Everybody’s panicking about the GDPR. Rightly. And the main thing in the GDPR that’s causing the panic is the requirement for consent. The GDPR is really clear that consent must be explicit and unambiguous – you can’t rely on the consumer having read an obscure privacy section of your website, or ask them to give a general consent to you doing whatever you like with their data.
So…do you have to go back to all of your existing customers and prospects to ask them for their consent? And how would you do that, when the ICO has just made it clear that you can’t?
This is where it gets interesting. The specific rule that prevents you emailing people to ask them to consent – if you can’t already prove they’ve consented – only applies to electronic communication. You can’t email or text consumers unless they’ve consented, and you can’t email or text people in their work capacity if they’ve opted out. But that rule isn’t actually from the GDPR. The definition of consent is, but the prohibition of electronic communication without consent comes from the Privacy and Electronic Communications Regulations (PECR). So it doesn’t apply to physical post or person-to-person telephone calls.
There’s a specific provision in the GDPR (Article 6.1(f)) that allows companies to process data without explicit consent if it’s in pursuit of their legitimate interests. The examples used for this tend to be about employment transfer or pursuing delinquent debtors, but there’s a consensus forming that you can also apply 6.1(f) to justify sending physical direct mail or making phone calls for marketing or fundraising purposes. The calls would have to be hand-dialled, because automated calling without consent is prohibited by the PECR.
The PECR may also be changing at the same time as the GDPR comes into force, thanks to the European ePrivacy Directive, but right now it looks as though you can write to people by post, or phone them, provided they haven’t explicitly asked you not to, or signed up to the Mail Preference Service or the Telephone Preference Service.
I can’t see this working for everyone, but if your individual prospects are worth the expenditure and you can manage the logistics, welcome back to the 1980s.
 (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.