Posted by Emma Willis, a GDPR consultant at Legal Futures Associate Teal Compliance
With fewer than 50 working days until GDPR takes effect on 25 May 2018, many businesses are starting to consider the hot topic of whether their marketing lists will still be valid. But it's not just GDPR that needs to be considered.
Up until that date, the Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR) apply.
After that date, it is the General Data Protection Regulation (GDPR) and PECR, although PECR will only remain in place until the proposed Regulation on Privacy and Electronic Communications (the E-Privacy Regulation) replaces it.
Under the DPA, “an individual is entitled at any time by notice in writing… to require the data controller… to cease, or not to begin processing for the purposes of direct marketing”.
Whilst referenced in the DPA, the majority of the rules around direct marketing can actually be found in PECR. For ease of reference, the ICO’s current direct marketing guidance, based on PECR, can be found here.
Direct marketing can currently be carried out following a variety of opt-ins or opt-outs, but under GDPR the rules become more challenging because giving consent (or opting in) to direct marketing has specific requirements.
GDPR says: “Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time.”
Further: “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
As we all know, under GDPR, organisations can only process personal data if they have a lawful basis for doing so (the lawfulness principle in article 5(1)(a); the lawful bases themselves are listed in article 6(1)). Consent is one of those lawful bases, but it is only one of several, so this does not automatically mean that you need consent to carry out direct marketing (or any other type of processing).
Recital 47 of the GDPR states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Even the ICO acknowledges that obtaining valid consent under GDPR (article 7) will be challenging and they urge businesses to consider whether consent is the correct lawful basis for the processing of any data.
But even where an organisation decides that it can send direct marketing on the basis of legitimate interests, it still needs to comply with the channel-specific rules in PECR.
Postal marketing: This is not covered by PECR. As long as the organisation identifies itself, offers an opt-out and screens addresses against the Mail Preference Service (MPS), it is OK to send first-party marketing (about your own products and services) to anyone who has not previously opted out.
If they haven't opted out with you directly but have registered with the MPS, then you need to leave them alone.
Email/SMS marketing: You must follow the rules in PECR, which require a prior opt-in from individual subscribers unless the 'soft opt-in' applies: you obtained the individual's contact details in the course of a sale (or negotiations for a sale) of a product or service to them.
Even then, the marketing must be for your own similar products or services only, and the individual must have been given a simple means of opting out both when their details were first collected and in every subsequent message.
Telephone marketing: For live marketing calls, the rules say you can contact anyone as long as they have not previously told you they do not want your calls and are not registered with the Telephone Preference Service (TPS). You must not make automated marketing calls to anyone unless they have specifically opted in to receive that type of call from you.
So what do you need to do?
Consider whether consent is the most appropriate lawful basis for processing – can you use legitimate interests instead?
Make sure your privacy notice covers direct marketing if you will be sending it to clients;
Ensure that there is an easy way for clients to opt-out of marketing and that your system can record the opt-out;
Ensure your marketing teams screen all marketing data against both the telephone and mail preference services;
If you do need (or want to rely on) consent, then review your current opt-ins. If they don’t meet the requirements of article 7, then you will need to ask your clients to opt-in again; and
Keep an eye out for our updates on the E-Privacy Regulation – it was supposed to be ready for 25 May 2018 but this is looking increasingly unlikely as the text is yet to be finalised
Teal Compliance will be talking about the practicalities of GDPR at our upcoming conference in London on 26 April. See here.