Data collection and permissions

Making sure the customer understands what permission they are giving and for what

The potential use of customer records for direct marketing and audience development, and any sharing of personal data between organisations, rely on three things:

  • the circumstances in which data was obtained
  • the notifications given to the customer at the time of collection
  • the permissions obtained.

GDPR sets higher standards for obtaining consent than the preceding legislation. Individuals must understand clearly and unambiguously what they are consenting to – so notifications must be simply articulated and specific – and consent should be given in the form of a clear affirmative action on the part of the data subject. In practical terms, this means asking for a positive “opt-in”, and it also means that pre-ticked boxes should not be used.

Two pieces of current legislation are involved: the 2016 General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (“PECR” 2003).

Both are pieces of legislation implementing EU law to protect individuals’ privacy. The practicalities of collecting data will vary depending on whether this is happening online, in person or by phone.

For all methods, clear, specific notifications to the customer are a fundamental legal requirement.