Consent under GDPR Call to Action

Vincent Rejany, principal product manager at SAS 

How many of us have already failed to unsubscribe to newsletters or other email solicitations? For sure the link is there at the bottom of these emails, but who knows what happens when asking for unsubscribing.

Consent has been for years limited to one “Do not call/contact” flag at the customer profile level. In the best cases, you could have this information at the channel level, but still with neither notion of validity or object, nor official proof of the consent. Moreover, the consolidation of consent information acquired through X number of channels, web, call centres, face to face interactions, direct request is still a challenge for any organisation.

The new European General Data Protection Regulation (GDPR), which will be enforced in May 2018, does no longer leave any room for interpretation. Have a look to chapter 1 article 4(11), consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

GDPR is now calling for better consent data governance, and each company will have to set proper consent master data management process, to know which customer can be contacted through which consented channel about which consented topic and until when. Managing withdraw consent process is also mandatory as it should be instantly considered and propagated across the organisation. Here are some key questions to be asked:

• Have you identified data processing activities which relies on consent?
• Is consent specific, freely given, informed and unambiguous?
• How do you collect customer consent, and do you have proofs of customer consent? (Written authorisation, email confirmation)
• Where and how do you store consent data?
• Do you inform your customers of their right to withdraw consent at any time before consent is given?
• What is your process in case of a customer withdrawing his consent?
• Do you need to collect children consent for activities?

I see a huge opportunity for companies switching from a blast communication approach, one message to all with unknown results, to a sharper approach: targeted messages to each customer with one expected result. As customers, we are definitely asking for more intuit personae communication, and yes, we don’t read mass emails. According to Average Email Campaign Stats of MailChimp Customers last report, email-marketing open rate is less than 22% with an average click-through rate of 2.8% across industries. Difficult to understand why so many marketing departments in the modern customer digital age are still running such strategy and most of the time in an uncompliant way.

Transparency, accountability and lawfulness must be demonstrated when processing personal data and more especially when the legal basis is consent. The supervisory authorities are considering that consent should be exclusive and the last legal basis to be selected. Mind that violation of the GDPR rules around consent will generally subject organisations to the higher level of fines, 20,000,000 EUR or 4% of global turnover, so it is time for action!

Vincent Rejany, principal product manager at SAS 

How many of us have already failed to unsubscribe to newsletters or other email solicitations? For sure the link is there at the bottom of these emails, but who knows what happens when asking for unsubscribing.

Consent has been for years limited to one “Do not call/contact” flag at the customer profile level. In the best cases, you could have this information at the channel level, but still with neither notion of validity or object, nor official proof of the consent. Moreover, the consolidation of consent information acquired through X number of channels, web, call centres, face to face interactions, direct request is still a challenge for any organisation.

The new European General Data Protection Regulation (GDPR), which will be enforced in May 2018, does no longer leave any room for interpretation. Have a look to chapter 1 article 4(11), consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

GDPR is now calling for better consent data governance, and each company will have to set proper consent master data management process, to know which customer can be contacted through which consented channel about which consented topic and until when. Managing withdraw consent process is also mandatory as it should be instantly considered and propagated across the organisation. Here are some key questions to be asked:

• Have you identified data processing activities which relies on consent?
• Is consent specific, freely given, informed and unambiguous?
• How do you collect customer consent, and do you have proofs of customer consent? (Written authorisation, email confirmation)
• Where and how do you store consent data?
• Do you inform your customers of their right to withdraw consent at any time before consent is given?
• What is your process in case of a customer withdrawing his consent?
• Do you need to collect children consent for activities?

I see a huge opportunity for companies switching from a blast communication approach, one message to all with unknown results, to a sharper approach: targeted messages to each customer with one expected result. As customers, we are definitely asking for more intuit personae communication, and yes, we don’t read mass emails. According to Average Email Campaign Stats of MailChimp Customers last report, email-marketing open rate is less than 22% with an average click-through rate of 2.8% across industries. Difficult to understand why so many marketing departments in the modern customer digital age are still running such strategy and most of the time in an uncompliant way.

Transparency, accountability and lawfulness must be demonstrated when processing personal data and more especially when the legal basis is consent. The supervisory authorities are considering that consent should be exclusive and the last legal basis to be selected. Mind that violation of the GDPR rules around consent will generally subject organisations to the higher level of fines, 20,000,000 EUR or 4% of global turnover, so it is time for action!