Why consent is different from (marketing) preferences

 In May 2018, the newly passed EU General Data Protection Regulation (GDPR) will irrevocably change the relationship between organisations and individuals when it comes to using personal data. It’s never been more crucial to understand your current consent position. Especially when getting it wrong – could prove critical.

A common misconception we are witnessing right now, is that the new requirements under the GDPR are simply being thought of as updating marketing preferences.

In part, it’s understandable – it’s the language organisations are familiar with when talking data and campaigns. By routinely asking customers about how they prefer to receive information, many organisations automatically believe they have their consent.

Which means the vital meaning and importance of consent is being overlooked.

Consent is an issue we really can’t afford to get wrong. Not only because of the GDPR, and the current scrutiny around current practices regarding personal data, but to safeguard our relationships with individuals.

First, let’s make it clear: consent around data is absolutely not the same as marketing preferences. You’re not meeting the new regulations, you’re not immune from data prosecution because you’ve set your marketing preferences. That’s a deep – and worrying misunderstanding. Preferences do not, in any way, confirm consent.

It might be useful to remind ourselves of how the GDPR defines consent: ‘”consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

It’s easy to focus on the end part. Because ‘processing of personal data’ is what organisations are used to doing, with many having invested in sophisticated systems that make it easy to segment customers according to their preferences and build high-level models to predict future activity. Yet, just because individuals have consented to receive information, that does not constitute explicit and ‘unambiguous indication of the data subject’s wishes’ and nor have they given ‘clear affirmative action’ about ‘agreement to the processing of their personal data’.

Consent is a right.

Consent gives the individual total control. Which means the individual owns their own data, and must give explicit permission for organisations to use their data. That’s any personal data that’s held. From data for marketing, to data used for the provision of services. It could quite easily be financial details and that’s before we even get into specific consents required for sensitive data about sex, race, gender and health.

It’s crucial we’re clear on these facts. The issues around personal data are not just about what piece of marketing literature we can send, or whether they are happy to receive telephone calls or emails. We need to know exactly what data has been collected – across every system and in use by every department. And this all needs to be mapped.

Preferences are, on the other hand, just that – a statement of how an individual prefers one thing above another.
From the moment you’ve collected an individual’s personal information, you need to know exactly how you’re sharing this – internally with other departments and externally with other partners and collaborators. It’s worth being aware that third parties will also be liable for penalties under the GDPR. This means that not only do you have to be compliant, but all your partners and any people who use the data you provide must be compliant also.

Likewise, organisations need to know where permission is granted. This means the exact source and channel. This is not about knowing what source and channel we have permission to use to market to people, but where that data came from to prove the origination of consent and permission.

Finally, organisations must prove they’ve got explicit consent. They have to be able to either amend individual details and their permissions or give the individual access to a system that allows them to control their consent. And they have to be able to erase the information from not just one system but all systems that they operate, should this be requested.

It might help to run an initial consent audit, to establish the ‘FIVE Ws’ of data collection to be sure you have everything covered:
• WHAT data has been collected?
• WHY is the data being collected and its purpose?
• WHO is using the data?
• WHEN the permission was granted (date)?
• WHERE the permission was granted (source)?

The amount of data we collect is growing at an astonishing rate. It is understood a growth of 650% is anticipated by 2020. And the variety of data we can gather has also changed. We can trace human behaviour, not just in a simple transaction, but through the journey that they took to make that decision. We can assess an individual. We can widen it out. We can connect other data and big data sets to look for broader patterns. We can analyse it for insights.

Yet, alongside the growth in data comes an increasing awareness about its meaning, its power and its value. What is important, is that we remember: right at the heart of all this data, sits the individual. If we forget this, misplace their trust and deny them control to their own data through explicit consent, it could prove critical to the future of many organisations. It’s that serious.

Keith Dewar, Group Marketing and Product Director, MyLife Digital