5 Myth-Busting Facts about the GDPR
It's now less than a week until the GDPR goes live, and our inboxes are overflowing with emails asking us to confirm we still want to get that newsletter we can't even remember. A smell of panic is in the air as businesses battle the deadline and unscrupulous consultancy firms use threatening language to get one-person businesses to pay money they've yet to earn.
The new data protection legislation has many myths. Whether you're a startup founder or an experienced marketer, these myths can be so widespread that it's difficult to figure out what is fact.
We've used some of the questions we've had from clients to do some digging into the most pervasive myths surrounding the GDPR, and we'd like to present our findings.
While the GDPR legislation is a relatively easy-to-read, 88-page PDF, we prefer quoting plain English guidance from the UK's data protection authority, the ICO.
Please bear in mind that we're not lawyers, so this is not legal advice; instead, it's intended as documentation of our own research and communications guidance for the practical side of things.
Myth #1: If there's no tick box, it's not GDPR-compliant consent
Tick boxes are just one way to collect consent.
Article 4(11) of the GDPR defines valid consent as
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (our emphasis).
"Whatever method you use must meet the standard of an unambiguous indication by clear affirmative action. This means you must ask people to actively opt in. Examples of active opt-in mechanisms include:
- signing a consent statement on a paper form;
- ticking an opt-in box on paper or electronically;
- clicking an opt-in button or link online;
- selecting from equally prominent yes/no options;
- choosing technical settings or preference dashboard settings;
- responding to an email requesting consent;
- answering yes to a clear oral consent request;
- volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box."
In other words, an email simply entitled "yes" to refresh consent to receiving a newsletter can be sufficient. People don't necessarily have to go to a form, tick a box and put their details in again. And a newsletter sign-up form can have a simple button saying "sign me up" instead of a tick box.
Two typical use cases for tick boxes are:
- You want to use the personal data for more than one purpose — such as separate newsletters on different lists, newsletter plus matched Facebook audiences or email newsletter plus text messages.
- You're processing sensitive data and need to obtain what's called 'explicit consent'. If your email marketing runs on names and email addresses alone, those do not constitute sensitive data.
Myth #2: I should be getting emails from EVERYONE asking me to confirm I still want their newsletter
"Some people are sending me mails saying I don't have to do anything, even though I signed up to get their freebie."
The GDPR demands that if you can't track the opt-in of every single subscriber, and their consent isn't up to GDPR standards, you have to get fresh consent from them.
Some companies won't need to ask you for fresh consent as your existing consent was already in line with the GDPR requirements. The ICO have published a useful checklist for getting, recording and managing consent.
Other companies may have decided to send their marketing emails on the lawful basis of legitimate processing instead (more on that below). Those won't ask you for consent either.
Myth #3: There's only one legit way to record consent
"I've had people just send a mail that says, 'If you want to continue receiving my newsletter, answer this email, so I clicked on reply and there was a subject line that read 'I want to receive your newsletter'. I hardly think that this is legit. And then with others, I just have to click a button and then get sent to a 'thank you, you're still IN' type of website page."
Asking people to reply to an email can be legit: it's time-stamped and shows how they consented. It's important that the email people are replying to has all the information necessary to make sure their decision is an informed one. We still wouldn't recommend this method simply because it's quite unwieldy for large lists of subscribers.
In the words of the ICO: "keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented." There are no detailed rules about the format of those records.
Because even after 25 May 2018, you won't need explicit consent for everything you do.
Whenever we process personal data, we must be able to explain on what lawful basis we're allowed to do so. There are 6 legal grounds for processing:
- Legal obligation
- Vital interests
- Public tasks
- Legitimate interests
Processing someone's data to reply to their message is essential for your business (= a legitimate interest). You can't reply to them without that processing. And it probably poses a very low risk to the rights and freedoms of that person.
Relying on legitimate interests requires extra diligence on your part. Check out the ICO guidance and checklists here.
Myth #5: I'm not allowed to offer a freebie for signing up to my newsletter any more
"One lawyer said we could encourage people to sign up to our newsletter on a freebie landing page. Another lawyer says there is NO advertising whatsoever allowed during the opt-in process. If we're not allowed to do that, there's no need to have them sign up for a freebie."
You're allowed to incentivise the newsletter. Just make sure people are aware they're signing up for the newsletter and that your communication is crystal clear.
"The ICO’s view is that it may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal. However, you must be careful not to cross the line and unfairly penalise those who refuse consent."
Whatever you do, don't panic
This post should clear up some of the 'last-minute' myths surrounding the GDPR.
For more in-depth info, check out Suzanne Dibble's Facebook Group about the GDPR. You can also watch her GDPR Mythbuster video and buy a pack of 20 GDPR-compliant legal templates, documents and checklists from her for £197.
(We're affiliates of Suzanne's because her work is so amazing, so we do earn a small commission if you decide to buy through that link.)
Are there any myths we missed? Let us know in the comments.