GDPR and Sole Traders – No 3

It’s all about Consent!

This blog post is the third in a series of posts on the lovely subject of GDPR. If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own. I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance. I hope you will find the posts helpful. Feel free to add comments or tips below.

This third post is all about Consent, a hot topic at the moment!

Consent and GDPR? What’s that all about?

The wording goes, more or less like this:

Consent must be freely given, specific, informed and unambiguous.

Eh, OK, so what does that mean?

As mentioned in Blog post No 1, the regulation has been put in place to protect an individual’s personal data.

With so much of our time spent online, we have become used to giving away our personal data without a second thought.

How many times have we signed up for an online subscription and clicked submit without reading the terms and conditions or data privacy policy?  Millions of times!

How often have you seen pre-ticked boxes pre-determining that you give consent to receiving marketing emails or news updates, just as you click submit?  Loads of times!

As sole traders, we will now have a responsibility to ensure that any collection notices (requests for personal data) clearly state how the requested data will be used so that the person is informed.

Let’s use an example to explain this in more detail. 

When you visited this website to read this post you should have received a pop-up box (or you will!) suggesting that you subscribe to my blog so that you can receive upcoming posts directly in your inbox. I have used text on the collection notice that I feel clearly states its purpose; see the details below:

By subscribing here, you agree to receive Gillian B’s blog posts. (Specific)

After the personal data text fields, there is a subscribe button stating

Yes, I want to subscribe (Consent is freely given)

And under the submit button is the following text

By subscribing here, you agree to receive Gillian B’s blog posts by email. We take your privacy seriously.  These personal details will be used exclusively to send you upcoming blog posts by email.  You can unsubscribe at any time.  Your personal data will be deleted within six months of unsubscribing. (Specific, informed, unambiguous)

So what I have done is let the person know what they are subscribing to. I have ensured they click on a subscribe button that clearly shows their consent to subscribe. I have then reiterated what they are subscribing to, in this case my blog posts, and I have informed them that they can unsubscribe at any time, after which the data will eventually be deleted. They will also be given a double opt-in by MailChimp (the 3rd-party Data Processor) when confirming their subscription. I can also provide more detailed information on subscriptions in my Data Privacy Policy, but more on that in the next blog post.

Thinking back to Blog Post No 2, your data audit sheet can be updated when a subscriber completes this type of collection notice. You will have the data type, the date consent was received, where it originated from, etc. In other words, you have proof of consent.

When and where do I need to ask for Consent?

You need to ask for consent for every piece of marketing/promotion material that you send to a customer both offline and online.  This is important.  Just because a person has consented to receive my blog posts, I can’t add their details to a separate newsletter mailing or marketing email because they are different marketing activities.  If I only have their consent to include them in my blog mailing list then that’s all I can send.

Similarly, if a person is an actual client/customer who buys my products or services, that doesn’t give me the right to use their data to send them marketing communications. I must get consent first. If I want to send the client/customer a newsletter, I can use the email data to ASK them if they would like to subscribe to a newsletter. That way, I am giving them the opportunity to consent to subscribe to the newsletter. You could also add a collection notice at the point of sale giving them the choice to opt in to the newsletter (online sales). Many businesses do this, but the opt-in can no longer be a pre-ticked box!

This brings me to another point.  Many of you will already have mailing lists that individuals signed up for at one point or another.

It is now your responsibility as a sole trader (perhaps after your data audit) to contact those individuals to get a fresh opt-in to your subscriptions.  If a person is signed up to several of your subscriptions then you need a renewed opt-in for each one.  It is good practice anyway to renew subscription lists every two years.

Next steps to becoming compliant

In my next post, we will look at updating forms, collection notices and other materials that include collection notices. It’s just a bit of a checklist. Coming soon! Promise! 🙂
