Skip to main content

The absence of a “no” does not mean a “yes”

Written by Claire Scaramanga

Over the last few months, I have been giving a number of talks to various business groups, including members from Croydon and London Chamber of Commerce this week, about the marketing aspects of GDPR.

What is GDPR

GDPR – the General Data Protection Regulation – is EU legislation that came into effect in May 2016 and becomes enforceable from 25th May 2018. It will replace current data protection legislation and its implementation will not be affected by Brexit.

The new legislation is wide ranging and covers all personally identifiable data. It will have a companion piece of legislation in the form of the ePrivacy Regulations, which were due to come in next May, but may be a little late as they are still not finalised.

My reason for doing all the talks has been to raise awareness, so that companies can start to look at all their data, but particularly their marketing data, and prepare for the changes.

These changes are not insignificant – for a start, under GDPR you must have a lawful purpose for processing a person’s data. There are six lawful purposes, and these include contractual obligations, such as performing a service for a customer or holding an employee’s data.


In this article, I will focus on the four pillars of consent, one of the lawful purposes for processing people’s data.

With prospect sales and marketing data, where you don’t yet provide them with any services, it is likely that your lawful purpose might be based on the hardest of the 6 – consent.

Consent has four pillars:

1. Control

This means that the data subject (i.e. your prospect) has control over whether or not they give consent. This translates into an opt-in positive tick to say “yes”. No more pre-ticked boxes with ultra-small text that says you’ll get marketing material ad infinitum unless you tick this tiny, well-hidden box!

2. Transparency

This entails giving the details of what the person is consenting to, how they can opt out if they choose to in the future, and the details of any third parties (by name) that you intend to share their data with. You must give all this information at point that you are asking the person to give consent, and not hide in the murky depths of clause 101 of your terms and conditions!

3. Verifiable

GDPR places a great deal of emphasis on audits. Audits of all the processes you have in place for handling data, including auditable records of the time and date that consent was given and the privacy policy that you had in place at time. If you don’t have a CRM system in place, GDPR might be the catalyst for considering implementing one to help you manage your data and audits.

4. Freely given

You must not bundle consent as a condition of buying a service. A good example of where this currently happens would be when you are settling down with your tablet, coffee and croissant in that cosy café on the corner that offers free wi-fi. Except that when you sign up for it, the supplier asks for your email address and the insistence that you can only have free wi-fi if you agree to be added to their marketing list. GDPR is bad news for these companies!

Obtaining consent

In my next article on GDPR, I will look at how and where you can obtain consent, depending on whether your data subjects are natural persons (broadly speaking, consumers) or legal persons (broadly B2B) and how you can go about making your existing prospect marketing database GDPR compliant and the effect of the ePrivacy Regulations.

If you would like to learn more about GDPR, there is some excellent information on the Government’s ICO website.

Or if you’re really keen, why not read the legislation itself!