GDPR & Consent: Knowledge is no longer power, it is Risk.

Graham Carroll11th May 2018 - Graham Carroll

GDPR & Consent: Knowledge is no longer power, it is Risk.

Consent, Compliance & the GDPR. What’s going on?

With the GDPR’s arrival, there was still plenty of confusion out there about marketing consent and handling customer data.

And with the recent scandals at Facebook and Independent Newspapers, businesses and marketers are freaked that they’ll have their pants pulled down for non-compliance. Or worse, a hefty fine.

I met with MB Donnelly, Head of GDPR Awareness & Training with the Data Protection Commissioner (Ireland) to help get clarity, and give some of our own guidance around consent.

At Friday there is one question we were being asked all the time: “What’s going on – are we compliant with GDPR?”

That was usually followed by “Can you help us get compliant?” and finally; “I hear we’ll need to get opt-in consent for all of our mailing lists.”

So there’s plenty of confusion. And with some experts directing marketers to seek consent or throw up crazy opt-in pop-ups, that confusion is natural and understandable.

“If you’re not following existing regulation you are breaking the law now, so you don’t need to wait until May 25th to panic.”

The GDPR is not just about consent, granted, but consent and how to handle it is the area where we see the most misinformation.

In short, what GDPR relates to is a set of rules for organisations on how they collect, use and store personal data. Organisations must now be fully transparent about how they are using and safeguarding personal data and must demonstrate accountability for their data processing activities, particularly for marketing communications.

Assuming that you are doing the above correctly at the moment, you only need to move from compliance with the 1988 and 2003 Data Protection (Ireland) acts, to GDPR compliance by updating your Privacy and Data Retention policies.

If not, you are already breaking the law now, and you don’t need to wait until May 25th to panic.

Some Clarity on GDPR

I met with MB Donnelly, the Head of GDPR Awareness & Training at the Data Protection Commissioner Office in Ireland.

We’ve delivered a number of marketing and engagement campaigns for the Commissioner’s office over the past couple of years, particularly aimed at driving awareness on the GDPR in Ireland for individuals, and we knew she could help bring some clarity.

What’s the most popular question that you’re asked in relation to the GDPR and consent?

The question I am most asked is “Does the GDPR really apply to me?” The simple answer is that it does, for every business.

Personal data, and in particular ‘special category’ – i.e. race, gender, medical records, sexual orientation – require special obligations. And if you rely on consent, you need to be very careful that you have the correct obligations.

If there is one simple piece of advice you would give businesses on GDPR, what would that be?

Knowing your data. People need to know their own data and understand where it is stored and what it is used for.

Knowledge is not power, it’s actually a risk. Review your data, know what you keep and why, and be able to show proof of how you came to hold it. There is a handy downloadable checklist on the website.

When people hear words like ‘risk’ and the penalties that can be imposed for non-compliance they take notice. But do you think that the GDPR initiative will ultimately have the impact it is designed for?

Absolutely I do. There are risks and penalties for non-compliance of course, but organisations should actually see the GDPR as a genuine opportunity.

We are living in a generation of digital (and now privacy) natives. Generally, today’s consumers are more informed about the risks of digital life and, where that trust has been hurt, we see a knock-on effect in terms of falling customer numbers.

So it is in every business’s interest to demonstrate that they care about their customers’ information and how it’s used.

Trust the thing that you’re building. And it’s those who are pushing the trust and demonstrating that they take consent and privacy seriously that will ultimately stand out.


A video we produced as part of our GDPR Awareness Campaign.

Audit your Data

A big part of the drama is that many marketers don’t have the information needed to make a call on the correct (and compliant) reasons for having and processing customer data.

Getting to that point might take a bit of work, but the process is pretty straightforward – you need to perform an audit.

Doing a data audit:

  • What personally identifiable information do you hold, and what is it used for?
  • Do you keep that information longer than is necessary?
  • Do you hold more information than is necessary?
  • Can you demonstrate that the user asked or expects that it will be used in the way that you are using it?

At least you will know why you are making the decision, which will help you in updating your privacy notices and consent statements. Whatever basis you choose at this point will need to be applied to your current data as well as new data added to your database.

Legitimate Interest
In the case of legitimate interest, you will need to communicate to your current customers that you have new privacy and data retention policies and give them the opportunity to object to marketing. These should be included on your website and also highlighted on your news or social media channels.

You will need to record what you sent, to whom and when. You should only use data that you have permission to market to, this is a marketing communication, not a service one, so choose the right channel to reflect the permissions you have.

Getting Consent

If you know that you cannot demonstrate that all or some of your existing customers have given consent, then you will need to get them to opt in. That will mean advising them of the reasons you’re using their personal information so that they can then be fully informed before they opt in.

You can use a layered approach, where the communication content (e.g. email), or the website landing page they’re sent to includes the full detail of the marketing comms. Then direct them to your Privacy and Data Retention pages which should set out your comprehensive policy details.

It’s important to make sure that people are given enough information to help them to make an informed decision on what they are signing up for, and what marketing comms they’re likely to receive from you.

You do need to record who opted in, and what they were informed of at the time they opted in, and include a form of verification (e.g. double opt-in) so that you have an audit trail.


You need to decide which way suits you best. If consent is the right way for your organisation, it should be because your use of information presents a risk to the rights of the individual.

You don’t need to put your business or your customers through unnecessary hassle if you don’t need to. But do an audit, get informed and take the opportunity to show that you take data privacy and consent seriously.

For more concrete detail on the GDPR, have a look at which has a lot of helpful information and resources.

Graham is the Head of Strategy and a Co-Founder at Friday Agency.

If you want to check out more of his posts go here.


Graham Carroll
Graham Carroll

Graham is a co-Founder and Head of Strategy at Friday Agency. He writes mostly about Strategy, Content and UX here, and he talks, lectures and sometimes shouts about these things too.

Strategic Display Advertising
Previous Post
We Need to Talk About Strategic Display Advertising
Next Post
Whats the difference between UX and UI design?