
GDPR – What now?

Nearly a month has now passed since the General Data Protection Regulations (GDPR) came into effect on May 25th and ensuring compliance is crucial going forward to avoid any costly fines. There are still many discussions and blurry lines between what you can and cannot do when it comes to controlling and processing data. Like most of us, you probably received a string of emails leading up to May 25th asking for your consent to opt-in to further communications or to update your preferences, but you may have also noticed that some businesses did not send you an ‘opt-in’ email, but instead something along the lines of ‘We have updated our Privacy Policy’. Here are two possible explanations why they did not send you an email requesting your ‘opt-in’:

1. they already have a record that you have previously and actively given your consent; or

2. they are processing your data under the basis of legitimate interest.


What is a legitimate interest?

The legitimate interest is a clause under the GDPR which allows for the processing of data without gaining consent, providing there is a balance of interests from both the data processor and the individual. Examples of this include working in the same or similar industry where there may be a balanced interest in the services or products, the individual is an existing client or customer, or when the processing of data is absolutely necessary for legal obligation. Providing the data is not processed in a way that is unrelated to that relationship, you may continue to send communications based on legitimate interest unless the individual opts-out.

In light of GDPR, businesses should have an updated Privacy and Cookie Policy to explain how they collect, manage and use your data, which will also explain the emails you may have received notifying you of their updated policies. A business should explain in their Privacy Policy the legal basis of processing your data, whether that be legitimate interest, consent or both.

For B2B marketers and email marketing in particular, there are some particularly crucial boundaries regarding the email addresses you can and cannot send to under the basis of legitimate interest. You can continue to send to email addresses provided the recipient works for a Limited company, a Limited Liability Partnership, a partnership in Scotland or a Government department, and you are sending the email to a business email address. However, if the person you are emailing is a sole trader or works in a partnership, even if you are sending the email to their work email address and there is legitimate interest, you will require an initial opt-in from them to do so.


Completing a Legitimate Interests Assessment

The processing of data based on legitimate interest is a credible alternative where gaining consent is not an option; however, we advise that data controllers undertake a Legitimate Interests Assessment (LIA). This process consists of a series of questions that help you to determine whether the processing of data under Legitimate Interests is viable and, if it is, to demonstrate that there is a balance of interests between the two parties. You should go through the LIA process each time you plan to newly process personal data under Legitimate Interests.

If you have any questions regarding GDPR and how it affects your marketing, contact us on 01962 600 147 or email info@tlc-business.co.uk.

How will GDPR affect Marketing?

With the General Data Protection Regulations (GDPR) coming into effect on May 25th 2018, TLC Business have taken a look into how the new laws will affect the B2B Marketing industry and what precautions we can begin to take to ensure we’re not in any breach of the new regulations – as we could encounter some pretty significant and unpleasant fines.

So what is GDPR and what do we need to know about it?

The GDPR is the biggest change in data protection laws in 20 years and it will affect any organisation that collects or processes the personal information or data of any European citizen. The intentions of the GDPR are to give European citizens back control of their personal data and to enforce stricter regulations. This new set of rules, set by the European Commission, will make major changes to all of Europe’s privacy laws and replace the current outdated Data Protection Division (1995). If businesses do not comply with the new laws when the regulations come into force on May 25th, they could face some pretty hefty fines. Depending on a series of factors, these could be up to €20 million or 4% of their global annual turnover for the previous financial year, whichever is greater – alongside this, they also face huge damage to the company’s reputation.

What about Brexit?

The UK’s forthcoming exit from the EU will not exclude UK businesses from the GDPR, as the new regulations are already agreed and in place, ready for enforcement in the UK in May. Even if the UK was to repeal them post-Brexit, bear in mind that currently the UK sends around 40% of all its exports to the EU and by complying with the new principles set out in GDPR, a business will ensure it is compliant for continued trading with EU citizens and businesses going forward post-Brexit, whatever the outcome.

What are the most significant changes? And what does this mean for marketers?

The biggest change brought about by GDPR for all marketers, whether they specialise in direct marketing, email marketing, telemarketing or digital marketing, is the new ‘opt-in’ or ‘opt-out’ permission rules. Historically, businesses and marketers have provided pre-ticked opt-in boxes, so that, by default, their audience is opted in to receiving an array of marketing communications. The data collected through this method is used freely by companies, however they choose, meaning that the data processors, be it the company or their partners, can send you communications about absolutely anything – regardless of whether you actually want it.

Although many businesses have now improved these practices and include clearer and more straightforward options to ‘opt-out’ or ‘unsubscribe’, GDPR will forbid pre-ticked opt-in boxes altogether. From May 25th, organisations will no longer be able to pre-opt in people to their marketing lists and will also be required to maintain records of how and when consent to receive future communications was given by the individual.

However, there are also a few exceptions to this rule:

You will still be able to call businesses with no opt-in, but must state who you are calling from and give people the right to opt out of further calls.
You will still be able to send direct mail with no opt-in, but must give people the right to opt out of further mailings.

