Is my marketing activity legal? We can make sure it is…

Just before GDPR became enforceable in May 2018, marketers panicked. Many abandoned their activity altogether (much to the dismay of their sales teams), decided they needed consent without fully understanding what that meant, or just ignored their obligations altogether, thinking they were untouchable or hardly in the scope of the ICO.

None of these demonstrate rational thinking – and inevitably lead to problems further down the line.  Even today, with confidence in marketing on the increase, business owners are cautious as to what they can and cannot do…

If this sounds like the decisions your business has had to make in the last 18 months, then give our Privacy Team a call – our marketing specialists are experienced in providing guidance in all kinds of scenarios and can make sure your marketing is both compliant AND successful.

Unlike other areas of your business, marketing is regulated by separate legislation – the Privacy & Electronic Communication Regulation, 2003 (PECR). This outlines how data can be used for electronic marketing – namely, email, telephone, SMS (and fax!). Although it has been in force since 2003, many companies are still operating outside of it, and many of the fines issued by the ICO in the last 3 years have been for breaches of it – the home improvement and PPI calls have been well-publicised.

PECR should not be confused with GDPR

The two complement each other but are entirely separate.

GDPR relates to the initial collection of personal data for a specific purpose, or purposes, which may include marketing if the data subject is aware of this.

PECR relates to the use of personal data for electronic marketing purposes: elements to consider…

  • Have you obtained the appropriate permissions from the data subject?

  • Can you demonstrate this if challenged?

  • Do your emails have the appropriate headers and footers?

  • Are you calling with a visible CLI?

Since 2003, there have been several amendments to the legislation – each to adjust to market activity and technological demands.

The latest came into force on 15th December 2018 and addressed the issue of companies breaching PECR and closing their business down to avoid paying any enforcement fines – currently up to £500,000.

The latest update means that any Director whose company is found guilty of breaching the PECR legislation will be PERSONALLY liable for the fine of up to £500,000 - irrespective of their business still trading, or not. Of all the Directors we’ve spoken to, not many want to be in that position.

Just to confuse matters, PECR is due to be replaced with the e-Privacy Regulation – a more up-to-date version of the legislation, which is understood to carry a similar, heavy fine structure to GDPR.  

If you’d like more detail on this for your longer-term strategy, get in touch and our marketing specialists will advise and work with you. 

How to market

In spring 2018, the common question among marketers was “do I need consent for this marketing?” Many panicked and decided that consent was the best option – ultimately, they LOST the consent for marketing from many people… when they didn’t need it, so their marketing databases reduced massively for no reason! The other problem is that once you’ve lost consent, getting it back is a challenge.

In many cases, our marketing privacy specialists were able to “rescue” significant amounts of customer and prospect data before the delete button was pressed – much to the relief of Marketing Directors who engaged with us.

This is all thanks to the solid understanding and interpretation of the GDPR that our specialists have – and in particular, being able to apply at least one of the six legal bases of processing to an activity.

For marketing, you need to understand the conditions of consent – Article 7 of the GDPR – and that the use of legitimate interest is not the golden egg that most businesses assume.

Consent

This is typically used when contacting prospects on a B2C basis with whom you have no existing, demonstrable relationship. It also applies when contacting sole traders or partnerships on a B2B basis.

For consent to be valid at the time of data collection, you must satisfy the demands of Article 7, Recital 32 of the GDPR.  

  • Clear & affirmative act by the data subject – assumed consent (silence) or pre-ticked boxes are not appropriate and will not be valid

  • Freely given – not in exchange for a “free offer” or entry to a competition / prize draw

  • Informed – told at the time of collection exactly what the marketing activity will entail

  • Unambiguous decision – there is absolutely no uncertainty as to how the personal data will be used and who it will be shared with – including your business partners, or other advertisers.

You should also give data subjects the option to revoke their consent at any point – and as easily as it has been granted.

With consent-based marketing being such a hot topic, and an activity that can cause annoyance for those on the receiving end and potentially complaints to the ICO under GDPR or PECR, it makes sense that you engage with an independent specialist to review and sign the activity off ahead of going live.

Either that, or you have a conversation with your Board about the six-figure fine they need to pay.

Legitimate Interest

This can be used when contacting individuals on a B2B level (corporates or limited companies only), or when you have an existing relationship with a customer – but there are exceptions to this… our experts will explain this in full to you.

Far from being the “golden egg” and an “easy option”, you are responsible for PROVING to anyone you contact using legitimate interest that you have a right to do this. If you don’t, or you cannot prove it, then your activity is unlawful and potentially a breach of both GDPR and PECR – there have been instances of this in the past.

Legitimate interest is a balancing act – you must be able to prove to the recipient that it is as much in their interest to hear about your product / service as it is for you to use their personal data to promote via that channel.  This is achieved by completing a Legitimate Interest Assessment (LIA) document.

In the event of a complaint from the recipient, or the ICO, this LIA document will be key to proving to the complainant or the regulator that you have considered your approach and you are right to make contact. Going forward, however, this contact should be removed from your outbound activity.

Our specialists are experienced in preparing LIAs and helping companies demonstrate why their marketing approach is reasonable, so allow us to guide you through this process.

Third Party Data

If you purchase data from third parties – brokers, or data owners directly – then ensure you conduct the appropriate due diligence on these organisations. As a word of warning, many claim their activities are “GDPR compliant”, but very few can demonstrate this sufficiently.

Under the GDPR, as the data controller, you are responsible for your supply chain, which includes purchasing third party data.

If the data has not been collected appropriately, or there have been failings in the transparency principle during the collection phase, then the use of the data could be unlawful – for which you will be liable due to inadequate due diligence.  In most cases, a large fine will be imposed putting pressure on the business and giving your outbound marketing operations unwanted bad press.

Our marketing specialists have many years’ experience in conducting due diligence on third party suppliers, so Privacy Helper can either reassure you, or advise against specific data purchases.

Such is the varied nature of our work with marketing teams, over the last two years, our specialists have:

SAVED many thousands of records from being deleted – simply by identifying the correct legal basis of processing. Legitimate interest, rather than consent.

HELPED devise major marketing campaigns that satisfy all elements of the legislation – both GDPR and PECR. In the event of any complaints, these can be handled swiftly and professionally in the knowledge that the company had done nothing wrong.

HELPED a business respond to an ICO complaint regarding their outbound marketing activity. Our technical knowledge of the activity meant we were able to respond to the letter on behalf of our client, which minimised their risk of further action.

STOPPED a call centre dialling a database due to insufficient opt-ins on the data. The business owners were unaware the data wasn’t appropriate for use and our guidance directly addressed all risks of their marketing activity.

WARNED against the use of cookies to track individuals on a website. This information was then used by third party advertisers – a direct contravention of the new guidelines on the use of cookies.

Get in touch with us today and allow us to act as your outsourced marketing compliance team – expert advice and meaningful updates on legislation as it is announced by the ICO, or European regulators to ensure your marketing operations develop in line with your obligations as a data controller.

 

 