GDPR became UK law in 2018, giving people more control over their personal data, what companies can do with it, and how long they can keep it. There has been talk of changing UK data law in the wake of Brexit, but for now the rules stand.
If you’re planning a multi-channel marketing campaign any time soon, we’ve broken down some of the key areas you need to know about to make sure you remain GDPR compliant.
What to know when you’re gathering data directly (Article 13)
When you’re gathering data directly from a data subject, it’s essential you provide them with:
- The purpose for processing their data
- The lawful grounds associated with that purpose
- The retention period that you’ll hold their data for
- Whether you plan to share their data – and what other parties may use that data for
If you intend to send out marketing communications, your privacy notice must make this clear. It’s also important to remember that when setting a retention period, it has to be definitive, or specify the criteria that the retention period will be based on; it can’t be documented as ‘at least’.
If you carry out profiling that amounts to automated decision-making (Article 22), you must also provide meaningful information about the logic involved, along with the significance and envisaged consequences of that processing for the data subject.
What to know when you’re gathering data from other sources (Article 14)
When data is gathered from a source other than the data subject, you must provide the same information as listed above (purpose, lawful grounds, retention period, and any plans to share the data) within a reasonable period of obtaining it, and at the latest within one month. If you use the data to communicate with the data subject, you must provide it by the time of your first communication at the latest; if you intend to disclose the data to another recipient, you must provide it before the first disclosure.
The same rules apply when it comes to profiling: meaningful information about the logic used as part of the profiling process must be supplied.
You also need to tell the data subject the source their personal data came from, and whether that source was publicly accessible (for example, social media).
Understanding consent: B2C
Consent must be obtained for marketing purposes when no existing relationship with the data subject exists, or there are no existing enquiries from the data subject for similar products or services. In other words, a ‘cold contact’. The same rules apply when you’re dealing with sole traders or partnerships; these fall into the B2C category, as opposed to B2B.
It’s important to remember that:
- Consent must be positive (the opt-in option can’t be pre-ticked)
- You must make it clear what they’re consenting to (Article 13)
- You need to specify every applicable data process that you intend to carry out, and obtain permission for each one
A data subject has the right to withdraw their consent at any time, and withdrawing it must be as easy as giving it. You must also keep evidence of the consent: what the person was told, what they did to consent, and when.
Understanding consent: B2B
When sending B2B direct marketing messages to corporate email addresses, you don’t have to obtain prior consent. However, if the email address of the person you’re communicating with clearly identifies them (for example, firstname.lastname@example.org) this is classed as personal data, and the data subject would have the right to object.
Any objections on this basis must be upheld, and communications stopped immediately.
Understanding soft opt-ins
When you have an existing customer relationship with a data subject, you don’t always need consent for email or text marketing. PECR’s ‘soft opt-in’ applies where you obtained the contact details in the course of a sale (or negotiations for a sale) of your own products or services and you are marketing your own similar products or services; under GDPR, the lawful basis for that processing is usually legitimate interests, which you document in a Legitimate Interest Assessment. The soft opt-in also has conditions you must meet:
- You must have given data subjects the chance to opt-out of marketing communications when their data was first collected
- You must give data subjects the chance to opt-out with every subsequent communication
- There must be no pre-existing objections or opt-outs to marketing communications from the data subject
It’s important to maintain an in-house opt-in/opt-out suppression file, containing:
- Opt-outs recorded at the point the data was captured
- Opt-outs in response to marketing messages (clicked unsubscribe)
- Any objections received through subject request processes (for example, if a data subject calls and asks you to stop sending them marketing communications)
There isn’t any formal, national register that people can sign up to in order to suppress text and email marketing, which is why it’s essential to keep your own records in-house.
When it comes to voice marketing, you need to screen your call list against the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS).
For any direct mail marketing campaigns, you should make full use of the Mailing Preference Service.
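The two record-keeping duties above, keeping evidence of per-purpose consent that can be withdrawn, and screening every campaign list against an in-house suppression file plus the relevant preference service, are easy to get wrong in practice (unnormalised email addresses, a withdrawal applied to one purpose but not another, a corporate number screened against the wrong register). The following is an added example written for this article, not code from the original page or from the ICO. It assumes a small in-memory model: a `ConsentLedger` that records consent per purpose with evidence and never deletes withdrawn records, a `build_suppression` step that merges the three opt-out sources into one normalised set, and a `screen` function that splits a contact list into send/blocked by channel. All contact details and the TPS, CTPS and MPS lists are constructed sample data; the names `Contact`, `screen` and `demo` are this example’s own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example for this article. All contacts, opt-out lists and the
# TPS/CTPS/MPS sets below are sample data, not real screening data.


@dataclass
class ConsentRecord:
    contact: str                    # normalised contact detail (email address here)
    purpose: str                    # one specific, named processing purpose
    evidence: str                   # what was shown and done: form id, wording, action
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Per-purpose consent with evidence. Withdrawals are recorded, never deleted,
    so what was consented to, and when, stays auditable."""

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []

    def record(self, contact: str, purpose: str, evidence: str, ticked: bool) -> bool:
        # Only a positive action counts: an unticked box records no consent at all.
        if not ticked:
            return False
        self.records.append(ConsentRecord(contact.strip().lower(), purpose, evidence,
                                          datetime.now(timezone.utc)))
        return True

    def withdraw(self, contact: str, purpose: Optional[str] = None) -> int:
        """Withdraw one purpose, or all purposes when purpose is None; returns records affected."""
        key, changed = contact.strip().lower(), 0
        for r in self.records:
            if r.contact == key and r.withdrawn_at is None and purpose in (None, r.purpose):
                r.withdrawn_at = datetime.now(timezone.utc)
                changed += 1
        return changed

    def has_consent(self, contact: str, purpose: str) -> bool:
        key = contact.strip().lower()
        return any(r.contact == key and r.purpose == purpose and r.withdrawn_at is None
                   for r in self.records)


def build_suppression(collection_optouts, unsubscribe_clicks, subject_requests) -> set:
    """Merge the three in-house opt-out sources into one normalised set of contact details."""
    merged = set()
    for source in (collection_optouts, unsubscribe_clicks, subject_requests):
        merged.update(c.strip().lower() for c in source)
    return merged


@dataclass
class Contact:
    email: str
    phone: str
    address: str
    corporate: bool   # incorporated business -> CTPS; individuals, sole traders, partnerships -> TPS


def screen(contacts, channel, suppression, tps=frozenset(), ctps=frozenset(), mps=frozenset()):
    """Split a campaign list into (send, blocked); blocked maps email -> reason.
    channel is one of 'email', 'sms', 'voice', 'mail'. The in-house file applies to every channel."""
    send, blocked = [], {}
    for c in contacts:
        email, phone = c.email.strip().lower(), c.phone.strip()
        if email in suppression or phone in suppression:
            blocked[email] = "in-house opt-out"
            continue
        if channel == "voice":
            register, name = (ctps, "CTPS") if c.corporate else (tps, "TPS")
            if phone in register:
                blocked[email] = name
                continue
        elif channel == "mail" and c.address.strip().lower() in mps:
            blocked[email] = "MPS"
            continue
        send.append(c)
    return send, blocked


def demo() -> dict:
    """Run the ledger and screening over the constructed sample data; returns a summary."""
    ledger = ConsentLedger()
    ledger.record("alice@example.com", "email-newsletter", "signup form v3, box ticked", ticked=True)
    ledger.record("alice@example.com", "share-with-partners", "signup form v3, box unticked", ticked=False)
    ledger.record("bob@example.com", "email-newsletter", "checkout form v2, box ticked", ticked=True)
    ledger.withdraw("bob@example.com")   # Bob phones and asks for all marketing to stop

    suppression = build_suppression(
        collection_optouts=["carol@example.com"],
        unsubscribe_clicks=["Dave@Example.com"],           # normalised on merge
        subject_requests=["bob@example.com", "+441234567890"],
    )
    contacts = [
        Contact("alice@example.com", "+441234500001", "1 high st, ab1 2cd", corporate=False),
        Contact("bob@example.com", "+441234567890", "2 high st, ab1 2cd", corporate=False),
        Contact("carol@example.com", "+441234500003", "3 high st, ab1 2cd", corporate=False),
        Contact("dave@example.com", "+441234500004", "4 high st, ab1 2cd", corporate=False),
        Contact("erin@bigco.example", "+441234500005", "5 trading estate, ab1 2cd", corporate=True),
    ]
    tps, ctps = frozenset({"+441234500001"}), frozenset({"+441234500005"})
    email_send, email_blocked = screen(contacts, "email", suppression)
    voice_send, voice_blocked = screen(contacts, "voice", suppression, tps=tps, ctps=ctps)
    return {
        "alice_newsletter": ledger.has_consent("alice@example.com", "email-newsletter"),
        "alice_partners": ledger.has_consent("alice@example.com", "share-with-partners"),
        "bob_newsletter": ledger.has_consent("bob@example.com", "email-newsletter"),
        "email_send": sorted(c.email for c in email_send),
        "email_blocked": email_blocked,
        "voice_send": sorted(c.email for c in voice_send),
        "voice_blocked": voice_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real system: consent is stored per purpose, so the newsletter opt-in never silently covers sharing with partners, and the suppression check runs on every channel before any register lookup, so an objection received by phone stops email and post as well. A production ledger would persist these records and timestamp withdrawals from the request itself rather than from the clock at processing time.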
What is a Legitimate Interest Assessment (LIA)?
An LIA is a documented three-part test: what your purpose is, whether the processing is necessary for that purpose, and a balancing of your reason for processing a person’s data against that person’s interests, rights and freedoms.
- An LIA must be performed against each data processing activity
- LIAs must be objective, rather than self-serving
- In order to be valid, there must be a reasonable expectation from the data subject that data processing will take place
- The data subject has the right to object; for direct marketing that right is absolute, so you must stop using their data for that purpose as soon as they object
Privacy notices and consent notices give you the opportunity to set expectations around data and data processing, so use them wisely.
To help you navigate the demands of GDPR in your marketing campaigns, we’ve also created a useful GDPR & PECR workflow, which you can access for free here.
Download our How-to guide to Legitimate Interest and Legitimate Interest Assessments
Read about Marketing and Consent from the ICO