November marks six months since GDPR came into force. Our Digital Account Director, Paul Edge, gives us a quick refresher on best practice to help keep on top of it.
First off, a bit of housekeeping: this is not legal advice; this is practical advice from my experience at Pegasus helping clients transition from the 1998 Data Protection Act to GDPR. Most of the guidance on data capture in this article is actually freely available from the ICO website, which should be your go-to website for GDPR compliance.
Here, I’ve set out how to ask for, record and manage consent for data capture under GDPR. Hopefully you’re doing most of this already and this serves as a helpful reminder.
1) Tips on asking for consent
- Only ask for the information you need
- Don’t ‘trick’ people into subscribing with confusing wording, hidden boxes or small fonts
- Tell people the frequency and nature of the content
- Be explicit about marketing permissions
- No pre-ticked boxes
You might be keen to collect as much data as possible, but under GDPR you can only ask for data you reasonably need.
2) Tips on recording consent
- Keep a record of when and how you got consent from the individual
- Keep a record of exactly what people were told at the time of data entry
It’s a bit of extra work, but I recommend taking a screenshot of every website form you create and filing that away by campaign. If you create regular campaign forms for things like competitions, this will be invaluable if you ever get audited for a GDPR complaint about a particular email you’ve sent. It will allow you to prove what you asked at the point of data capture.
3) Tips on managing consent
- Regularly review consents
- Consider using preference centre tools
- Make it easy for individuals to withdraw their consent
- Don’t penalise individuals who wish to withdraw consent
A good question here is ‘how long does consent last?’ According to the ICO, how long consent lasts depends on the scope of the original consent and the individual’s expectations. For example, I manage the email marketing for a children’s shampoo brand that’s only relevant for children up to a certain age. To help maintain an engaged and healthy list, I recently emailed the database to ask if the content is still relevant and gave people the chance to unsubscribe.
It’s good practice to go back to your database each year and ask people if they still want to keep hearing from you. You will lose people in the process but it’s more important to have a list of engaged ‘fans’ rather than a large list of non-openers. Engagement vs list size is important because email clients like Gmail and Outlook monitor open rates and click rates; if your emails perform, they won’t block or filter out your marketing emails.
And finally, if you are looking for advice on improving GDPR compliance for your digital marketing, then just drop me an email at firstname.lastname@example.org.