In our last post on the road to GDPR compliance, we looked at the role of data processors and data controllers and some of the articles of the GDPR with which you will need to familiarize yourself. In today’s post, we’re going to focus on the number one thing on everyone’s mind and some of the recurring questions in our free GDPR webinar: How does the GDPR affect our marketing efforts? What data can and can’t we store? Can we market to people who gave us their business cards at a tradeshow? All these questions relate to one key concept in the GDPR: consent; and while consent is not the only thing that matters when it comes to the GDPR, it is extremely important.
To understand the role of consent and how it relates to lawful grounds for processing data, I recommend that you familiarize yourself with article 7 and recitals 32 and 43.
What does article 7 require from us?
I. Express Consent
First, it requires that you are able to demonstrate that the data subject actually gave you permission to process their data. Remember: the “data subject” is the person whose data you are processing.
Say you go to a conference and a bunch of people give you their business cards. Can you create a database on your computer and send them your marketing materials? If your marketing materials are newsletters or any other type of regular, un-personalized publication or mass mailing list, then obviously the answer is no.
But, if instead of creating a database and cold emailing strangers with un-personalized and unsolicited marketing materials, you find a good reason to contact those people individually, that’s fair game.
Why? Because what the GDPR aims to do is protect us all from those somewhat clueless and oftentimes overenthusiastic marketers that can’t tell when they are simply annoying people. In terms of compliance, the GDPR is the legal equivalent of “reading the room.” If you just don’t get when people are uninterested or simply being polite, then the GDPR is here to tell you when to back off and give them breathing room.
III. An Escape Route
Third, article 7 stipulates that the data subject should be able to withdraw their consent at any time. And it should be really easy for them to do that. What that means is that the person should be able to easily opt out of whatever they opted into without getting the runaround from you. You know when you try to opt out of something and you get those annoying “are you sure?” or “why are you leaving us?” messages? Well, you won’t be getting those anymore.
IV. Fair Play
Lastly, article 7 governs consent and contract. At first glance, article 7(4) looks like a prohibition of consent bundling. What in the world is consent bundling? It’s combining contracts with consent. Like if you don’t agree to X then you can’t get Y.
But if you take a closer look, what it’s prohibiting is consent bundling only in cases in which i) the data processing isn’t covered by the contractual purpose and ii) the contractual data being processed is combined with the processing of contractually irrelevant data. Confused? Let’s simplify it. As a language professional, here’s what you need to bear in mind:
1) What is the subject of the contract (translation? proofreading? etc.)? Based on that, what data do you actually need to perform that contract?
2) If you want to process that data for anything other than what you were hired to do, just don’t. And if you’re somehow tempted to automatically add your clients to your mailing list or newsletter because for some reason you think that hiring your services equals consenting to your future marketing efforts, just resist that temptation. Trust me.
Have more questions? Leave a comment and I’ll try to get to it in my next GDPR post!