Getting GDPR ready. The fog around consent
Getting ready for GDPR consent
To help our customers and users, I’m on the road to becoming a Professional practitioner of GDPR. The course is being operated by the IDM (Institute of Direct Marketing), which is the educational and training side of the DMA (Direct Marketing Association) here in the UK.
From my time sitting on the DMA Email Council, I know that they work closely with the ICO and were heavily involved in the shaping of the EU decision making on the finalisation of the GDPR.
So on the accreditation front, I know we are in the right hands to get the knowledge we need, both for ourselves and for the businesses we support, before anyone gets their “GDPR ready” t-shirts and mugs printed.
(In fact, since writing this we’ve recorded our first GDPR webinar – take a look here.)
So far so good. However…
Confusion and Delay around the rules of consent within GDPR
GDPR arrives on 25th May. That’s not far off. I can’t complete my course, as the exam isn’t available yet. The exam isn’t available yet as the course is in ‘beta’.
The course can’t be completed because the guidance from the ICO in certain areas hasn’t been completed yet. It’s behind schedule.
After running 4 workshops last week about GDPR, and trying to complete an official accreditation in Professional GDPRness, it’s incredibly frustrating that the full GDPR rule book hasn’t yet been confirmed.
It’s a chaotic situation given the size and complexity of the legislation, and given that this is compliance we’re talking about. If you take ISO 9001 as a reference point, certification takes around 9 months on average. At the time of writing, we’ve got under half that.
You can’t be 100% GDPR ready yet
Bottom line is this. If you think you are GDPR ready, you aren’t. You can’t be, because the ICO hasn’t finalised its guidance on the rules of the hottest game in town yet.
That is not stopping us moving forward, getting ready and advising others on how to get ready. It’s just a bit embarrassing that the businesses of the UK are in this position in relation to GDPR, and with a ticking clock.
So what don’t we know?
What is the final decision on consent?
I don’t know the final decision on consent. The final guidance isn’t there. It should have been concluded in December. It’s now 27 January, and people are getting jumpy.
They know they want to get this sorted but they can’t, not for sure anyway.
I’ve noted two articles in relation to consent posted on the DMA website on 9th January 2018.
How do you get consent? Well, you just get consent.
One explains the rules of consent, and pretty much adopts established best practice:
Don’t use soft opt-in. Record and store explicit consent, along with when and how you got it. Allow people to manage their consent. Make sure you always offer opt-out.
That type of thing.
Or maybe you don’t. Play the Legitimate Interest card.
The other article (posted the same day) focuses on the term ‘legitimate interest’.
According to the article, legitimate interest will let you process data without asking for consent, where the processing is what your audience would reasonably expect given their behaviour. It is a separate lawful basis, not consent that you assume.
Sometimes that makes sense.
If I buy something from you online, it’s perfectly reasonable for you to process my details to send me that item without asking for separate consent.
I’ve given you details on where to deliver it to, and I’ve paid for it. Frankly, if you don’t send it, I’ll be pissed off.
In that case, a basis other than consent kicks in. Strictly, fulfilling the order is covered by the ‘necessary for a contract’ basis in Article 6(1)(b); legitimate interest is the one you’d reach for with the related processing a customer would reasonably expect, such as checking that order for fraud.
However, in the article, one of the examples explains that you’ll be able to market to an existing customer, simply because they are an existing customer that hasn’t already opted out.
I didn’t think that was the case. If it is, then great. But we are waiting for the rules of the consent game to be ‘inked in’; they are currently in pencil. And even if the GDPR side lands that way, remember that marketing email to individuals is also governed by PECR, which wants consent or the soft opt-in whichever GDPR basis you pick.
Crack on. What’s the worst that could happen?
I’m thinking about it as a ‘reasonableness’ test. I use the term “reasonableness” because ‘Legitimate Interests’ will be the Waterloo of many a seemingly ‘compliant’ business. I can picture the corporate lawyers at bootcamp preparing their UFC-style ‘legal’ takedown defence for any attempt at ICO action.
The game of Legitimate interests could get very messy. So please tread carefully if you think this is a card you’d like to play with your audience and their behaviour.
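To make the two readings above (the best-practice consent rules, and the ‘existing customer under legitimate interest’ argument) concrete, here is a small consent ledger as an added example. It is my illustration, not code from the post, the DMA or the ICO. It stores each consent decision as evidence rather than a flag, treats opt-out as the strongest signal, and keeps the disputed legitimate interest reading behind a switch that defaults to off. The purpose names, the `existing_customers` set and the `li_for_existing_customers` flag are assumptions for illustration, as is the sample data.

```python
"""Consent ledger: an added illustration, not from the post, the DMA or the ICO.

Assumptions (not from the post): purposes are plain strings such as
"marketing_email", the existing-customer list is supplied by the caller,
and the disputed legitimate interest reading sits behind a flag so it can
be switched off if the final guidance disagrees.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Set, Tuple


class Basis(Enum):
    CONSENT = "consent"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, kept as evidence.

    A bare 'opted_in = True' column can't answer 'when, where and to what
    wording did they agree?', which is what you will be asked to show.
    """
    subject: str          # e.g. an email address or customer id
    purpose: str          # what the consent covers
    granted: bool         # True = consent given, False = withdrawn
    at: datetime
    source: str           # where it came from: "signup form", "unsubscribe link"
    notice_version: str   # which wording was shown at the time


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)
    existing_customers: Set[str] = field(default_factory=set)
    # The reading of 'legitimate interest' the DMA article describes:
    # market to existing customers who have not opted out. Off by default.
    li_for_existing_customers: bool = False

    def record(self, subject: str, purpose: str, granted: bool,
               source: str, notice_version: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        """Append an event; nothing is ever overwritten or deleted."""
        event = ConsentEvent(subject, purpose, granted,
                             at or datetime.now(timezone.utc),
                             source, notice_version)
        self.events.append(event)
        return event

    def withdraw(self, subject: str, purpose: str, source: str) -> ConsentEvent:
        """Opt-out is just another event, so the history survives it."""
        return self.record(subject, purpose, False, source, notice_version="n/a")

    def latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self.events
                   if e.subject == subject and e.purpose == purpose]
        # Stable sort: on equal timestamps the most recently appended wins.
        return sorted(matches, key=lambda e: e.at)[-1] if matches else None

    def lawful_basis(self, subject: str, purpose: str) -> Optional[Basis]:
        """Decide whether this subject may be contacted for this purpose.

        Order matters. An explicit opt-out wins over everything, including
        any legitimate interest claim (GDPR Art. 21(2) gives an unconditional
        right to object to direct marketing). Explicit consent comes next.
        Only then, and only if the flag is on, do existing customers fall
        back to legitimate interest.
        """
        last = self.latest(subject, purpose)
        if last is not None:
            return Basis.CONSENT if last.granted else None
        if self.li_for_existing_customers and subject in self.existing_customers:
            return Basis.LEGITIMATE_INTEREST
        return None                           # no basis: do not contact

    def audit_trail(self, subject: str) -> List[Tuple[str, str, bool, str, str]]:
        """Everything held about one subject, e.g. for a subject access request."""
        return [(e.at.isoformat(), e.purpose, e.granted, e.source, e.notice_version)
                for e in sorted(self.events, key=lambda e: e.at)
                if e.subject == subject]


if __name__ == "__main__":
    # Constructed sample data for the demo.
    ledger = ConsentLedger(li_for_existing_customers=True)
    ledger.existing_customers.add("bob@example.com")
    ledger.record("alice@example.com", "marketing_email", True,
                  source="signup form", notice_version="2018-01")
    ledger.withdraw("bob@example.com", "marketing_email", source="unsubscribe link")
    for who in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(who, ledger.lawful_basis(who, "marketing_email"))
```

The point of the ordering in `lawful_basis` is the one the post makes: however the legitimate interest argument lands, an opt-out has to beat it, and you need the event history to prove you honoured it.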
Oh, and have you met the ePrivacy directive?
I know this is a separate piece of law from GDPR, but it’s a very close relative. It’s also stopping me from finishing my course, as it’s a module that needs to be completed. Problem is, the module hasn’t been released yet.
So I’m expecting it to outline the following:
That people are going to need to gather consent for cookies, and for tracking based on logging IP addresses.
That means businesses are going to need to be clear about what a cookie actually is and does, and explain it in a transparent way that my Granny could understand, for example.
I don’t know if that’s right or not. I don’t have the final information on ePrivacy. However, the EU directive suggests this is right.
So if you are actively using tools that rely on IP reverse look-up or tracking (such as the Facebook Pixel), then the effectiveness of these tools is likely to change significantly in the post-GDPR world.
What happens next?
GDPR has quickly gone from ‘what’s that’ to ‘OMG’. In my experience, people want to get ready and get on with their business. But we need to know the full rule book. It might not be perfect, I’m sure it will change (evolution not revolution, yawn, sorry), but we need a starting point.
So come on ICO get a move on.
We understand the GDPR is a complicated framework, and you are going to have to police it.
We understand it’s legislation and some Brexit stuff is going on that’s held up key decisions.
But help us out ICO. What’s your take on this?
Can you please get that consent guidance inked in, explain ePrivacy properly, and let’s get on with implementing it.