The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, amid what appeared to be a panic: thousands of companies have been flooding email inboxes in recent weeks to ask for consent from their email recipients, seemingly to comply with the GDPR.

While it is probably reassuring to hear from those who hold particularly sensitive information (such as banks), perhaps less welcome are emails from companies with whom you may have had occasional contact, highlighting their shiny new privacy policy and requesting that you renew your consent for marketing communications and data processing.

The sudden increase in such emails appears to be a result of many companies acting on a misunderstanding of the effect of the GDPR. Many of the re-consent emails are unnecessary as the majority are being sent to individuals who already have a commercial relationship with the company.

In the UK, the data privacy regulator, the Information Commissioner's Office (ICO), recently highlighted this point in its blog on re-consenting, commenting that companies "do not need to automatically refresh all existing consents in preparation for the new law" and emphasising the high bar for valid consent set by the GDPR. The ICO also made the important point that "it may not be appropriate to seek fresh consent" if companies are unsure of how they obtained the data in the first place, as they may not have the grounds to contact the user at all.

Many are acting as if the GDPR is the first data protection law. However, consent for email marketing is already a requirement under European e-privacy law, the ePrivacy Directive, which allows this type of marketing on an opt-out basis for existing customers.

What counts as valid consent under the GDPR?

The GDPR requires that companies collect affirmative consent that needs to be "freely given, specific, informed and unambiguous" to be compliant. If, for example, you are asked to subscribe to a newsletter in order to download relevant information, then consent is not freely given.

Silence, in the form of not responding to an email, will not count as valid consent. This means that many companies will now likely see rapidly reduced contact lists, as individuals need do nothing at all for their consent to lapse.

The GDPR not only sets out the rules for how to collect consent, but it also requires companies to keep a record of the consent provided. Therefore, it is important to have evidence of who consented, when they consented, what they were told at the time of consenting, how they consented, and whether they have withdrawn consent.

Given the high bar for valid consent, in the context of marketing communications and to help avoid "consent fatigue", an organisation may wish to rely on another lawful basis for processing personal data, namely "legitimate interests". Indeed, the GDPR highlights that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest".

Consent in the employment context

It is widely accepted that in the context of an employer-employee relationship, employees cannot validly give consent for the majority of processing as the unequal relationship between them casts doubt on the voluntariness of the employee's consent. In any event, the GDPR sets a high bar for valid consent as detailed above, making reliance on consent as the only lawful basis for processing personal data impractical in many cases.

In light of that, the legal grounds upon which an employer can rely to process human resources data should typically include: performance of the employment contract (for pay purposes, for example); compliance with legal obligations, such as the need to make income tax deductions; or reliance on the legitimate interests of the employer. The latter must be balanced against the privacy rights of the employee.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.