Consent checklist: What your business MUST do to comply with GDPR

The way you currently contact your clients and prospects is changing, with the introduction of the EU General Data Protection Regulation (GDPR) in May 2018.

Whether you’re sending marketing communications such as blog posts, deals and offers, or providing information about new services, your clients must now specifically agree to be contacted by you. If you contact them without explicit permission, you could be in breach of the rules.

Though it may sound like a hassle, gaining real consent will not only avoid hefty fines – it can actually help build customer trust and engagement in the long run. To obtain compliant consent for your marketing communications, follow these steps:

Clients must actively ‘opt in’

However you currently collect your data, you will need to get rid of forms which pre-populate the “I agree to be contacted for marketing purposes box”, or which state providing details gives consent by default.
Clients and prospects must actively opt in to communications, for example by ticking a box which agrees to a clear and specific Consent requests should be kept separate from other terms and conditions.

Ask your existing database

You’ll need to ask your existing contacts whether they are happy to continue receiving marketing updates. They may have already agreed, if they have specifically opted in.
But those who are contacted purely because they have given you their details or use your service, but haven’t agreed to marketing updates, will need to do so before you can contact them post-GDPR.

Are you contacting a customer with information essential to your service?

Though you CAN’T contact customers who haven’t opted in for marketing purposes, you CAN communicate details which are essential to the service you’re providing to them.

Make it clear that individuals can refuse or withdraw consent

Requests for consent should use plain language, and should explain:
– Why you want the data and what you will do with it
– The name of your organisation and any third party controllers
– That individuals can refuse consent without it affecting their service
– That individuals can withdraw their consent in future, and how to do this

If you are unsure about any of these points, always refer to official guidance from the Information Commissioner’s Office (ico.org.uk).