Legal Hub - GDPR Practitioner Advice 3
17 May 2018
The DMA Email Council's Legal Hub has created a series of GDPR questions and answers to assist practitioners to understand the GDPR regulation and directly tackle some of the most burning questions in the industry.
Q: How long does consent last for? Do you have a recommended timeframe before re-qualifying, both legally and commercially?
Written by Nick Crawford, member of the Email Council and director at Twist Consultancy
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
Consent is likely to degrade over time, but how long it lasts will depend on the context. You will need to consider the scope of the original consent and the individual’s expectations.
As with all GDPR considerations, first be clear whether you are defining the consent to process data under GDPR or the consent to direct market under PECR. These two considerations should be unbundled and treated separately.
Marketing consent is simpler to define. You have this until the recipient requests that you opt them out. Make sure that it is easy and simple to provide you with this request and that it’s actioned and retained in your marketing permission database.
For data processing under GDPR, there is a requirement for you to define both the legal basis on which you are processing data (of which consent is one of six options) and to be able to state from the start how long you will retain and use data for.
If you are not using consent as your legal basis, then it’s this data retention period that defines your timeframe. Within marketing, it is common that legitimate business interest will be your legal basis. However, over time this may become decreasingly appropriate as your basis and so consent may then need to become your basis.
Legitimate interest should be established using a balancing test, but at its core the consideration is: “has your business a good reason to process someone’s personal data without their consent, ensuring there is no unwarranted impact on them, and that your purpose is fair, transparent and accountable?”
If consent is your processing basis, then within the GDPR framework no specific time limit is set. Consent relevance is likely to wane over time, but how long it lasts will depend on the context. So, consider the scope of the original consent and the individual’s expectations.
If we look at the purpose of gaining consent, it should put individuals in control, build trust and so enhance your reputation.
- What is the current relationship (prospect, customer, ex-customer)?
- How is that individual engaging with you (marketing engagement, web visits, purchasing)?
- When was the last time that individual engaged with you?
- What is the typical timeframe from prospect to purchase, to next purchase (as a measure of when an individual is not engaging with you)?
- Is it reasonable and fair, in a defined time frame, to still be processing an individual’s data based on their last interaction and engagement with you?
Once you have defined the time frame over which you will continue to process data, document this decision and the basis on which it has been made. A clear audit of your process consideration can be an essential element of any response to the ICO should a complaint be made. Ensure there is a regular review of this approach.