DP2017: Consent under the GDPR with Rosemary Smith from Opt-4

One of the breakout sessions at Data Protection 2017 was hosted by Rosemary Smith, founder of Opt-4, a data protection consultancy. Her session focussed on consent under the GDPR and how to make it work for organisations.

She pointed out that there are six legal bases for data processing in the GDPR, consent is one of them, but they are all equally valid. So why choose consent as a legal basis? This is the question Rosemary sought to answer in her talk.

Firstly, she dealt with what will no longer will be a permitted form of consent. Pre-ticked boxes are not allowed, neither is any form of opt-out consent valid. The data subject must take an affirmative action for consent to be valid. This could be ticking a box or saying yes over the telephone.

Furthermore, consent cannot be conditional on receiving a service. For example, downloading a whitepaper cannot be conditional on agreeing to receive marketing communications. Opting-in to receive marketing should be separate from downloading the whitepaper and therefore a genuine choice for the data subject.

Language is also extremely important when crafting a consent statement. Rosemary said, “Think about your target audience and use language that is accessible to them”.

Remember too that when an organisation gains consent it must also remind people that they can revoke consent. Revoking consent should be as easy to do as it was to give consent. So if consent was given by tick box, then opting-out should be done via a similar method.

But, coming back to the positive, why choose consent as a legal ground? Consent is black and white, and therefore it is less business risk to rely on this legal ground for your marketing. Whereas, legitimate interest is a subjective legal ground and this can muddy the water. The organisation needs to justify its legitimate interest so it is not a water tight legal ground like consent.

In terms of building consent statements that work and are GDPR compliant. Rosemary felt there are four key sentiments that affect opt-in rates. They are: transparency, trust, control and security.

Rosemary said organisations should reassure people in their consent statement that privacy and data protection are a core brand values and possibly reference a document that explains the brand values in a consumer friendly way.

She referenced research conducted by Opt-4 exploring how customers feel about opt-in. Such as, “I would rather opt-in than opt-out. Opting out is a sneaky way of doing business.” These types of comments were increasingly common in testing run by Opt-4.

While using a more robust standard for consent and not using other opt-out methods may lead to a smaller data pool, it will mean a quality pool of data made up of engaged customers.

A case study she mentioned of an organisation getting it right was the BBC. The BBC’s statement clearly details why you are being asked for a specific piece of information, such as, date of birth or email address. Throughout the process the consumer is informed, while at the same time the tone of voice of the BBC comes through.

In summary, consent may be the right option depending upon the organisation in question and the target audience.