Consent - are you using it properly under GDPR rules?

By Andrew McClelland

Since the enforcement of the GDPR in May 2018, retailers and marketers have been actively looking to further understand the details behind the application of consent and have been asking questions such as ‘if I use a 3rd party marketer, what are my responsibilities?’, ‘do I really need to list out all of my data processors?’, ‘what steps do I need to take if I engage in a joint promotion with another business?’ and ‘I have a relationship with the customer, and their phone number, surely I can call them to tell them about my products and services?’.

There is often an over-reliance on using legitimate interest as the lawful basis of processing, and the accompanying impact assessments are not always rigorously undertaken. Consent may be a more appropriate legal basis, and if it is used, the options must be presented clearly, for the benefit of the data subject and the brand.

Through enforcement notices over the past 10 months, the ICO has given marketers greater clarity on its expectations when businesses undertake direct marketing activities. It is also evident that if data controllers do not deliver sufficiently, fines may be incurred.


Based on these learnings, we have 5 top tips for marketers:

1)   When using 3rd party marketing solutions, remember that as the instigator of ‘electronic’ direct marketing activity (calls, emails, texts) you should check that consent is valid and in accordance with PECR.

2)   Check that your consent is fully informed and that you are not using generic terms or categories.

3)   Review your privacy policy to ensure that your data processors are listed clearly. Consider using sections for each piece of information to aid clarity and visibility. This should be reviewed regularly.

4)   Use the Mail Preference Service (MPS) and the Telephone Preference Service (TPS) as needed to cross-check data permissions.

5)   To ensure that your users experience a clear and comprehensive journey, run through the UX customer journey to double-check the details and exposures.

The Data Project is run by Andrew McClelland and Camilla Nightingale - experienced Digital specialists each with over 20 years of experience in managing data. The Data Project offers a full suite of services including reviewing policies and processes, undertaking audits, providing training resource, and outsourced DPO and DPO Support Services.

For any enquiries contact: or visit

Andrew McClelland, Consultant, IMRG
