GDPR: Think about whether you actually need to refresh consent

OK, this’ll be the last post on GDPR for a while, I promise. But having brought you my own thoughts on the subject, and those of an independent expert, it would be remiss of me not to draw your attention to an interesting blog post from the Information Commissioner’s Office itself. Raising the bar – consent under the GDPR busts the myth that “we have to get fresh consent from all our customers to comply with the GDPR”. The blog post says:

“You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

“Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.

“It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.

“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.

“If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent.”

There are also useful links to the official guidance on consent, and myths around GDPR other than the one above. Meanwhile, from Twitter…