next installment in our series of articles on GDPR and how it might affect your business and its data gathering.

If you would like more specific advice around how GDPR will affect your unique business, please get in touch.