The GDPR will help drive up consumer trust in marketing but there remain potential pitfalls for those that don't put enough thought into their processing. Much of the myth and misinformation about the GDPR stems from the obsession with consent as the be-all and end-all for marketing.
This fundamentally misunderstands the GDPR and exposes businesses to commitments that could tie them up in the future. Consent may bind you to terms that no longer suit your business, and this is the paradox of consent: people consent to what's written down in front of them, not to yet-to-be-imagined future scenarios.
ICO Deputy Information Commissioner Steve Wood told an OpenText conference in October that there is an enduring myth of "consent as the silver bullet". So many articles we read in the trade press talked about, in all circumstances, organisations having to have consent to access personal data.
"That's not what the GDPR says," he said.
The GDPR is concerned with processing and automated decision making. This could mean anything from simple segmentation to complex algorithms or automation systems that rely on personal data to make decisions.
There are two important points to make here. Firstly, if you don't use personal data, then you don't have to worry about consent or legitimate interests for processing - you can just get on with it.
Secondly, you will need permission to send marketing messages, but under the Privacy and Electronic Communications Regulations (known as PECR), not under the GDPR. It is possible to gain permission under PECR to send messages, but then use either consent or legitimate interests to process information before it's sent.
But let's for a minute imagine that the processing you carry out may become more complex. In this case, consent may not be the best basis for processing information, as you will need to seek re-consent if or when your processing changes.
Now imagine that your processing is complex. How would you explain this to a customer or potential customer in simple, plain language while keeping what you propose specific?
The simpler your proposed processing, the more likely consent is the best choice. But because consumers consent to the specific wording you present them with, you are tied to that wording. Going outside what you propose risks breaching the GDPR. Alternatively, you could go back to your customers with a new wording for re-consent. Neither option will be palatable for marketers.
As Wood explains, "At the ICO we've always believed when you use consent, it should mean consent. Consent should not be illusory. If consent is used in all circumstances, it's not actually likely to be true consent. We always say when you use consent, mean it."
Legitimate interests give marketers more flexibility, as long as you always err on the side of the customer.
"It's the concept of a legitimate interest in the GDPR, which is essentially a balancing test where you consider how necessary it is to your legitimate interest as a business to actually process the personal data in that particular way and actually considering what the impact is on the individuals and also what safeguards you can put in place to actually process the data," he added.
"A legitimate test, relying on that condition in the GDPR, can be another legal basis and alternative to consent in some situations," he says.
There is no definitive answer for businesses here. The GDPR has to be applied to each and every business, and each and every business has different needs and strategies. Consent might be right for your processing today. But in the future will it be legitimate?
Whether you're responsible for marketing or data management, it's imperative you understand the new rules and how they will impact your role and responsibilities.