I have lost count of the number of emails that I have received from organisations asking for me to re-consent - not to the processing of my personal data (GDPR) but to continue to receive direct marketing (PECR).
In the majority of cases I am pretty sure that I consented to receive direct marketing emails or that I had received services from an organisation and when they subsequently sent me marketing emails offering similar products or services they offered me a simple opt-out to no longer receive subsequent emails.
Don’t get me wrong I have taken a lot of pleasure receiving emails from organisations that (although I consented to receive direct marketing) will no longer be sending me emails unless I reply (and I won’t be). This includes the many businesses that I gave consent to at trade fairs (in exchange for a pen or a t-shirt).
On the other hand the charities that are unecessarily asking me as a donater to re-consent is unfortunate as they will surely lose donations as through apathy not everyone will respond.
There has also been some very good emails from organisations not asking for any form of re-consent but instead informing customers of the work they have carried out to meet the GDPR and continue to keep their customer’s information safe, pointing customers to updated privacy notices and informing them of their individual rights.
To summarise the legal position:
GDPR - consent is one of 6 lawful conditions for processing personal data. ‘Legitimate interests’ is another one of those conditions and can apply to this situation (and a legitimate interests impact assessment is a useful tool to demonstrate due diligence for this legal basis).
PECR - rules for sending direct marketing including emails, sms txts, phone calls. Legislation expected to be updated later in 2018.
To conclude I am very wary of any emails from organisations asking for me to re-consent to receive direct marketing and quoting the GDPR and I continue to welcome receiving emails from organisations who let me know the efforts they are making to keep my information safe and informing me of my rights as a data subject.