[Q & A Recap] Understanding Informed Consent and Transparency Under GDPR

Shortly before GDPR regulations went into effect on May 25, 2018, FormAssembly’s CEO and founder Cedric Savarese co-hosted a webinar with Elements.Cloud CEO and founder Ian Gotts and Ashley McAlpin, FormAssembly’s VP of Marketing. They discussed the concept of informed consent and the requirements for transparent information under the GDPR. Read below to learn helpful answers to common GDPR questions.

Q: If my organization isn’t based in the European Union and doesn’t conduct business there, but we have one EU resident in our database, is the GDPR applicable?

A: Speaking generally, it’s always a good idea to run specific situations by an organization’s legal counsel. However, the criterion for determining whether the GDPR applies is whether an organization is doing actual business within the EU, which usually involves a product or service marketed specifically within the EU. There is a reasonable threshold to meet for doing actual business in the EU.

Q: How do I use consents to drive marketing lists?

A: With the GDPR, there has to be a single source for marketing submission in a CRM. This is a big change for marketing organizations, as they have to somewhat relinquish control of those lists. It’s still possible to dynamically drive information for lists from Salesforce data (either one master list or multiple dynamically-created lists). The lists must be driven from the consent agreements that are stored in Salesforce.

Q: Students that participate in an educational program would qualify for the contractual legal basis, but when they’ve completed the program and are alumni, does that still qualify as a contract?

A: It depends on whether there is an official contract that an alumnus would sign. Graduation does not mean that marketing is approved to contact that person. The lawful basis could be contract if the alumnus has signed a contract, and it could be considered legitimate interest since the former student does have a legitimate interest in receiving information. If alumni sign up for newsletters, they are under consent. Since legitimate interest is a gray area, it’s important to involve legal counsel.

Q: If a user notifies us that they wish to be forgotten, do we as an organization need to inform FormAssembly that the user wishes to be removed, or is that user required to contact FormAssembly directly? What is the best approach?

A: Your organization would need to contact FormAssembly. As the data processor, FormAssembly would not take responsibility for deciding what to do with the individual’s request. If the request were to come to FormAssembly directly, FormAssembly would forward that request to the organization (data controller).

Q: I was recently told that the options included within the legal basis for processing data do not necessarily apply to nonprofits, particularly the policy on legitimate interest. Is this true?

A: There’s nothing in the GDPR that sets different rules for nonprofits. There are some exceptions, especially when it comes to government entities or nonprofits that work for some sort of benefit to the population, but those are usually exemptions rather than additional constraints. Consulting legal counsel is always advised to clarify which policies apply to your organization.

Q: It was mentioned that an organization can only ask for consent once, and if the individual doesn’t reply, they must be deleted. Is that correct?

A: Once you’ve asked for consent, and someone doesn’t give consent, you can’t keep asking again and again. When you go to ask, you need to be very clear so that you get a ‘yes’ or ‘no.’ It feels unreasonable as a consumer to continue receiving requests for consent. GDPR implies that if the consumer says no, they mean no. However, if they engage the relationship again at a future event or occasion, you can re-establish whether they want to receive information.

Q: Where can I find other resources about GDPR?

A: All of our GDPR resources are located centrally on the FormAssembly GDPR FAQ page. Not only is there a comprehensive list of GDPR questions and answers, but there are several great sources including blog posts, webinar downloads, and an infographic, ebook, and whitepaper.

FormAssembly would like to thank Ian Gotts for sharing his GDPR expertise during this webinar and question and answer session, and all of our attendees who submitted excellent questions for review.