Q&As

What does an organisation need to do to update their marketing consent and opt-out notices to comply with the GDPR?

read titleRead full title
Produced in partnership with Shobana Iyer of Swan Chambers
Published on LexisPSL on 08/03/2018

The following TMT Q&A produced in partnership with Shobana Iyer of Swan Chambers provides comprehensive and up to date legal information covering:

  • What does an organisation need to do to update their marketing consent and opt-out notices to comply with the GDPR?
  • Consent under GDPR

What does an organisation need to do to update their marketing consent and opt-out notices to comply with the GDPR?

This Q&A naturally assumes the organisation is the data controller and has customers (or proposed customers) who are the data subjects.

Organisations, as controllers, in reviewing their marketing consent will need to make sure express consent as defined under General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 is legitimately obtained.

For more information on consent, see Practice Notes: Processing personal data—standard of consent, Processing personal data—obtaining, recording and managing consent and Consent under the DPA 1998 which clarify the requirements of consent.

The Article 29 Working Party (WP29) recently issued Guidelines on consent under the GDPR (WP259) for public consultation. See LNB News 13/12/2017 151: Article 29 Working Party publishes guidelines on consent under the GDPR for consultation. The consultation ends on 23 January 2018. The Direct Marketing Association (DMA) will be submitting its own response to the WP29 on behalf of its members.

The Information Commissioner published guidance on consent and marketing under the GDPR which may be reviewed following the WP29’s recent guidelines:

  1. ICO Consultation—GDPR consent guidance

  2. ICO Draft Guidance—GDPR consent

  3. ICO Marketing with Direct marketing checklists and Direct marketing guidance

For more information, see Journal article: UK regulator's guidance on GDPR consent—is the definition any clearer? Privacy and Data Protection, PDP 17 5 (13).

The GDPR does not

Popular documents