On 25 May 2018, the General Data Protection Regulation (GDPR) will introduce new rules on how personal data can be gathered, processed and used. For most (if not all) businesses, this will likely affect their marketing activities, explains Nimarta Cheema, Solicitor in our Corporate team.
If your business sends out regular e-newsletters, bulletins, customer magazines or other communications, you may need to review your current processes and databases to ensure your actions are compliant with the GDPR.
The GDPR will introduce new requirements in terms of how organisations (including businesses, charities, sole traders and other data controllers) record, handle, store and secure information about customers and other business contacts.
The new rules will apply to information that you now hold, not just new information that you gather after May 2018.
Consent
For a number of years, the rules on direct marketing have centred on consent. Generally, organisations need an individual’s consent before they can send marketing communications.
Under the GDPR, the rules on obtaining consent to store and use personal data will change. Consent must be freely given, specific, informed, properly documented and easy for people to withdraw. This new definition has many practical implications.
For example, in order for consent to be freely given, it is no longer acceptable to use pre-ticked boxes on webpages which state that the information provided by a customer when placing an order will also be used for marketing purposes. This means your customers and other business contacts will now have to “opt-in” and explicitly agree to their data being used in a particular way.
Similarly, for consent to be specific and informed, organisations cannot rely on the idea that ‘one consent fits all purposes’. For example, if a customer in a clothes shop provides his or her email address and consents to receiving an electronic copy of a till receipt, the clothes shop cannot use this email address to send out newsletters or promotion offers unless the customer has also agreed to receive these types of marketing materials. Essentially, the customer must understand what the actions are to which he or she is giving consent.
Consent will also need to be documented and stored in a way that lets organisations easily demonstrate compliance with the GDPR and action a request from an individual to withdraw consent. This is a significant change and imposes additional operational burdens on a business. You will need to have processes in place to be able to demonstrate compliance.
Example
In order to encourage donations, a local children’s charity produces a regular newsletter containing information about its work and to promote upcoming fundraising events. The charity only sends the newsletter to people who have signed up for it via the charity’s website.
Does the charity’s procedure for obtaining consent meet the new requirements under the GDPR?
- By asking the recipients to sign up for the newsletter, the charity is asking recipients for their freely given, specific consent.
- However, it is important that the website requires the recipients to actively opt-in and that it is clear exactly what the recipient is signing up for.
- The charity will also need to put in place a privacy policy which clearly sets out how the recipients’ information will be used and how they can withdraw their consent if they choose to do so.
Databases and processes
If your business carries out marketing activities, it will likely have a database of recipients’ names, addresses (postal or email) and perhaps other personal information.
As well as imposing stricter rules on how to obtain consent to gather personal data, the GDPR will give individuals increased rights to manage the information which a business holds about them in databases and in other forms.
In order to satisfy requests from individuals exercising these rights, businesses will need to know where and how individuals’ data is stored, must have the tools to recover any data that has been shared and must be able to amend, delete, or share the data as required.
Example
Over the years, an IT support company has compiled an informal database of information about its customers by retaining names, addresses, email addresses and contact numbers in a spreadsheet.
Does the database comply with the company’s obligations under the GDPR?
- The company will need to consider its lawful basis for holding the relevant information. This will be closely tied to the purposes for which the company has gathered the information. If the company does not have a lawful basis for gathering and holding the information, it should be deleted. This will involve a systematic process to determine whether a lawful basis exists and a check to ensure that, if not, the relevant information is fully deleted from the company’s IT systems, records and databases.
- If the company has a lawful basis, it will still need to audit the information it holds to check that it is accurate and to ensure it is not holding more information than is necessary.
- The company should also review the internal processes it has in place for handling the information, and ensure that it has the correct resources to manage and protect the information on a continuing basis.
- The company should also have a clear privacy policy which sets out how it deals with its customers’ information.
Consequences of non-compliance
The Information Commissioner’s Office (ICO) can impose stringent penalties if businesses, charities, sole traders and other data controllers and data processors cannot demonstrate that they have complied with the rules on obtaining consent for direct marketing and are properly using, storing and securing personal data.
There is also the risk of bad publicity, reputational damage and loss of consumer confidence, not to mention the possibility of consumers or competitors taking legal action.
If you would like advice on the new data protection rules under the GDPR and ensuring your marketing activities are GDPR compliant, please get in touch with a member of our team who would be happy to help.