The General Data Protection Regulation (GDPR) is fast becoming a reality. Here at Brandsmiths, we are helping all types of businesses to ensure that they will be compliant come May 2018. There is particular concern around whether electronic direct marketing campaigns will fall foul of GDPR in the future.
GDPR and the ePrivacy Regulations
While the GDPR has been taking the headlines, little has been mentioned about the ePrivacy Regulations, which are currently planned to come into force this year (although the original 25 May target is looking increasingly unlikely) and which are likely to carry with them the same maximum fine of the greater of €20 million or 4% of global turnover.
The GDPR will govern the processing of personal data, while the ePrivacy Regulations add complementary rules relating to matters such as electronic direct marketing. The two are distinct and separate pieces of legislation; however, the significant areas of overlap between them have caused confusion in some circles.
Conditions for Processing under GDPR
In order to legally process personal data, one of the conditions for processing under the GDPR must be satisfied, whether for the purposes of electronic direct marketing or otherwise.
Probably the most commonly used condition for processing personal data has historically been consent. However, in order for consent to be valid under the GDPR it must be freely given, specific, informed and unambiguous, with a clear statement or affirmative action.
The GDPR therefore requires a much higher standard than the current regime, and the ICO has made it clear that any consent needs to be “granular” (i.e. businesses need a discrete specific consent for each specific type of processing to be carried out). Consent wording in the future will therefore need to set out what data is being collected, what it will be used for, to whom it will be passed, and the channels through which any communications will come.
Due to this high standard of consent, it is likely that going forward businesses will seek to rely on alternative bases for processing personal data – for example that the processing is necessary for the performance of a contract or the legitimate interests of the controller.
Electronic direct marketing under the ePrivacy Regulations
The final form of the ePrivacy Regulations is yet to be confirmed; however, in their draft form they make it clear that electronic direct marketing may only be sent if either (1) the data subject has consented, or (2) the soft opt-in applies (see further on this below).
Where consent is used, the standard of consent required is the same as under the GDPR. This means that, in relation to electronic direct marketing, granular opt-in consent wording will need to be applied when collecting data.
The soft opt-in is currently set out in the Privacy and Electronic Communications Regulations (PECR), and has been retained under the ePrivacy Regulations in their current form, with some small but significant changes. The soft opt-in under the draft ePrivacy Regulations allows a business to send B2B electronic direct marketing to a recipient if:
1) it obtained the recipient’s details in the process of the recipient ordering products or services from the business (this has removed the reference to collecting personal data in the course of “negotiations” for an order, which was included in the PECR soft opt-in);
2) the electronic direct marketing only relates to the business’s own similar products or services; and
3) the recipient is given the option to opt out.
Recipients must also be given the opportunity to opt out in each piece of electronic direct marketing which is sent.
Establishing Direct Marketing Compliance
GDPR and the ePrivacy Regulations need not be a disaster for businesses. This should be used as an opportunity to cleanse marketing databases and to have a much more streamlined and engaged electronic direct marketing list.
Businesses need to undertake a review of the data they hold, the purposes for which they use it, and the validity of the legal bases on which it is processed. Where necessary, fresh valid consent should be sought.
As well as ensuring that all personal data used for electronic direct marketing was collected either with valid consent or under the soft opt-in, businesses need to ensure that they are able to demonstrate compliance. This means taking steps such as maintaining traceable records of consents and privacy notices, noting the legal basis on which each category of personal data is held, and carrying out data protection impact assessments where required.
Here at Brandsmiths we have helped a number of businesses to review their marketing databases and become compliant. If you require any assistance with any of the topics raised in this article, please contact Jacob O’Brien at firstname.lastname@example.org