October 3, 2018

Deliverability 101: Consent and data collection under GDPR

Here we sit. It’s just a little more than three months after GDPR came into effect and the world has yet to end for digital marketers. Hooray!

The legislation does seem to be having its desired effect on a global scale by making businesses scrutinize their internal processes, how they collect data, how they use that data, and how long they retain it. However, the GDPR is also having some unintended side effects, like a significant increase in complaints (6,281 in just one month), and day-one lawsuits against both Google and Facebook.

In this short sub-series within Deliverability 101, we plan to tackle some of the most commonly asked questions we see from marketers when it comes to GDPR, and items to consider when looking at compliance programs and current data practices.

First up, we’ll cover lawful processing of data collection, use, and notice to consumers.

How can I determine the proper type of consent to use?

Many marketers are still confused about the requirements for proper consent when messaging their clients and prospects. In short, Article 6 states data must be collected and processed in a lawful, fair, and transparent manner. Combining your understanding of GDPR’s requirements with the requirements of the Directive (95/46/EC) adds an additional layer of complication to many compliance programs, as the Directive describes the requirement to be transparent: “The data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection.” (Article 38 of the Directive).

In short, this is telling you to be clear about what data you’re asking for, how you plan to use it, whether a third party might be processing it on your behalf, and how a person can withdraw their consent in the future.

We told you these posts were going to dive deep!

Article 6 of the GDPR outlines six key types of lawful processing, and recitals 40 through 48 further describe each of these terms:

  • Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Performance of a contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Compliance with a legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Vital interests of the data subject: Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Public interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • The legitimate interest of the data controller: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

But which is the best type for my organization?

From a marketer’s perspective, not all of these are going to fit into the standard types of data collection rules they use on a day-to-day basis. The most common types currently being used by marketers fall into one or more of these three categories: Consent, Performance of a Contract, and Legitimate Interest.

However, it’s also important to keep in mind the idea of public interest or legal obligations when you look at your data. At some point, you may need to send a safety notification, recall, or another legally required message to your members or your business. These may be processed under a different piece of legislation (recital 45). Just be sure you’ve taken the time to understand the limitations and the proper situations where these rules apply when it comes to managing and using client data under these classifications.

The final type of lawful processing, vital interest, is unlikely to be needed by most marketing organizations, as the common interpretation covers only items relating to “life or death” situations (recital 46). This type of scenario would likely be reserved for extreme situations, like contacting individuals via an alert system in the case of a pending disaster.

I’ve heard mentions of sensitive data, but what does that mean?

GDPR also covers two additional sensitive data classifications: data collected regarding minors (article 8) and topics such as race, genetics, health, religion, sexual orientation, and others (article 9). In most member states, the recommended age for data collection authorization is 16; however, some member states may choose age 13 as their minimum. Where an individual is under the local law’s minimum age, the consent of a legal guardian is required for data collection and processing (recital 38).

Special category data is prohibited by default, unless the collection and use of that data satisfies one of the listed exemptions under 9.2, which include explicit consent and several others listed within the legislation. Recitals 51 through 56 explain each of the special categories listed in article 9.2 further and how they could be applied by an organization or by the member states themselves.

Stay tuned for future GDPR explanations, where we’ll discuss things like the rights of a data subject to access, update, delete, and export their data, and the differences between controllers and processors.

*Editor’s note: This is not intended as legal advice, but a practitioner’s interpretation. It is highly recommended you seek your own counsel’s opinion and understanding of your responsibilities under the GDPR.

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
