In a blog post by DPN member Rosemary Smith – a former DMA chair and director of Opt-4 – the group explains that the issue of whether existing data will be compliant with the new Regulation is a "dilemma facing many businesses and not-for-profit organisations".
Smith explains that the ICO has made it clear in its draft Guidance on Consent that "if existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing".
The regulator has also insisted that there will be no "grace period".
Smith writes: "If you are relying on consent as the lawful basis for processing, you will need to assess what data you hold (and whether all, some or perhaps even none) meets the GDPR standard.
"If consent was 'freely given, specific, informed and unambiguous' it will be okay. The ICO has said this means individuals will have actively opted-in, were given a genuine choice and that it was clear and specific what they were consenting to. And, not to forget most crucially that individuals are always provided with the opportunity to opt-out," she adds.
However, Smith warns that if companies have been vague about what individuals were consenting to, and if consent covered a range of processing activities that were not clearly defined, the consent they hold will not be valid under the GDPR. She says: "Consent also should not be a pre-condition of a service and pre-ticked boxes are a complete no-go under the GDPR. If you’ve used them in the past the consent you collected won’t be valid."
Even so, Smith adds that any firm considering a repermissioning campaign via email "should be careful", citing the ICO case against Honda, which sent an email to customers aimed at clarifying their marketing permissions. The company considered this to be a "service" message, not a marketing communication. The ICO disagreed and fined Honda £13,000.
"Safer alternatives could be to include new permissions statements within postal communications, add permission pop ups for customers when visiting your website and/or to renew consent over the telephone with a GDPR compliant script," Smith explains.
"It may be the case that for some of your existing data that you might be able to rely on Legitimate Interests to continue to process it under the GDPR, but this approach needs careful consideration and should not be viewed as an easy alternative to consent."
The DPN recently published its own guidance on legitimate interests. The ICO's guidance, however, will not be available until the new year.