02 January 2019

Opt in vs Opt out … A Jazzbones Guide to being GDPR compliant.


Great Britain may (or may not?!) be about to leave the European Union, but one piece of new European regulation is here to stay, and it effects the way all businesses process and handle data about their customers, members, supporters and potential clients. We refer, of course, to the General Data Protection Regulation, which doesn’t exactly roll off the tongue, hence the abbreviation, GDPR.

The GDPR came into force in May 2018 and was designed to modernise laws that protect the personal information of individuals. The previous data protection rules were created during the 1990s and had struggled to keep pace with rapid technological changes. GDPR alters how organisations can handle the information of their customers. It also boosts the rights of individuals and gives them more control over their information.

A number of the new requirements have a concrete impact on direct marketing, including specific requirements surrounding your transparency with consumers, stricter rules for consent, data governance obligations and enhanced privacy rights that need to be upheld.

So, is your business GDPR compliant? To help you answer this question Jazzbones has compiled this handy checklist.



Existing data 

Understand the personal data your organisation holds and why you process it. Analyse who, what, where, when and how personal data is/was collected and assess if you can keep using it compliantly under the GDPR.



Legitimate interest

Crucially for marketers, GDPR states in Article 47 that direct marketing may be considered as a legitimate interest. Legitimate interest allows organisations to contact people when they have a valid reason to do so, as long as that person might reasonably expect them to.



Data collection

Ensure you tell individuals in easy to understand, plain language about your lawful bases for processing their data, give them choices and respect their rights. Test your opt-in messages, including the new requirement to inform prior to the individual giving their consent. Ensure the right to easily revoke consent is offered.



Opt in vs opt out

The GDPR lists specific requirements for lawful consent requests, but must also be given with a clear affirmative action. In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes. Although the GDPR doesn’t specifically ban opt-out consent, the Information Commissioner’s Office (ICO) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.



Lawful consent

Examples of lawful consent requests include:

  • Signing a consent statement on a paper form
  • Clicking an opt-in button or link online
  • Selecting from equally prominent yes/no options
  • Choosing technical settings or preference dashboard settings
  • Responding to an email requesting consent
  • Answering yes to a clear oral consent request
  • Volunteering optional information for a specific purpose
  • Dropping a business card into a box



Proof of consent

Your systems must be able to store proof of consent and revocation, including communication channels. Ensure your systems can record consents and subsequent objections tied to specific purposes stated at time of collection associated with select communication channels (email, text, mobile phone, landline, social media, etc.)



Privacy notices

Post an updated privacy notice as soon as possible, so that data collected can be used compliantly. The GDPR requires more detailed privacy notices, including how long you retain personal data, details of any sharing of personal data with third parties, an explanation of any profiling activities undertaken, how individuals can exercise their rights, and where to send complaints.



Put data protection at the heart of your brief

Apply the principles of privacy by design to keep data protection for individuals top of your mind from the moment you create, develop, modify or buy products and services.



Make your staff ‘privacy aware’

Train your staff about the importance of data privacy and to promptly report any policy inconsistencies. Everyone has a role to play in safeguarding and respecting the personal data of their colleagues, clients, and business contacts, so deploy training to new personnel and regularly to all members of staff.

Summing up, despite the fears surrounding GDPR’s introduction, the legitimate interest basis provides a great opportunity for responsible marketers to use – or continue to use - direct marketing for well targeted marketing.

When combined with the latest technology, creatively and thoughtfully put together, personalised and targeted, direct marketing remains a highly-effective channel to acquire new clients or supporters.