GDPR: The Consent Paradox

The GDPR will help drive up consumer trust in marketing but there remain potential pitfalls for those that don't put enough thought into their processing. Much of the myth and misinformation about the GDPR stems from the obsession with consent as the be-all and end-all for marketing.

This fundamentally misunderstands the GDPR and opens businesses up to binds and knots that could tie them up in the future. Consent may actually bind you to things that may not suit your business in the future, and this is the paradox of consent - people consent to what's written down in front of them, but not yet-to-be-imagined future scenarios.

ICO Deputy Information Commissioner Steve Wood told an OpenText conference in October that there is an enduring myth of, "Consent as the silver bullet". So many articles we read in the trade press talked about, in all circumstances, organisations having to have consent to access personal data.

"That's not what the GDPR says," he said.

The GDPR is concerned with processing and automated decision making. This could mean anything from simple segmentation to complex algorithms or automation systems that rely on personal data to make decisions.

There are two important points to make here. Firstly, if you don't use personal data, then you don't have to worry about consent or legitimate interests for processing - you can just get on with it.

Secondly, you will need permission to send marketing messages, but under the Privacy and Electronic Communication Regulations (known as PECR), not under the GDPR. It is possible to gain permission under PECR to send messages, but then use either consent or legitimate interests to process information before it's sent.

But let's for a minute imagine that the processing you carry out may become more complex. In this case, consent may not be the best way to process information as you will need to re-consent if or when your processing changes.

Now imagine that your processing is complex. How would you explain this to a customer or potential customer in simple, plain, language while keeping what you propose specific?

The simpler your proposed processing, the more likely consent is the best choice. But because consumers consent to the specific wording you present them with, then you are tied to that wording. Going outside what you propose risks breaching the GDPR. Alternatively, you could go back to your customers with a new wording for re-consent. Neither option will be palatable for marketers.

As Wood explains, "At the ICO we've always believed when you use consent, it should mean consent. Consent should not be illusory. If Consent is used in all circumstances, it's not actually likely to be true consent. We always say when you use consent, mean it."

Legitimate interests give marketers more flexibility, as long as you always err on the side of the customer.

"It's the concept of a legitimate interest in the GDPR, which is essentially a balancing test where you consider how necessary it is to your legitimate interest as a business to actually process the personal data in that particular way and actually considering what the impact is on the individuals and also what safeguards you can put in place to actually process the data, " he added.

"A legitimate test, relying on that condition in the GDPR, can be another legal basis and alternative to consent in some situations," he says.

There is no definitive answer for businesses here. The GDPR has to be applied to each and every business, and each and every business has different needs and strategies. Consent might be right for your processing today. But in the future will it be legitimate?

Whether you're responsible for marketing or data management, it's imperative you understand the new rules and how they will impact your role and responsibilities.

Find out more about IDM Professsional Qualifications here.

Download the IDM Qualifications & Training Catalogue

Back to blogs

Why do it with the IDM?

Marketers who choose the IDM as their training partner make a real difference to their business, their customers’ lives and their own career.

The IDM is leading the ‘do revolution’

What counts today more than ever is not what you think, or even what you say, but what you can do. IDM qualifications and short marketing courses are designed for marketers who want to do more, faster, better.

Over the last 30 years we’ve trained over 100,000 delegates across 28 countries, from Microsoft to the BBC, John Lewis to Lego.

What will you do next in your digital, direct or data-driven career? Find out about IDM qualifications and training courses or IDM membership.

"The information was pitched at the right level for someone with limited stats knowledge so that I could understand the theory as well as the application"

Martin Radford,
Data Services Manager, CDS Global

Train Your Teams

Upskill your teams marketing capabilities with a tailored IDM training plan that suits your business

T-6a0e2d55-230c-42e8-a31c-10df0377a1f0-1.jpg Corporate Training

Enhance your career with the IDM

Your training partner in filling digital and direct marketing skills gaps, setting you apart as a doer

T-70b2be21-1173-4376-bbda-a80bd2ca6f3d-1.jpg Marketing qualifications

We use cookies to help enhance your experience and improve the functionality of our website.
For more details and help to manage your cookie options read our Privacy & Cookies information.

Report a bug