Within the GDPR there are six lawful bases on which data may be processed. For most enterprises the lawful basis to process an individual’s personal data initially will be ‘Contract’ – you require a client’s personal details to fulfil contractual obligations, or to provide a quote in order for the client to make a decision about whether to engage your services. But beyond this initial contract, how should you seek to maintain an ongoing relationship with a client? Going forward, ‘consent’ is the legal basis upon which data may be held or processed, and you must be able to demonstrate that consent was lawfully obtained and is still extant.
So what is Consent? Can you continue to talk to people you’re already engaging with? And how long for?
Regulation 11 of the European General Data Protection Regulations defines consent of the data subject as: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Seems clear enough, you’d think, but to maintain an ongoing relationship you have to be able to justify how you came by the details of each and every person on your database, show that they freely consented to being on your database, and demonstrate that consent is still ongoing.
Inviting individuals to sign up to a competition with the generic statement ‘you may receive contact from our selected third party marketing partners’ will no longer be acceptable. Under the Data Protection Act 1998 it might have been worth the risk, but now that fines could be up to £20 million or 4% of your worldwide annual turnover, it’s worth making sure compliance with the GDPR is correct.