19 April 2018

Marketing in the GDPR world

Although this article responds to queries about the implications of the General Data Protection Regulation (GDPR) for direct marketing to customers, and will focus on answering those questions, it is worth noting that marketing is currently also subject to additional regulations.

These are the DPA (Data Protection Act), which will be replaced by the GDPR on 25 May 2018, and PECR (Privacy and Electronic Communications Regulations), which will be replaced by the new ePrivacy Regulation (ePR). The new ePR will not be agreed by the EU before the GDPR comes into effect on 25 May 2018, and existing PECR rules will continue to apply (with a new definition of consent) until the ePR is finalised and comes into effect. All these regulations restrict the way organisations (you!) can carry out unsolicited direct marketing (that is, direct marketing that has not specifically been asked for), so it's worth familiarising yourself with them all.

The Information Commissioner's Office (ICO) have made it clear that under the GDPR companies continue to have data protection responsibilities for the personal information they process in their work, in a similar way to their current obligations under the Data Protection Act 1998. They also stress that the GDPR rules apply to political parties and not-for-profit organisations, so any processing for marketing or fundraising purposes must be compliant with the GDPR.

Key changes that the GDPR will bring for marketing are:

  • The GDPR definition of consent is similar to the 1998 Act, but is clearer that consent must be unambiguous and involve an affirmative action. There is also more detail on the level of detail and control individuals must have.

  • An unambiguous affirmative action requires a positive opt-in. Don't use pre-ticked boxes or any other method of consent by default.

  • Any third party controllers who will rely on the consent must be named - listing categories of organisation will not give valid third party consent.

  • The GDPR contains substantial fines for failing to comply with its requirements including fines of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

Who are you marketing to?

As established above, you will still need to comply with PECR, which gives separate guidance depending on who you are marketing to. So the first thing to consider when marketing to your customers is: who are they? Are they 'corporate subscribers'? This covers subscribers that are a corporate body with separate legal status, including companies, limited liability partnerships, Scottish partnerships, and some government bodies.

Or are they 'individual subscribers', such as an individual customer, a sole trader or another type of partnership? PECR details marketing rules for both types of subject, with the rules for individual consumers being far more stringent. The ICO have a handy guide you can use. However, remember that the GDPR strengthens the definition of consent in that it must be clear and unambiguous.

When to gain consent

If you intend to send marketing to an individual consumer the GDPR demands unambiguous consent that involves an affirmative action. Pre-ticked opt-in boxes are banned under the GDPR. You also cannot rely on silence, inactivity, default settings, or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. The GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes so the ICO do not recommend their use.

It is also worth noting that there are several other new provisions on consent - for example specific provisions on keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract. The GDPR is also clear that consent should not be bundled up as a condition of service unless it is necessary for that service.

You must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented, in addition to making them aware of how they can withdraw consent easily.

Do you need consent for all marketing?

Not always. You can rely on different bases to communicate with your customers, and the ICO have made it clear that you can rely on legitimate interests for marketing activities if you can show that how you use people's data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. However, this only holds if you don't need consent under PECR. See the ICO's guide to PECR.

What if we want to buy a marketing list?

If you are buying a 'consented' marketing list, the consent request must have identified you specifically. Even precisely defined categories will not be enough to give you valid informed consent under the GDPR definition. You must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. If you buy personal data from another organisation, you must provide people with your own transparency information detailing anything that they haven't already been told.

 

But are business emails really personal data?

Yes, the GDPR applies wherever you are processing 'personal data'. This means if you can identify an individual either directly or indirectly, the GDPR will apply - even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (e.g. [email protected]), the GDPR will apply.

Contains public sector information licensed under the Open Government Licence v3.0.
