This post is part of our series: Find Out Fast If Your Business is GDPR Ready. Our goal is to help businesses make sense of privacy and data. AE is your Babel Fish for GDPR Legalese.
What Explicit Consent Means
Clearly, telling your customers what you’re going to do with their data makes good business sense. Trust is essential, especially these days.
Email marketing has taken a clear approach to email sign-ups for many years, thanks to laws like Canada’s anti-spam legislation (CASL) and the similar legislation that other countries have since adopted. This clear understanding between an email subscriber and a business follows a simple pattern: you sign up for an email newsletter, and the business tells you how often they’ll email you, what kind of content you’ll receive and how to unsubscribe. Excellent!
This concept of clearly spelling out how customer data is to be used now applies to every part of your customer data, thanks to the GDPR. At AE we think this is a good thing. Being more transparent and honest is good for everyone.
How To Implement Explicit Consent
You need to be able to tell a customer what you’ll be doing with the data you ask them for. This is especially important during customer registration.
When you implement your policy or terms and conditions, you need a check box that isn’t pre-checked. This box must be checked by the user to indicate that they are agreeing. This is the foundation of explicit consent.
Explicit consent: The user must check the box themselves to agree.
Deleting Your Customers, The Right To Be Forgotten
The second cornerstone of the GDPR changes is that every one of your customers has the right to be forgotten. When a customer sends a request asking to have their account deleted, you must do it. Pretty simple, and you most likely do this right now. However, you might just be deleting the main customer account while other information, like billing details, a mailing address, or old emails in your support system, is left behind. With the GDPR it all has to go.
If your business has multiple systems that contain customer data, it all needs to go. There are a few instances where some customer data will remain; for example, electronic invoices that contain customer data can be kept on file for tax and accounting purposes. In most cases, though, you’ll need to remove everything from every system and then notify the customer when it’s been completed.
If a customer wants their account deleted, you have to delete all the data you have on that person.
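The deletion workflow described above, as an added example (not code from AE or from the original post): one erasure request is run across every system holding the customer, records with a documented retention basis (here the invoices kept for tax and accounting) are left in place, and the customer is notified only after the other stores have been verified empty. The store names, fields and the sample customer are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample data: one customer ("cust-42") present in four systems.
# Store and field names are hypothetical placeholders, not any real product's.
def sample_stores():
    return {
        "accounts": {"cust-42": {"email": "anna@example.com", "name": "Anna"}},
        "billing": {"cust-42": {"card_last4": "1234", "address": "1 High St"}},
        "support": {"cust-42": [{"ticket": 7, "body": "Help with my order"}]},
        "invoices": {"cust-42": [{"no": "INV-9", "total": 19.99}]},
    }

# Stores whose records may stay, each with the documented reason for keeping them.
RETENTION_BASIS = {"invoices": "tax and accounting records"}

def erase_customer(customer_id, reply_to, stores, retention_basis, notify):
    """Erase one customer from every store except those with a retention basis.

    reply_to is taken from the erasure request itself, because the account
    record holding the customer's email is one of the things being deleted.
    Returns a report and calls notify(reply_to, report) only once every
    store has been processed and verified.
    """
    report = {"customer_id": customer_id, "erased": [], "retained": {}, "absent": []}
    for name, table in stores.items():
        if customer_id not in table:
            report["absent"].append(name)
        elif name in retention_basis:
            report["retained"][name] = retention_basis[name]
        else:
            del table[customer_id]
            report["erased"].append(name)
    # Verify before telling the customer: nothing outside the retained set remains.
    leftovers = [n for n, t in stores.items()
                 if customer_id in t and n not in retention_basis]
    if leftovers:
        raise RuntimeError(f"erasure incomplete, still present in: {leftovers}")
    report["completed_at"] = datetime.now(timezone.utc).isoformat()
    notify(reply_to, report)
    return report

def run_demo():
    """Process one constructed erasure request; returns (report, stores, sent)."""
    stores = sample_stores()
    sent = []  # stand-in for the outbound notification channel
    report = erase_customer("cust-42", "anna@example.com", stores, RETENTION_BASIS,
                            lambda to, rep: sent.append((to, rep)))
    return report, stores, sent

if __name__ == "__main__":
    print(run_demo()[0])
```

The retention map doubles as the written record of why each kept item was kept, which is what you will need to show if the customer asks why anything remains.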
Good luck setting up explicit consent and reviewing how you delete your customers. These two cornerstones for being GDPR ready can seem difficult to implement and understand but hopefully this helps you get started.
Get more information on anti-spam legislation in the countries where you have customers:
United States of America: CAN-SPAM Act
Argentina: Personal Data Protection Act
Australia: Spam Act 2003
Austria: Austrian Telecommunications Act
Belgium: Belgium Law March 11, 2003
Czech Republic: Act No. 480/2004 Coll. on Certain Information Society Services
European Union: Directive on Privacy and Electronic Communications
Germany: Federal Data Protection Act
Hong Kong: Unsolicited Electronic Messages Ordinance
Malta: Data Protection Act
Netherlands: Dutch Telecommunications Act
New Zealand: Unsolicited Electronic Messages Act 2007
Singapore: Spam Control Act 2007
South Africa: Electronic Communications and Transactions Act 2002
Sweden: Swedish Marketing Act