
GDPR overkill vs informed consent as the bare minimum

November 6, 2018

I was at a kind of reunion type event and one of my old friends greeted me in the pub with the opinion that my approach to GDPR was overkill.

I can see what he means.  To the casual observer I’ve probably destroyed my mailing list* and… well that’s about all they’ve seen me do.

I’ve been thinking on that one, and thought I’d make a couple of observations.

I realise that to most people, all they’ve seen of GDPR is squillions of businesses desperately spamming them about mailing lists in the week before the new rules came in. Followed by no discernible change to the amount of crap they were getting in their inbox.

I got in early with GDPRifying my mailing list, months before these lot.  I sent one email, asking people to opt in to a new list in a GDPR compliant way.  At this time there was no other chat out there about proportionality, and subsequently I’ve seen a bunch of stuff about how it is (probably) OK to proceed with an existing list even if you don’t quite exactly know where it originated.  Heh.  Well I went with the info I had at the time.  And the reason I needed to get in early was that I wanted to get the mailing list side of things done and dusted and out of my hair, so I could concentrate on what GDPR is really about.

My mailing list is such a teeny tiny component of my GDPR responsibility.  I generate new data every day through doing primary research, and I have to plan and document a whole bunch of stuff which is different each time and is complicated by involving special category data.  I had to put a lot of time into preparing for this and I had bigger fish to fry than worrying about my mailing list.  Thing is, my mailing list is also such a teeny tiny cog in my marketing plan and it really isn’t the way I get close with my potential customers.  So yeah, I just wanted it out of the way.

But the other – and more important – point is that I was going with what my gut instinct was telling me to do, even if it wasn’t the obvious path.  And I now have words to describe that!

Research is an extremely ethical business and everything we do is based around ‘informed consent’.  I abide by the Market Research Society Code of Conduct, which tells me the various places that I need to gather informed consent and advises me on ways to achieve it.  We are explicit about how we would like to collect / analyse / store data, always.  And what the MRS asks of us actually goes beyond what GDPR asks of us in some cases.  For example, I don’t need to take GDPR into account if I ask people to fill in an anonymous ten-minute questionnaire.  But the MRS would (quite rightly) still expect me to explain to the respondent how I would like to collect / analyse / store the questionnaire-generated data, and that they can drop out at any time, and that sort of thing.  What I’m saying is that the MRS expects me to prioritise informed consent in the same situations that GDPR does and in many many more situations too.

So when GDPR prompted me to spring-clean my processes I went with informed consent all the way.

I’ve created a set of new processes for my business that meet both the MRS and GDPR requirements and that means in some cases what I am doing goes beyond GDPR.  What I’ve ended up doing is applying the new GDPR processes to the places that GDPR asks me to… but I’ve also mushed up GDPR and MRS so that GDPR applies in some MRS situations and MRS applies in some GDPR situations.  Whilst it is indeed overkill it just feels more consistent and more user friendly for my various stakeholders.  And it is certainly more ethical.

And as a small part of all that I looked at my mailing list and thought ‘I can’t be sure that there’s informed consent there’ so I revised it.  It wouldn’t feel right to do otherwise.

Overkill that might be, but it ensures that informed consent and ethical practice are through-and-through what I do.


* Note, the main people I wanted to sign up have signed up so it’s fine.


