Ben's Compliance Bulletin: GDPR: Consent

If you talk to anyone regarding GDPR, their main concern is that of consent. Interestingly, this is only one of the six lawfulness of processing guidelines, however, for mortgage and/or protection advisers, this is the most likely lawful basis for processing of customer information.

Historically our Customer Declaration has relied upon clients not opting out, or to put it another way, they have had to tick boxes to remove their consent. This approach does not meet the requirements of the new GDPR regulation.

It is therefore important that consent is freely given, specific, informed and unambiguous. To put it another way, you must be clear with your clients what they are consenting to and how their data will be used. The client must then ‘opt-in’ using a consent document which will be suitably specific and granular in its detail.

In addition, the document must stand alone, not be part of a wider declaration and must clearly explain how they can ‘’opt-out’ or withdraw their consent easily.

The guidance from the ICO makes it very clear that if your current process meets GDPR requirements, then you are allowed to continue to rely on these historic documents; however, as our previous document does not meet the new legislation, all advisers will need to ‘repaper’ customer consent using GDPR compliant consent documents.

Consent templates

Please find below an example of a consent document which you could use to obtain consent for your customers.

Consent document

Using the Key to record consent

Additionally, you should also record consent using the Key under Client > Contact > Additional Information. A copy of the client’s consent must also be uploaded to the client file on the Key. The Key will be updated on 29th April (further details and release notes to follow) and the update will meet GDPR requirements, but please see screenshots below:

The key here is that all consent must be easily verifiable.

GDPR frequently asked questions

We have been updating and answering frequently asked questions on the GDPR Hub on our member’s site, so please keep checking back for further guidance.

Consent for marketing

The context in which consent appears to be most relevant for firms appears to be consent to processing data (particularly special category data) and consent to market to a data subject. When thinking about direct marketing it is important to understand that not all communication to data subjects is classified as marketing, especially when we consider communication to existing customers.

Let’s explore that in more detail.

Direct marketing definition – “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.”

Communicating with customers

How you communicate with your customers is based upon the lawfulness of processing conditions.

Some communications you have with your customers will be necessary based upon the need to carry out your contractual responsibilities e.g. informing them that their adviser has changed, a change of contact details for the firm or maybe that there is a change of ownership of the firm itself.

Communications you have for the purpose of marketing to your customers will require you to obtain consent. The ICO has issued a 58-page document along with a 4-page checklist which you can use to assess your business communications.

To make life easier for you, here is a summary of the key points:

Electronic mail marketing

The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission.

However, there is an exception to this rule. Known as the ‘soft opt-in’ it applies if the following conditions are met;

where you’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
where the messages are only marketing similar products or services; and
where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.

The rules on emails don’t apply to emails sent to organisations, though you must still identify yourself and provide an address.

The Telephone Preference Service (TPS) and Fax Preference Service (FPS) are operated by the Direct Marketing Association, and allow people to register their numbers to opt out of receiving unsolicited calls or faxes. You must not market individuals or organisations who have registered their numbers with the TPS or FPS.

In summary, we recommend that your marketing campaigns are always permission-based and you explain clearly what a person’s details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.

Postal marketing

Postal marketing can form an important part of any organisation’s overall marketing strategy. From simple flyers and response forms to competition entries and interactive CDs, postal campaigns can generate important new leads and business.

However, some postal marketing may be unwanted – more commonly known as ‘junk mail’. As with electronic marketing, if the person or organisation you’re targeting asks to be taken off your mailing list, you must comply with their request. There are no exceptions to this rule, and if you fail to comply, they can apply to the courts for an order against you under section 11 of the Data Protection Act.

The Mailing Preference Service (MPS) is a service set up by the direct marketing industry to help people who don’t want to receive ‘junk mail’. People simply register their details to prevent further mailings, and several direct marketing codes of practice specify that marketers should clean their lists against the MPS file. Many of the companies who subscribe to the MPS recognise the considerable benefits of the service as they save money, time and resources by not sending material to people who don’t wish to receive it.

Marketing by mail is acceptable provided;

you have screened the name and addresses using the Mailing Preference Service (MPS)
the data subject has stated that they are happy to receive marketing from you

Having considered the above guidance from the ICO we are satisfied that the consent template provided meets the necessary GDPR requirements.

Like the friendly can do approach, keep it up!

Michael McGuiness, Adviser

What a breath of fresh air! Fantastic positive attitude!

Andrew Smith, Adviser

You are a wake up call to this market and a revelation compared to my previous network.

David Levy, Adviser

Full support from the start and was up and running in no time.

Gary Dobson, Adviser

I feel I am well on the way to regaining my CAS status and establishing a viable business for myself.

Matthew Robinson, Adviser

Only been 3 months but so far so good and the best decision I have ever made.

Martyn Smith, Adviser

Ben’s Compliance Bulletin: GDPR: Consent