Obtaining Consent

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by DavidWH, Jan 5, 2018.

  1. DavidWH

    DavidWH UKBF Enthusiast Free Member

    1,275 232
    We use a CRM app to manage all our quotes and production.

    If a customer e-mail's us asking for a quote, we simply enter their name, company, e-mail, phone number, address, into this and generate the quote. This is retained, and every year we erase the records for those that never placed an order.

    Customers who placed an order we retain on the system, along with a record of their job, costing, specifications etc. Some never return, others we deal with weekly, other can be every few years.

    Reading GDPR, we need to obtain consent from the customer, and record how consent was obtained. Consent cannot be deemed or a default option either.

    I get why these regulations are being implemented... I'm now thinking how are we going to obtain consent before entering them into our system? I can see many competitors who don't use CRM won't bother, and the customer's not going to want to fill in form just to get a quote.

    Or have I over complicated things?
    Posted: Jan 5, 2018 By: DavidWH Member since: Feb 15, 2011
  2. deMesquita

    deMesquita UKBF Newcomer Free Member

    4 2
    You can have a note at the bottom of the quote template, advising whoever requested the form that their name, company and email will be retained for the purpose of tracking this quote. In the case of non-purchase the data will be erased after 12 months. Should you wish for your information to be deleted prior to this period, please send an email to....

    The retention period of this data should match the validity of the quote. If a quote is valid for a period of 3 months, the retention of the personal data should be set to the same period. As you cannot justify keeping the data longer and under GDPR you need to have valid grounds and prove the necessity of keeping this data.

    Basically you can do this, as you have grounds to keep use this data for the provision of a service which is the quote generation, you are notifying them in the quote what data is being kept, for how long and for which purpose, informing them about the right to object and providing them with an easy means to do so.

    I'm assuming that the email address is displayed on the website. To be 100% safe I would add a note saying that if in your message you're requesting a quote the name, surname, company and email address, shall be stored in the quote generation system for the purpose of generating a quote. This way you're advising them before hand.

    hope this helps.
    Posted: Jan 5, 2018 By: deMesquita Member since: Jan 5, 2018
  3. DavidWH

    DavidWH UKBF Enthusiast Free Member

    1,275 232
    Helps greatly thank you.

    I suppose if someone call's we'll have to explain that verbally?

    Where orders are placed, we hold that indefinitely. We often get similar jobs for other customers, and it's easier quicker to remember who we did a similar one for, and copy their quote. We could in theory erase names/emails/phone numbers, and just keep company names. I'll need to speak with the software provider on that.
    Posted: Jan 5, 2018 By: DavidWH Member since: Feb 15, 2011
  4. Alan

    Alan UKBF Legend Full Member - Verified Business

    6,125 1,694
    I'm not in anyway a GDPR expert, so happy for other to chime in, but I think you are overthinking this. As far as I understand opting in relates to marketing data, and a quote is transactional data not marketing. As long as you don't constantly follow up marketing products they didn't ask for quotes on.

    You are doing the right thing in deleting it when not required.
    Posted: Jan 5, 2018 By: Alan Member since: Aug 16, 2011
  5. Cassim Adepegba Snr

    Cassim Adepegba Snr UKBF Newcomer Free Member

    1 0
    Hi Alan,
    I have noted advice on differentiating between marketing and transactional data but in most cases they are the same data and only different on how they are applied. If you use any entry system for your client or customer transactions there is every likelihood that the data is retained in the system but the person affected has to be told of such retention no matter how many times that he or she make repeat or other orders as giving consent for the data to be retained at one point does not mean the person would always wish to do so. Also while it is good to have something written in print on order forms or similar documents, it does not mean that everyone would read and/or properly understand it so it is best advisable to also in addition verbally tell the person making the order and get the consent before proceeding to either collect the information or place the order. The issue of how long a client's data is held is very relative to the type of service as well as if it is one-off, ongoing or somewhere in-between. The best practice is to review this periodically to ensure that all the data is still correct and let the person know of the option to opt out. With GDPR, the most important thing to do is to ensure that a person consents of having his or her data kept in part or whole, agree or refuse to have it shared except on the basis of 'need to know' which often include giving such information in order to save life. The tricky part of the GDPR is how the retained information is used in-house. What data is retained and how long this can be done to be considered reasonable, what data can be shared and who it can be shared with as well as how it may be used in-house in the short, medium or long term requires bespoke ongoing professional assessment and advice. Any concerns?
    Last edited: Jan 24, 2018
    Posted: Jan 24, 2018 By: Cassim Adepegba Snr Member since: Jan 21, 2018
  6. nelioneil

    nelioneil UKBF Enthusiast Full Member

    577 75
    I presume even if a customer buys a product or asks for a quote, they have still not consented to want to receive marketing emails, unless they have opted in at some point.
    Posted: Jan 27, 2018 By: nelioneil Member since: Jan 22, 2013
  7. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    83 22
    I have mentioned this on quite a few other threads on here. Consent isn't mandatory for all data processing. Generally marketing (if you have collected the data) requires mandatory consent/opt in, however don't forget there are six lawful basis' for processing data. Generally consent is the most difficult! If you want to use the data to send marketing emails/communications, then certainly do get consent for that, however a simple data privacy statement that is easily available advising why you collect the data, what you do with it, how long you keep the data for and how they can contact you should they wish to enforce their rights (erasure, correction, objection to process etc) will suffice if you genuinely need the data to fulfil a service (i.e. supply products etc)
    Posted: Jan 29, 2018 By: Simon Plummer Member since: Dec 6, 2017
  8. Nomiki

    Nomiki UKBF Newcomer Free Member

    1 0
    I would like to ask whether an agreement is the same as contract in GDPR context as a lawful basis for processing personal data. Thank you.
    Posted: Feb 28, 2018 By: Nomiki Member since: Feb 28, 2018