GDPR Myth: You must get fresh consent from your clients to comply!


As an IASME Certified body we are ‘all things GDPR’. Having said this I know that it has become increasingly infuriating for a lot of small companies who get bombarded with information, which isn’t necessarily correct!  So, I thought I’d do a bit of myth busting for you.

GDPR Myth: You must get fresh consent from your clients to comply!


You do not need to automatically refresh all existing consents for the new law. GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

What meets GDPR Standards?

Where you have an existing relationship with a customer who have purchased services or products, fresh consent may not be needed.

Remember, it may not be appropriate to seek fresh consent if you are unsure how the information was collected in the first place. This indicates that the consent wouldn’t have met the GDPR standard under our existing Data Protection Act. In all honesty you probably don’t have the right to keep, or use the data!

Some of the Myths we’ve heard are, ‘GDPR says I’ll need to get fresh consent for everything I do’ – categorically this is incorrect.

Think about whether you need fresh consent before requesting it. Don’t forgot to put in place terms and conditions for people who may wish to withdraw their consent. Ensure your unsubscribe option is fully operational.

Please be mindful that if information isn’t clear and easy to understand, organisations risk non-compliance as it isn’t clear what they are consenting too.

Being open and transparent is a key element of the GDPR – informing people how their data will be used. Before sending emails, you should consider the best point of contact for the customer. When emails are the best point of contact, consider embedding useful information and links on your company’s emails so customers are aware of how you use their data.

Some have said that they will lose customers by collecting fresh data and following GDPR guidelines, on the other hand customer engagement and trust are key. Is having a database of 8,000 unengaged clients better than a database with 500 who reply on a regular basis to your offers and promotions?  Quality is key.

Scaremongering about consent persists, but headlines still often lack context about the different lawful bases organisations could consider for processing personal information under the GDPR.

For processing to be lawful under the GDPR, you need to find a lawful basis before you get going. There are six lawful bases available, which you would choose depending on your purpose and relationship with the individual.

If your still on your journey to compliance you should continue with your efforts to comply. The 25th May deadline has been and gone but that doesn’t mean you can ignore it. Remember this date was the start rather than the end of GDPR Compliance. Organisations need to sustain this is the best way to take people with you on your business journey.


ERIC ARNOTT ~ Director
CT Business Solutions (N Mcr)