Another point to consider under the new regulations is that businesses can only keep data and personal information for a fair amount of time before requiring the individual to re-subscribe; however, it is not yet clear what is considered ‘fair’ and we hope this will be made clearer closer to the GDPR launch.

The right to be forgotten

Businesses must also give individuals the option to remove all personal information and data from their systems at any time – as long as it doesn’t mean they are in breach of compliance or industry regulations. This ‘Right to be forgotten’ principle is much more thorough than an opt-out and no longer sending them messages. Instead, it gives individuals the right to be removed from an organisation’s database entirely. As a result of this, if they wish to receive marketing content again in the future, they must resubmit new contact information and provide consent in order to do so.

The right to request what data on you is held

A significant aspect of GDPR that directly affects marketers is the right for individuals to request a copy of the data held on them in any readable, electronic format. Alongside this, they are entitled to ask exactly what information is being used or processed by an organisation and for what end purpose.

The GDPR intends for data subjects to regain control of how their information and data is handled and directly threatens ‘batch and blast’ marketing, where businesses will often use bulk purchased data from data providers in an untargeted manner and without consideration of the data subject’s interests. Small to large companies often rely upon data purchasing to populate their sales pipeline and expand their audience reach.

However, despite the stricter rules and regulations on gaining consent, the European Commission has made some compromises. Marketers may be allowed to use data without gaining consent providing there is a degree of ‘legitimate interest’. This ‘legitimate interest’ clause applies to both personal and business data subjects. Many marketers are claiming ‘legitimate interest’ will enable them to continue business as usual. Whilst we think this is unlikely, it remains to be seen what can be considered a ‘legitimate interest’, and only once cases are brought to court and precedents are set will we truly know.

The ‘legitimate interests’ clause

The GDPR recognises the fact that data processors may have legitimate reasons for processing personal data and that sometimes data processing is absolutely necessary for legal obligation. In regards to the marketing industry in particular, the ‘legitimate interests’ clause is intended to allow data processing without consent, provided certain conditions and requirements are met. At present, this list is still quite vague.

It is also important to mention that individuals can in fact object to their data being processed for legitimate interest reasons and will still of course have the option to opt-out at any time. All organisations must make it clear to individuals how they intend to use their data in a statement and provide a legitimate interests opt-out option as well as the usual opt-out. It should also be clearly stated in the organisation’s privacy policy in line with the ICO’s recommendations on privacy notices.

One of the conditions of processing data under the legitimate interest clause is there must be a balance of interests from both the data processor and the person receiving the marketing. Examples of this include working in the same or similar industry or an interest in the services or products based on existing records. Another example of this is if the organisation has an existing relationship with the data subject; such as a previous client or customer. In this circumstance they must ensure they don’t process data in a way that is unrelated to that relationship.

To be on the safe side, we advise that any organisation processing data under the ‘legitimate interest’ clause maintain a record of how they have made their assessment of legitimate interest, so that on the off chance they are questioned they can demonstrate that they have given proper consideration to the data subject’s freedoms and rights.

In order to fulfil the requirements to use the legitimate interests clause for marketing purposes, marketers can conduct a ‘Legitimate Interests Assessment’, which can be used either to determine that the processing of personal data is absolutely necessary (which mostly refers to legal obligation) or to establish whether there is a balance of interests between the two parties and that the interests of the organisation don’t outweigh the interests of the data subject.

While using legitimate interests is a good alternative when gaining consent from the data subject is not possible, many experts have advised not to rely wholly upon this clause in the GDPR, as there are risks you could face and its requirements are considered more difficult to fulfil than gaining consent, which is considered the safer and easier option.

B2B email marketing and GDPR

An area of GDPR we are particularly interested in is around email marketing to individuals within businesses and organisations. Currently, the following rules are in place for when GDPR comes into practice:

If the person you are emailing works for a limited company, a limited liability partnership, partnership in Scotland or a Government department, and you are sending an email to their work email address, you can email them as long as there is legitimate interest. They need to be easily able to opt-out of receiving emails and you are required to provide your company information in the email.

If the person you are emailing is a sole trader or works in a partnership, even if you are sending the email to their work email address and there is legitimate interest, you will require an initial opt-in from them to do so.

So what actions can marketers begin to take?

The number one action marketers can take now is to provide a simple and clear opt-in process for data subjects to opt in to their future communications, to ensure your data is GDPR compliant on 25th May.

We recommend that an internal audit of the current practices and systems used to collect data be carried out to highlight any areas that need to be updated before the GDPR comes into effect.

For marketers who wish to use legitimate interests in order to continue their direct marketing without consent, the Data Protection Network has released a ‘Legitimate Interests Guide’ to give organisations an idea of the requirements and includes the assessment mentioned earlier. You can find the downloadable guide here: https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/

If you have any questions about how GDPR is going to affect the marketing of your business or organisation, contact us on 01962 600 147 or email info@tlc-business.co.uk.