The GDPR clock is ticking - this is why you need to act now

If you are sending marketing e-mails to your customers and contacts, then you need their consent under the current rules, but many businesses will have sought that consent through pre-ticked boxes or as part of their terms and conditions – in other words on an opt out rather than an opt in basis.

In a year’s time on 25 May 2018, new more stringent rules come out under the General Data Protection Regulations, which are likely to make many existing consents invalid and your current marketing lists useless.

Under the new rules, the consent must be unambiguous and involve a clear affirmative action.

So when a customer agrees to your terms and conditions, they will need to actively tick a separate box or take some other action to show that they have consented. It is also important that it is clear what the consent is being given for.

For example if a customer drops a business card into a prize draw at a coffee shop, this would count as consent to being contacted for the purpose of the prize draw. It would not be sufficient consent for sending marketing e-mails or special offers to that customer.

When the new rules go live in May 2018, you will be able to rely on consents given previously, provided that those consents would have been compliant under the new rules and you have records to prove it.

I would therefore recommend that businesses look carefully at their processes now, so that all new consents given now are compliant with the new rules and proper records are being kept.

If you are consumer who is fed up with receiving spam e-mails because you failed to untick that hidden box, then the new rules will be welcome. The rules include other rights for data subjects such as the “right to be forgotten” and the right to transfer your data to a new service provider.

Businesses will also be required to make it as easy for customers to withdraw their consent as it was for them to give it. The penalties for companies which fail to comply with the GDPR can be up to the higher of four per cent of global turnover or €20m.

The new rules apply to data processing generally (including data held on employees) and include important new provisions in relation to privacy policies and data security. Data is being referred to as the “new oil”, but you could slip up if you don’t act now to ensure you continue to be compliant.

If you want to contact Jon Rathbone the author of this blog regarding GDPR or any other company and commercial law matter, you can contact him by email.