Autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et dolore feugait

GDPR – The Consent Trap

Having got past 25 May 2018, the day the GDPR came into effect, the flood of GDPR emails is beginning to diminish. But were all these emails necessary, and in particular, was it actually necessary to seek consent? In many cases it was not necessary to seek consent to “stay in touch”.

Under GDPR consent is one of 6 legal bases for processing data. In most cases, organisations will be able to rely on the “legitimate interests” ground to remain in contact with their contact list.

The recitals within the GDPR expressly say that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Many businesses can therefore rely on the concept of ‘legitimate interest’ to justify processing client personal data on their mailing lists without the need to re-affirm the consent. GDPR expressly acknowledges that businesses may have a legitimate interest in direct marketing activities, which could include circulating invitations to events, new products and services, or updates. This is an appropriate basis for data processing where you use data in ways that people would reasonably expect and has a minimal privacy impact especially as a recipient should always be able to easily opt-out of future marketing emails.

If you are seeking consent, remember that different rules apply depending on whether the marketing is sent to an ‘individual’ or a ‘corporate’ subscriber. For GDPR compliance purposes, marketing to a corporate email address does not need consent. However, if you are sending unsolicited marketing emails to individual subscribers, then you will need the individual’s consent, unless the so called “soft opt-in” applies, where the individual is an existing customer or has shown an interest in your product or service.

To summarise, assuming that you can justify a “legitimate interest” for the continued contact, consent is not needed to continue marketing to existing customers or to contacts at corporate email addresses. Consent will only be needed to send direct marketing emails to personal email addresses of individuals who are not already customers.

In an effort to be compliant, many companies have been sending an email out to all their contacts requesting consent to future marketing. However, this may itself be unlawful if consent was not originally in place, and the ICO has fined organisations for engaging in this.

If you need any help and advice in relation to the GDPR, please do not hesitate to contact me or the employment team on 0113 350 4030 or at hello@scesolicitors.co.uk.

If you have enjoyed this article and would like to be kept updated on HR and Employment Law issues please subscribe to our monthly newsletter.

SCE Solicitors is a boutique employment law practice based in Leeds which advises clients nationwide.  Please note that the information in this blog is to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with SCE Solicitors or other professional counsel before acting on the information contained here.

Richard Newstead
Latest posts by Richard Newstead (see all)
Richard Newstead

Richard qualified as a Legal Executive over 20 years ago and has significant experience in Employment law and Litigation. Richard acts for both employers and employees drafting and advising on settlement agreements, contracts of employment, consultancy agreements, directors service agreements and general workplace policies. He acts for commercial clients in the employment tribunal dealing with unfair dismissals, constructive dismissals and claims for discrimination.

%d bloggers like this: