Small businesses fretting about GDPR are wasting time and resources seeking consent from customers, potentially decimating their databases needlessly, say experts.
Christian Mancier, a partner in the Corporate and Commercial Law department of Gorvins solicitors who also acts as a trainer in GDPR and data compliance, says the issue of consent is something of a misnomer.
“I’m meeting so many people who are terribly worried about GDPR and the impact it will have on their business and this is being compounded by the countless e-mails they are receiving from other organisations asking them to opt-in and re-consent.
“As a result they are potentially panicking and devoting time and money to sending out countless emails to those in their database asking for consent to continue communication and receipt of material.”
“However, consent is one of the six legal grounds under which you can legitimately process data under GDPR. The others are contractual necessity, where there is a legal obligation, in the vital interests of the data subject, public interest and legitimate interests.”
“For many small businesses, especially those dealing business to business where the amount of “personal data” held is relatively small, legitimate interests is possibly a far safer ground to rely on for processing data.
“If you are relying on a ground other than consent then this negates the need to risk decimating your database by asking customers to opt-in, where response rates have been quoted at well under 50%.”
“If you are relying on consent and you look carefully at the legislation, it says that it isn’t necessary ‘for the data subject to give his or her consent again’ if you collected consent for data processing pre-GDPR.”
However, he adds, you just have to make sure that consent was obtained in a way which was clear and unambiguous. For example, it must have been obtained via a positive action (i.e. no pre-ticked boxes or “unless you tick here we will…” type scenarios) and in a way which makes it clear what the individual is consenting to.
The rules around e-marketing are set out in a different piece of legislation known as the Privacy and Electronic Communications Regulations (PECR).
This contains a really useful provision where businesses can send e-mail and other electronic marketing to their existing customers, and those people who have enquired about their goods and services, without having to have consent, provided the individual is given the ability to opt-out from such communications each time a communication is sent.
Mancier says: “For most small businesses these categories of recipient will make up a vast majority of their database and I hope those small businesses jumping on the bandwagon of asking for consent once more in light of GDPR don’t decimate their database and cause themselves some permanent harm for the future.”
GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon.
Polls targeting smaller businesses and start-ups in the UK revealed a misunderstanding about how to prepare for the new legislation, with 86% of organisations worldwide concerned that a failure to adhere to the new legislation could have major negative effects on their business. One in five fear that non-compliance could be enough to put them out of business altogether.
Mancier says: “We are constantly told that small businesses are the bedrock of the economic recovery. But many of them are unduly anxious about the ramifications of GDPR and some businesses out there are reportedly receiving some shockingly bad advice.
“So they are devoting time, money and resources they can scantly afford to making sure they are complying with the regulations, and in many cases end up going far beyond what GDPR requires to their detriment.”
“But the truth is that a great deal of marketing being sent out is already lawful and there is often no need to obtain fresh consent. The starting point is to establish what ground you process personal data under (contractual necessity or legitimate interests instead of consent perhaps), what you do from a marketing perspective and whether the exemption in PECR applies such that you may be able to carry on doing exactly what you have been doing both legally under GDPR and PECR and without decimating possibly one of the most vital assets of your business – your database.”