Industry news

02 February 2018 Andy

Consent & legitimate interest: what's the difference in the GDPR?

Senior Internet recently published a feature article on the GDPR, the new set of regulations giving consumers more control over how their data is used online, and how it affects membership organisations like your own. We are now following it up with some more specific questions, starting with “What is consent and legitimate interest in relation to GDPR?”

The following is advice aimed at membership organisations but also holds true for most sectors. If you haven’t read our original article or haven’t heard about GDPR then I would suggest starting there.

Consent – obtaining and withdrawing

The ICO’s official stance on consent:

Consent must be freely given, specific, informed and unambiguous.

ICO

Specific advice for consent is as follows:

  • Opt-ins: They should be clear as to what the user is opting-in to, and must be a positive opt-in. Consent cannot be assumed by someone not saying they opt-out of marketing. Avoid automatically checking any boxes on the user’s behalf – they must check any consent boxes themselves. Consent should be given to something specific, like email marketing about events, and not simply consent for any future marketing. So if someone agrees to receive email marketing about your conference, it does not mean you have consent to email them about your latest products.
  • Specific opt-in: Consent must be given separately from any other user action. You cannot group together something like terms agreement and consent into one check box. Consent cannot be obtained by assumptions based on user actions. Avoid ambiguous opt-in text aiming to trick the user into giving consent.
  • Historic consent: If your current data does not have consent attributed to it, or it has consent but not according to GDPR guidelines, then this should be updated by requesting consent again. Consent is not unlimited and therefore should be revisited for each area of marketing every 6 months or so.
  • Opt-out and ending consent: The user has a right to withdraw consent at any point effectively immediately. It should be made clear how to do this and also the process should be simple. Don’t put barriers in the way to withdraw consent. Consent also has a timeframe attached to it and a common sense approach is needed. For example, if someone has given consent to sign up for emails about an event, once the event is over then consent can be assumed to have withdrawn.

For further specifics on consent, consult the ICO’s consent guide, which has clear guidelines on what you should and shouldn’t do to adhere be GDPR compliant.

Legitimate interest

Legitimate interest is another crucial part of the GDPR which defines how and what you can market to people, businesses and organisations. There are different regulations depending on whether you wish to market towards individuals or businesses:

  • B2B: If your product or service is of relevance to the recipient professionally then you can market to them without opt-in consent for particular channels, like email and text. An opt-out option must be used though, of course. This applies only when marketing to corporates; limited companies, LLPs, partnerships in Scotland and government departments.
  • B2C: Opt-in consent is required with all the consent rules above applying. Once marketers have received a subject’s consent to process their data, they may use other personal data such as the subject’s purchase history or location to tailor their marketing as long as they can prove it’s of legitimate interest to the subject. This applies when marketing to sole traders or partnerships.

Thoughts for membership organisations

 When marketing to your members (and potential members), consider the following:

  • Cleaning up your data: Do you need everything you have on record? If there is a lot of data you don’t need then consider cleansing it.
  • Historic consent: Do you have consent (according to GDPR regulations) for your current activities? If not, go about starting to obtain consent as soon as possible or risk losing marketing effectiveness. Membership organisations like your own are in a good place as often users want to receive information as part of the reason they joined.
  • Approaches: Do you just have B2B or B2C? Your organisation might have (potential) members that fall in different camps. You will then need to think about having two approaches to your marketing given the legitimate interest differences between B2B and B2C.
  • Systems and processes: Do you have systems (for example your website and CRM) in place to actually manage the GDPR regulations? Is it currently easy for you to log consent, legitimate interest and which channels members are consenting to receive marketing from? If not then chat to Senior Internet and we can help.

Further information

The notions of consent and legitimate interest will be the backbone of future B2B and B2C marketing, so staying in the know is vital for membership organisations. We’re looking to produce a series of informative articles in the coming weeks about the GDPR and how it will affect membership organisations, so keep an eye out on our news section, LinkedIn, Facebook and Twitter. Also consider checking out the ICO’s steps for preparing for the GDPR.

And of course if you wish to chat about redeveloping your organisation’s website to make membership tasks much more GDPR friendly and less hassle for your membership team, then simply get in touch.

Want to receive monthly articles and updates containing advice and inspiration for the membership, nonprofit and charity community? Why not subscribe to Senior's mailing list?