Communicating Your Actions: The Essentials (GDPR Article #3)

We have previously covered the lawful grounds for processing data and what’s behind GDPR, but it’s also important to let your customers know how you plan to go about these changes, as well as to gain any needed consent that is lacking or was previously gained in an opt-out manner (a pre-ticked box, for example).

Note: This is an article in a three-part series. Be sure to read the first and second parts as well.

Looking at GDPR’s language:

“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that any consent gained by inaction or via pre-ticked, pre-registered, or pre-signed means is no longer valid, so new consent needs to be gained. This can be a bit tricky to do, though, and might drive down conversion rates, which is why communicating in a clear and informative manner is key.

As most of us need to make changes to our Privacy Policies and Terms and Conditions, clients need to be notified of these changes before the 25th, or before they come into effect in your company (hopefully before the end of the month).

A good way to receive new consent for marketing purposes without sending unsolicited emails is to explain the new system briefly in the same email and give people a simple option to opt in to your marketing communications, such as a box they can click on or a link that will take them to a registration page. Since this explicitly given consent needs to be verifiable, be certain that your email software logs opt-ins and that subscribers can simply unsubscribe.

Another way to gain consent is to use an in-app, dashboard, or website pop-up after a user logs in, which gives the user the same clearly stated option to opt in to your marketing communication. Just don’t go overboard with the notifications, as they can become intrusive.

For new users, a tick-box is still fine, but it can’t be pre-ticked, nor can ticking it be mandatory to use the service (for marketing). The information on what consent means needs to be specific and clearly worded to cover the specific and informed aspects of the definition.

And last, but not least, get your documentation in order if you haven’t yet. The Privacy Policy and Terms and Conditions need to be up to date and contain all the information on data processing required by GDPR, as well as by any other data protection law associated with your service. Pay special attention to the lawful basis for data handling, storage, security, and data retention times.

Uku Tomikas
2018-05-22 00:00:00 UTC