DSGVO and GDPR – How we seek and obtain customer consent

Lesen Sie diese Seite auf Deutsch

Today, half the world believes that a horde of greedy lawyers will attack the poor entrepreneurs, associations and website operators, who did not prepare properly for the GDPR. We want to make a constructive contribution and show how we deal with the GDPR and meet its requirements. Maybe you’ll find it interesting and discover some ideas you can use yourself or for your organization. The main point I want to make, is that you need to deal with the topic professionally and seriously. Fear doesn’t help anyone.

Oh, how did we laugh, play, blaspheme, marvel and grumble? Finally it’s here: The law that will justify the biggest wave of cease-and-desist orders in Germany… or not.

Interestingly, most seemed to notice only in the last 10 to 14 days that the EU’s new general data protection regulation (GDPR) will actually and really come into force. You can no longer simply store all shoe sizes and other “lengths” of customers and website visitors without without asking them for their permission.

Ask me, because I am your customer

If I were to summarize the GDPR, I would do it this way: If the customer explicitly consents, (almost) everything can be done. Explain properly, ask questions and wait for approval. That’s what companies have to do. The reactions from the companies who contact me as a customer or user make me partly believe that it is not only American entrepreneurs who don’t care what your customers want. The question is never asked. Neither consent, nor rejection is given.

Show us your solution: What we have done

And yes, we had not asked everywhere we needed to. That’s why we have been sweating in the last months and weeks and our teams has now built a solution that I would like to present with a little pride. I would have liked to have done it sooner. But in good company, with the rest of the world, we’ve only just finished. So, there will be bugs to be fixed and problems will occur. As it always does with software.

We have an internal chat group. For weeks we have collected all emails, which arrive here about the GDPR. And that’s hundreds. One thing (almost) all mails have in common. It’s all just informative. The best thing I’ve seen so far was a request to confirm my subscription to a MailChimp newsletter. We used that template ourselves.

The fact that the basic requirement of explicit consent is so unanimously ignored by all remains is strange. A wave of cease-and-desist but I still don’t expect the world to end. But this may be the reason for the fear of what will actually happen.

Silke’s best suggestion was: “We’d better close up shop.” This best summed up the mood of a group of staffers who had met for breakfast in the morning. “Fear of job applicants’ cease-and-desist letters is rampant…” We could add a few tasks that we needed to do because of this. I don’t even want to know how much time other companies have taken to deal with the GDPR.

No identification, no GDPR

An important assumption we made: As long as we do not have any identifiable information that actually allows us to draw conclusions about a person, the new law does not apply. That’s debatable. And that is what we have done internally. And I am aware that the term “identifiable” is very flexible. I will not go into our internal discussions right now. Even if the sentence above is not complete, it represents my understanding for this article sufficiently. Where and how did we define the scope?

The request for consent comes from our CRM system

As soon as someone is identified, our GDPR process takes effect. In fact, the simplest form is the existence of an email address. As soon as someone fills out a form, has a chat with us, sends us an email, or gives us a business card and we enter their data into our CRM system (Highrise), they automatically appears in a list. In this list you can set the language of the email to be sent:

Setting the language of emails registered in Highrise

This portal is completely internal (and therefore also really ugly 🙂 ). We (currently still I) go through the list manually and categorize the email addresses. We’ll keep doing that while things are going well. We still have 30 days to get our customers’ approval. I’m looking forward to the first response. If you wish, you can also contact us (in the chat at the bottom right with your email address) to see our process for yourself.

After we’ve categorized an email address, the next step is where the customer receives an email (hopefully in the right language). There’s also a dual-language version. Attractive and friendly? Not really. I hope that we will always get the language right – hopefully with more automation and less manual work in the future.

This is our email requesting consent to store and process data

And then the email goes out to the customer. That’s what it looks like right now:

Our GDPR consent request

This is the variant with German and English. Actually, as already mentioned, only one language version should be included.

It is a text-only email. No HTML, no formatting, no tracking. I hope that they will arrive safely in everyone’s inboxes and be taken seriously. Just today I received hundreds of mails: “We have updated our privacy policy” or “Everything is so transparent now”. I’m afraid our first mail will mercilessly drown in the GDPR flood. But that’s what the reminders are for. We will distribute four of these over a period of 30 days. In addition, we will send a deletion confirmation if no reaction is received.

We get on your nerves until we get an answer

Yeah, that’s kind of nasty to our customers, too. Because if we don’t get their consent, we have to delete their data. You could probably still claim operational requirements – its such a grey area of the law, where nobody knows how far it can be interpreted. We will insist on the consent of interested parties (i.e. those who are not yet customers). We can, because we receive so many inquiries anyway that we sometimes do not know who is really interested and who isn’t. Consent replies will make this more visible to us now.

We will even consider calling important customers to get their approval. But not yet.

How the GDPR portal works

The customer can either deactivate their profile or consent to its storage from a link in the email. In the portal itself, you can delete your profile completely or put limitations on your consent. For example, you can allow email, but disable personalized tracking. Or decide whether and which data may be viewed by others (e.g. on the extranet, where our customers can exchange information).

Our customer portal demonstration

Here is my presentation of the portal in a short video:

The following options are available in the portal:

Change the language: You can switch between English and German.

Our language selection

Create an account in the customer portal: Every customer can view and edit their data by creating their own login. The data is already stored with the email and the link. But a true account is even better.

Create an account

Modify your own data: Customers can view and process the data we have stored about them via the portal. On the page you can also set which data is ok to be exchanged (for example with other customers in our extranet).

Edit your data in our customer portal

Give your consent or revoke it completely: Your consent can be given or revoked in the portal for the storing and processing data as well as for email newsletters, for tracking and for exchanging information in our extranet. In addition, you can deactivate or delete your. Deactivating is like deleting, except that we keep the profile to remind us that you don’t want us to contact you. Deletion also means forgetting everything and that means, because we no longer ‘know you’, we may contact you again.

You can give us your consent

Specify your interests: We assume we have many contacts who actually want us to get in touch and stay in touch with them. They can tell us which topics they are interested in.

Select your interests

Tell us how you have dealt with the GDPR, or contact us if you have any questions about this article and our solution. We have already answered one question in our Q&A portal (in German) and we look forward to hearing from you.