GDPR: Best practice on existing EU contacts

Top Contributor

Hi,

Is there a recommendation for best-practice to get consent from contacts that we already have in the system? Is it mandatory to ask everyone to consent going forward even if they gave their info in the past?

If it is mandatory to get people to re-consent under GDPR, and since open rate for emails is not very high, how do you prevent losing a big chunk of the contact list?

Regular Contributor

Here is my interpretation of Art. 5, which says: "Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); [...]" and Art. 6 explains that as:

(1) Processing shall be lawful only if and to the extent that at least one of the following applies:

    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

That means existing data may only be used if one of the consents mentioned above has already taken place. It must be an active Opt-In (not necessarily a Double Opt-In as long as you have the proof that the consent checkbox has been marked and a timestamp, which HubSpot does provide). Silence, already ticked boxes and inactivity of the data subject do not constitute effective consent. A pure "opt-out solution", as many companies strive for, is therefore by no means sufficient.

btw: see it as quality > quantity improvement.

Top Contributor

So practically it means reaching out to all EU-based contacts and asking for their consent. How do you battle open rate, which will reduce the number of these contacts by about 80%?

Regular Contributor

That's the tricky part. I had a conversation with our DPO and probably we will do it that way: We will send an email to inform that we store personal data that we gathered at (we name the specific) source. Being a responsible company we would like to inform and give the chance to give consent, change data or request deletion. I guess that 99% of the people don't give a f**k and don't respond. If they don't, it's an opt-out which is fine.

Contacts with performance of a contract or when we have a legal obligation have been sorted out. That's by far the majority in our case. They have to opt-in for marketing mailing but we have legal obligations to store certain data (e.g. tax regulations).

* edited *

Top Contributor

Agreed that it is tricky. I wonder if it should be accompanied by some asset to encourage them to go back and show interest and not just consent.

Or maybe offer an asset "present" when they consent.

HubSpot Moderator

Hi @gil100 and @sebastianulbert  

HubSpot has released its GDPR product roadmap. Find out more here:
https://www.hubspot.com/data-privacy/gdpr/product-readiness

 

Ed Justen


New Contributor

What is the ruling for emailing prospects using info@...... and sales@..... ?

Regular Contributor

@PracticalNet is there any personal data on those accounts or just the info@ address? 

Art. 1 GDPR Subject-matter and objectives

  1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
  2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
  3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Art. 4 GDPR Definitions
For the purposes of this Regulation:

 

  • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
New Contributor

No personal data, that's why we chose this as the first line of communication. Also we don't understand why we need an opt-out button if we email info@ or sales@ because it is a freely given email address from their website. What we don't really get is the PECR view of all this.

Regular Contributor

Be careful not to mix up GDPR and Anti-Spam regulations. As a sender, you are obligated in most countries of the world to give the recipients the possibility to opt out from your mailing lists at no cost, easily, and in each advertising email.

New Contributor

Does that apply to sending an introductory email about our services and attaching a brochure?

Regular Contributor

If they didn't opt-in it's spam.
If natural persons didn't give consent it's a data protection violation. Be careful: legitimate interests as mentioned in Art. 5 and in Recital 47 doesn't mean that you can cold-spam someone.

The Facebook story right now didn't help either. Everyone gets more sensible and with GDPR people get legal power. Personally I like that. Go more for inbound marketing.

Regular Contributor

Sebastian,

As I understand it, sending an email asking them to OPT-OUT is NOT legal. You have to ask them to opt-in. You need proof (documentation) that they opted in to receive emails from you about topics other than the one they originally completed a form for (such as blog or download ebook).

 

Yes you'll probably lose 80% of your list. The people who don't open your emails.

Regular Contributor

ShariM, 

Yes, you are right. After reading my oldest post I get your point. It was a bit confusing and I edited it. Thanks.

We have to think in 2 lines: (one) is sending marketing material, and (two) is having personal data stored in your CRM. For (one) you need an opt-in and probably will have to send a refresher email asking for consent in getting marketing material and opt-in. And I too think mailing lists will shrink significantly. We had several sessions here on how to store proof of given consent and to which version of the privacy policy consent was given. The consent information and the privacy policy in detail give information about the further use for marketing. You also have to get written consent from people you met at tradeshows and here too you have to store the proof, timestamp and version of privacy policy agreed on.
