Wednesday 21 February 2018, London

As May draws ever closer, we still don’t have a final version of the ICO’s ruling – which, coincidently, we won’t be getting until at least April – GDPR is generating even more noise. But, Simon opened his session talking about something else: PECR (The Privacy and Electronic Communications Regulations). Conversations about GDPR and PECR should be concurrent. Decisions taken to make ourselves compliant with GDPR should also consider the impact PECR will have when it comes into force, which is predicated to be in 2019.

Let’s start with the good news: The already-available WP29 guidance on both consent and transparency are important documents in preparing for GDPR, and there should be very little variance between the guidance on Article 29 and the ICO rules. That’s the good news.

When do you need consent?

There is no significant rule as to ‘when’ you need consent under GDPR, as long as you can prove when consent was obtained. The impact is on the type of consent you receive.

Current opt outs:

  • Postal
  • Live calls
  • Data analytics for Direct Marketing
  • Email and SMS – for “corporate subscribers” only
  • Automated calls – for “corporate subscribers” only

However, “corporate subscribers” are very difficult to identify in CRM systems, which can be muddled with Alumni, personal emails and sole practitioners, none of which fall under the definition of “corporate subscriber.”

Under legitimate interest:

  • Postal is opt out
  • Marketing analytics is opt out


There is no legitimate interest ground that applies under PECR, meaning marketing activities may require active consent under PECR.

Soft opt in:

  • When opt out is offered, but not chosen, this can be deemed as a soft opt in. Under GDPR, this is allowed when prospects are both buying and negotiating, but under PECR negotiation could be removed from soft opt in, meaning you will no longer be able to market to prospects via email unless they have already given you active consent.

But what about PECR? PECR will be more impactful for marketers because soft opt-in or active consent will probably be required. Plus:

  • People will have to be reminded of their consent on a regular basis (somewhere between 9 and 12 months) – How do marketers do this without causing disengagement and high unsubscribe rates?
  • Analysis of any behavioural data may require consent – whether it’s B2B or B2C, but this is not yet certain.

Why get active consent for B2B?

Getting active consent for B2B marketing now removes the reliance on “corporate subscriber” exemption. It also means that your data will be compliant under PECR, should soft opt-in consent be removed, and you need active consent. And, it demonstrates a willingness to become compliant to a regulator which is discouraging non-permission-based marketing.

What is an active consent?

Currently, active consent can take many forms, but under GDPR active consent will need an un-pre-ticked opt in box, or some form of alternative unambiguous indication of consent (e.g. typing their email into a box). Consent cannot be compelled, but you can incentivise the user to give it. Equally, consent cannot be captured through combined purpose forms (e.g. when buying something, a customer ticks the T&Cs and which also gives consent for marketing).

What do I do with legacy data?

There will be no “grandfathering” under GDPR, so any data with implied consent will need repermissioning to gain active consent, especially if B2B exemptions are removed under PECR. Consent must be decoupled from acceptance of other terms (e.g. signing up to an event and agreeing to marketing cannot be combined), and you must give a choice of options in terms of channel, content and frequency.

What is Grant Thornton doing?

Grant Thornton has introduced preferencing forms, which all capture a time stamp and searchable field for date and source of submission. This has helped it migrate to channel-based marketing, targeting readers with what they want for a better experience. It has also stopped emailing contacts who don’t read its mailers, thus targeting smaller, more engaged audiences. Cold contacts are classed as ‘passive unsubscribes’ and CRM contacts are archived when there is no ‘live’ relationship or recent update.

The organisation has also gone through a process of auditing its legacy data, to work out which data is compliant, and which isn’t, and re-confirming marketing consent with those whose data is not compliant. There is a three-staged approach to doing this: A footer on all marketing with a one-click confirmation; followed by push emails to both readers and event attendees at regular intervals between now and May. Grant Thornton is also preparing a core manual – coupled with procedures and training – to help ensure internal compliance, as well as an Amnesty, identifying and helping current non-compliant behaviour.

Other things to note:

  • Do not overpromise rights: rather than saying all data will be entirely deleted, say it will be archived to stop it re-entering your marketing systems at a later date
  • Your privacy policy must explain consumers’ rights and show them how to access their data
  • When passed a business card, best practice will be to send an email with an active consent form following the interaction – this helps build the relationship before someone is marketed to
  • Mitigate risk by making sure you are not targeting ‘cold’ contacts
  • The ICO’s blog is a good resource for assessing your risk in the eyes of the regulator
  • Some European regulators may be stricter than others, and country regulators won’t have sole discretion

By Genna Stainforth, Senior Account Executive at Acritas