This post is presented for information purposes only and references the GDPR, which may differ from the Data Protection (Jersey) Law 2018.
The content of this post does not constitute legal advice and should not be relied upon as such.
Consult your legal counsel for your particular legal clarity and understanding of your rights and obligations in order to comply with any laws and/or regulations.
There are those who believe that the General Data Protection Regulation (GDPR) appears to be an attack on marketing; to a degree they are correct.
The GDPR does restrict marketing, or to be specific, irresponsible marketing and other abuse of personal data, as demonstrated recently with actions against Cambridge Analytica and Facebook.
This particular issue runs much deeper than the published abuse of personal data; at its core is the question of timing. Given that Facebook admits to having known of such practices since 2014, why did it only come clean after being ‘caught in the act’?
The principles of the GDPR include ‘lawfulness, fairness and transparency’, principles that Cambridge Analytica, Facebook and others appear to struggle with.
How does the GDPR really affect marketing?
For marketing that is professional and ethical, there is almost no impact.
The UK ICO guidance states that where an organisation has existing databases for prospects, subscribers and/or clients, those data subjects are classified as ‘soft opt-in’. The premise is that at some point the data subjects have had contact with the organisation and are aware that they are being marketed to.
The UK ICO recommends that all marketing to ‘soft opt-in’ data subjects should contain an ‘opt-out’ option (i.e. unsubscribe), specifically after 25th May 2018.
While best practice is to contact all historic data subjects and ask them to confirm (or refuse) consent for continued marketing, this raises a problem when data subjects simply don’t reply. Given that the GDPR requires affirmative action (i.e. not tacit consent), are the non-repliers happy with the status quo or not?
Legitimate Business Interests
Within the GDPR the legal basis for processing data comprises 6 options:
1. Consent: the data subject has given clear consent, via affirmative action, for you to process their personal data for a specific purpose. Additional consent is required if you wish to process that data for another purpose and/or if you wish to pass the data to a third party not defined in the original consent.
2. Contract: the processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract. A contract provides consent when it is entered into by the parties. The UK ICO relies on UK contract law for the definition of a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect the vital interests of the data subject or any other natural person.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate [business] interests or the legitimate [business] interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate [business] interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Most commercial organisations, specifically those engaged in marketing, will rely upon Consent, Contract or Legitimate Interest for the legal basis of processing data.
Legitimate Interest Example
An e-Commerce organisation may claim legitimate interest for collecting name, address and payment information of data subjects in order that it may process payments for the provision of services and/or delivery of products that the subject has requested.
This legitimate interest may extend to third-parties who are required to complete elements of the transaction, such as payment service providers and/or logistics providers for delivery.
Can I continue to use bought-in marketing lists?
Buying in mailing lists should be done with care. You must be satisfied that every subject on the list has consented to their data being passed or sold to third parties. You are also required to ensure that no data subjects on the list appear on suppression lists.
The following is a quick checklist for the use of bought-in lists.
- We check that the seller is a member of a professional body (or is accredited in some way)
- We don’t use bought-in lists for texts, emails or recorded calls (unless we have proof of opt-in consent within the last six months which specifically named or clearly described us)
- The product, service or ideals we are marketing are the same or similar to those that the individuals originally consented to receive marketing for
- We only use the information on the lists for marketing purposes
- We delete any irrelevant or excessive personal information
- We screen the names on bought-in lists against our own list of people who say they don’t want our calls (suppression list)
- We carry out small sampling exercises to assess the reliability of the data on the lists
- We have procedures for dealing with inaccuracies and complaints
- When marketing by post, email or fax we include our company name, address and telephone number in the content
- We tell people where we obtained their details
- We provide people with a privacy notice (where it is practicable to do so)
- We tie the seller into a contract which confirms the reliability of the list and gives us the ability to audit
In short, follow the ‘lawfulness, fairness and transparency’ principle, along with the other principles of the GDPR.
Conduct marketing responsibly and ethically, respecting the rights of the data subjects.
Protect clients’ personal data as if it were your personal data.
The GDPR is not rocket science. It is common sense and can provide a host of business benefits when applied correctly.
Do you have questions about the GDPR or Data Protection (Jersey) Law 2018? Why not schedule a call with one of our certified GDPR practitioners to get your questions answered?