Information Notice: The information and opinions in this blog are for general information purposes only and not provided as part of any contract or service. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is for each organisation to take its own decisions and its own advice on GDPR and regulatory compliance more generally. The views given in this blog do not represent those of Experian Ltd.
We recently brought you the first in a two-part series of blogs about the changes now in place to data processing rules under the new GDPR and how organisations need to review the basis and permissions that govern their processing of personal data. In this second instalment, I’ll be diving into consent in more detail and looking at how the combination of sound data management practices and cutting-edge technology could help your organisation towards a Permissions Strategy to support the GDPR.
As with the previous blog in this series, there is going to be some useful content for everyone involved in personal data, but you may find that some of this is most applicable to you if you work in marketing, where consent has been so important over the years. Whilst the other five lawful bases for processing data are just as important (and can be applicable to marketing too), my conversations with clients over the last couple of years have thrown up consent as the initial focus area for many.
Let’s begin by exploring how an organisation’s historic consent data, and the inherent challenges within it, can be tackled as part of the preparation for a Permissions Strategy.
Moving toward a Single Consent View
Many organisations have collected consented marketing data for a number of years, potentially under different Privacy Policies and opt in / out tick box arrangements, and stored it in different databases and systems, so there is clearly some room for confusion. As with any data management project, gaining a holistic view of all your data is a critical first step – consent is no different to the rest of your contact data.
If you have consent records you are likely to have some or all of the following data elements:
- Yes or No to marketing
- Channel Preference
- Date of consent or last change
- Privacy Policy version that consent was given against
This consent data will either be linked to a full contact record (e.g. in your CRM) or partial contact record such as an email address or mobile number. Some systems may link consent to a non-personal identifier or unique key.
Regardless of the content, organisations with more than one source of data or the possibility of duplicates within a single source will want to bring together that data to discover any issues that may be there.
Common issues that you will likely find when you analyse consent data include:
- Discrepancies in the consent status of an individual between data sources
- A difference over time in what Yes means (i.e. is Yes opt in or opt out?)
- Some records with date stamps and/or change history, some without
- Some records with a Privacy Policy version, some without
- Discrepancies between records around channel permissions and preferences
- Underlying contact data may differ between data sources
How you then fix any issues will depend on choices backed up by your DPO and Legal team. For example, do you want to prioritise one historic source over another where there are duplicates? How do you go about re-consenting any data that does not meet the requirements of the GDPR for a date stamp and Privacy Policy version (amongst other requirements such as transparency of the original consent and the reasonable expectations of the individuals who consented)?
In a number of circumstances, it may simply be easier to assume consent has not been given and remove individuals from your marketing pool. Regardless, care must be taken as some approaches to re-consenting data have led to action by the ICO.
At the end of this process, what you should have is a pool of consented data that you can trust – a Single Consent View, backed up with high-quality contact data. It’s now time to bring this into your wider permissions strategy.
What’s the role of a Permissions Platform?
As I discussed with J Cromack from MyLife Digital in the previous blog, consent is just one of the legal bases for processing data under the GDPR. Dealing with changes to consent, as well as tracking the status of and potential challenges to the other bases, will require solid processes, policies and reliable tools as part of a company-wide permissions strategy.
One such tool is a permissions platform like Consentric by MyLife Digital. Where a typical CRM will only store consent flags, Consentric can contain all of the information related to lawful processing bases including the Yes/No to marketing, audit trails, any dates of expiry (for example contract expiry for a warranty) and challenges to bases like legitimate interests.
From here, other applications can make use of this data to control data processing activities, such as marketing campaigns or analytics, on the fly. Individuals and relevant staff can also access this platform (e.g. via a My Account page) to change permissions where relevant.
As an added bonus, the data within a permissions platform like Consentric is also anonymous. Using a unique pin contained within the platform, there is no need to store the personal contact data of individuals – the pin can link permissions back to the individual in the relevant applications.
If we reflect back on the Single Consent View work, ensuring that your existing marketing database is reliable and compliant is the first step. Going forward, loading this data along with all your other lawful basis information into a permissions platform enables you to build upon a solid foundation.
If you’d like to know more about how you can prepare your contact and consent data for a wider permissions strategy or the Consentric permissions platform by MyLife Digital, please contact us.