As the new sheriff in town, the GDPR casts a dark shadow over businesses processing direct marketing data. The regulation has companies wondering if they must obtain new consents for their entire marketing database. The answer is, “it depends.”
This problem arises from Recital 171 of the GDPR which states: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of this Regulation.”
The premise is that if you acquired consent for processing data pre-GDPR, then you can continue to rely on that consent post-GDPR. All is okay up to this point. But the dark cloud above all this is that the pre-GDPR consent remains valid only if it was obtained to a GDPR standard. The GDPR requires that an indication of consent must be unambiguous and involve a clear affirmative action. With the added requirements for consent, it follows that all consents obtained pre-GDPR are likely no longer valid, and businesses must obtain new GDPR-based consent.
The GDPR will fine businesses processing marketing data with no lawful basis up to EUR 20,0000,000.00 or 4% of the total annual worldwide turnover. Rather than accept the risk of noncompliance, let us remove that dark cloud of noncompliance and help your team comply now.