Under the General Data Protection Regulation (GDPR), firms must ensure that they have verifiable consent from all clients to market services and products.
The GDPR states that “consent has to be freely given, specific, informed and an unambiguous indication of the individual’s wishes. Consent under the GDPR requires some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent.”
Consent must be verifiable. This means that some form of record must be kept of how and when consent was given. You can therefore obtain written or verbal consent; the key is to ensure that it is recorded and that you can produce appropriate reports showing that consent was obtained.
Where you already rely on consent that was sought under the DPA or the EC Data Protection Directive, you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR. However, given that the consent mechanism under current legislation is less onerous, it is unlikely that the consent held will be at the equivalent level required by GDPR.
We would recommend that all firms start to consider now how best to update client consent. By the end of the renewal cycle, you will have been able to capture practically all existing clients.
Looking at the new business process, you can incorporate the new consent mechanisms into your scripts and fact finds now, rather than at the next renewal.
We will be issuing guidance to assist soon, as obtaining GDPR-compliant consent should be built into your renewal processes as soon as you are able. Waiting until the regulation comes into force in May 2018 may leave you without any compliant data at all!
Terence Clark
Chairman