GDPR – It’s all about Purpose & Consent

by Carl Roberts, Chief Information Security Officer at SMT.

The EU General Data Protection Regulation (GDPR) is nearly upon us. It represents a shift in focus from guarding the assets of the enterprise to ensuring the rights of privacy for the individual. This will require a change in mindset from those who handle personal data. They will need to step into the customer’s or employee’s shoes and think about what data they are being asked to hand over and why.


Purpose is all-important under GDPR: it underpins the legal basis for having access to and processing personally identifiable information. For a commercial enterprise, the primary legal bases are fulfilling the obligations of a contract or freely given consent.


Subscribing to a newsletter

If I am subscribing to your newsletter, I need to give you my email address to receive the information. But why would I give my phone number or company name? I am not giving you consent to call me, so you don’t need my phone number.

Sorry marketers, if you want my phone number so that someone can call me, you have to ask for it. I also don’t need to give it just to download a whitepaper. Under GDPR, consent to be marketed to needs to be broken away from other benefits such as receiving a service or downloading an object. If you tie one to the other, then consent is not freely given. If I can’t receive something without giving you access to something unrelated, then there is no free will; it is a necessity.


Consent must be free, informed and specific.

Each purpose must be explicitly asked for, and consent to one must be broken out from the other.
Say I ask for your email, phone number and company. In the scenario of subscribing to a newsletter, there are three purposes involved:

  • Email – this is how you will receive the newsletter;
  • Phone number – so that we may contact you for offers;
  • Company name – so that we can profile you.


However, if our scenario is to register for a course, then:

  • Email – this is how you will receive information;
  • Phone number – so that we may contact you if circumstances change at the last minute, for example sickness or bad weather;
  • Company name – so that we can profile you.


In our registration scenario it is reasonable to ask for the phone number and this would be beneficial in the event of late changes. However, it does not give you the right to hold on to the phone number past the course completion date. If you want to hold it longer then you need a reason which is explicitly mentioned and may require consent.

The email address may be necessary for the execution of the contract, as this is how the training materials for the course will be delivered. Thus it is reasonable to insist that a validated email address must be provided for registration to complete. This should still be explained clearly to the customer during the registration process, for example:

“We require your phone number to alert you for any last minute changes or urgent communications regarding the training course”

If there is another reason for the data, then you must state it and have a separate opt-in available. Consent must be freely given: the person giving consent must be under no pressure when consenting. There can be no risk of deception, intimidation, coercion or significant negative consequences if consent is not given. Thus, if you want to contact them later, state this, break it out and make it optional. For example:

“Furthermore we request your contact details that we may contact you later for offers. By not consenting you do not negatively impact your participation in the course in any way and we will remove your contact details in line with our data retention policies outlined in our privacy policy.”

Additionally, this consent may be withdrawn at any time, in a manner that is as easy for them as it was to give the consent in the first place.


So what steps should you take?

Look at how data gets into your organisation: is it a website, an email list from a third party, a salesperson’s notes?
Ask yourself:

  • Do I need that data and why?
  • Is it required for a contract or do I need to ask consent?
  • Can the customer withdraw consent and how is it enacted?
  • How do I prove any of this?


Quite apart from lowering your exposure to censure under GDPR, minimising your data can actually help your business processes. This can help you avoid annoying people with marketing they don’t want and help you focus on a smaller set of warmer prospects.


To be continued…


March 2018