Tuesday, 6th February, 2018

GDPR: is fresh consent on the menu?

An area of confusion among clients is whether the GDPR (due to be implemented on 25 May 2018) will impose an obligation to seek a new, stricter form of consent from the customers in their database when conducting direct marketing.

This short article will hopefully provide some comfort that such re-consent will in most cases not be required - but also highlight that for direct marketing (promotional material you send to customers) the GDPR is not the only legal regime which will apply.

Direct marketing and the GDPR

Direct marketing under the GDPR is treated the same way as any other data processing - you will need to show that you have a lawful basis for collecting data from customers, with consent being one such lawful basis.  Obtaining valid consent under the GDPR will be far more difficult than under the current data protection regime, and the view among advisors is that it should be avoided where possible.  Fortunately, restaurateurs will likely not seek to rely on consent as a basis for processing customer data for direct marketing and will instead opt for the more flexible ground of “legitimate interest”.

The GDPR recognises that “legitimate interest” may be relied on for the processing of personal data for direct marketing purposes, i.e. it is reasonable to assume that customers would expect you to promote your restaurant to them using their basic details which you have obtained from them as your customer.  Specific consent from a customer is not required under this ground.  However, it can only be relied on to the extent that the processing is necessary for the purpose of the company’s “legitimate interest”, and it is balanced against the individual’s rights and freedoms.  You should also keep a record showing your compliance with this test.

If you wanted to send restaurant vouchers or other promotional marketing by post (not email - see below), you would not need to seek specific consent from your customer (the data subject).  You would however need to allow them the opportunity to opt out of receiving this material – if you would like advice on how to structure the opt-out, please contact us.

Don’t forget about e-Privacy

The GDPR applies to direct marketing primarily as it involves collecting and processing personal data: the contact details, browsing behaviour, and location you use to make your marketing material targeted and personalised.  There is also a separate e-Privacy regime which applies to sending e-marketing materials (emails, SMS, and automated telephone marketing).  The e-Privacy regime adds a layer of consent to your lawful data processing obligations under the GDPR.

Under the e-Privacy regime, email and SMS marketing requires opt-in consent, unless you have previously obtained an individual’s details as a customer, you are marketing related products (stick to restaurant marketing, not financial products), and they have been given an option to opt out (the so-called “soft opt-in”).  The soft opt-in can only be relied on by you as the organisation that collected the information and not third parties. There are separate rules around phone and fax direct marketing which are less relevant to the restaurant industry.

The e-Privacy regime is also undergoing reform and will be replaced with a new European e-Privacy Regulation (optimistically also due to come into force on 25 May 2018, to coincide with the GDPR).  Broadly speaking, the published draft e-Privacy Regulation maintains the status quo for e-marketing and therefore it is anticipated that the soft opt-in will still be available after its implementation. However, you are advised to keep an eye on any developments, as the legislation is still in draft, and so the rules may evolve further before its implementation.

In summary therefore, on the implementation of the GDPR on 25 May 2018, you will likely not require your customer database to re-consent to you sending them direct marketing, but rather you will rely on legitimate interest under the GDPR, and the soft opt-in under the e-Privacy regime.  And either way you must always provide a customer with the opportunity to opt out.

This is an area of law which can be confusing, and if you have any queries concerning your data protection obligations or direct marketing – we would be very happy to take orders.