Below we discuss some of the issues that have been raised. Please bear in mind that this is a discussion and not legal advice; you should always seek professional advice before committing to a course of action, as the specifics of your situation matter and cannot easily be generalised.
Alongside the current Data Protection Act, there is another regulation, PECR (Privacy of Electronic Communications Regulation), which covers in detail the rules around electronic communication, specifically email and SMS (texts). PECR is the detailed interpretation of the Data Protection Act which is most relevant to how we actually use our marketing lists today. With GDPR arriving in late May to replace the current Data Protection Act there is a corresponding regulation to replace PECR and this is usually referred to as the e-Privacy regulation which is being extended to also cover other forms of electronic communication including Bluetooth and social media.
Your basis for processing
One of the first things to do when considering your marketing lists under GDPR is to determine what is called the ‘Lawful Basis for Processing’. GDPR offers 6 options, but in reality only 3 are relevant. The most obvious is ‘Consent’, i.e. you have real, informed and unambiguous consent to market to the people on your list; for B2C and some B2B situations this will be the only option you have. The second is ‘Legitimate Interest’: this means that you have a genuine reason to contact the people on your list, as the commercial interests of your business can constitute a legitimate interest. This can, however, only apply to B2B contacts and specifically not to sole traders or members of a partnership, who are explicitly defined as consumers. The final option is ‘Contractual Obligation’: if the information you send goes only to customers and is informational and necessary to fulfil your contract with them, then this is another option to consider.
Working in reverse order, it is highly unlikely that you can use Contractual Obligation as a basis to deliver any form of marketing material to clients. However, if you offer a service where they receive communications about the service or product they use, e.g. notice of updates, hints and tips, maintenance issues and the like, then you don’t need specific consent to do this. You should, however, ensure you store the separate categories of communication apart and allow people to opt out of the distinct parts they don’t want. If they don’t want to be notified of updates, they should be able to opt out of just that category. In general, your contract with them allows you to communicate important information to them and they can decide whether they want this to happen. This is distinct from ‘Consent’ in that you are providing communication as part of your contract terms, and users can choose not to exercise that part of the contract in much the same way that they make other choices about the service or product they buy.
Legitimate Interest is allowed as a basis for sending marketing material provided your legitimate interest outweighs the impact on the recipient's privacy. The onus is on you to make this assessment and record your analysis. It is only allowable when conducting B2B campaigns and is not allowed where the contact is a sole trader, a member of a partnership, or is considered a B2C contact. You should always allow recipients the option to opt out of your material and make this option distinct and simple to exercise. The Direct Marketing Association (DMA) have submitted very specific proposals that describe in great detail how organisations should approach using Legitimate Interest as a basis for processing. If you are primarily sending B2B communication then you should read the DMA paper and any subsequent material appearing on the Information Commissioner's Office (ICO) website. This is still a fluid area, as the final details of the e-Privacy regulation are still being debated nationally and within the European Parliament.
Consent as a basis for processing is the only option you have when marketing to B2C contacts, including sole traders and members of partnerships. Consent must be informed, freely given and unambiguous. In order to satisfy the requirement for informed consent, you must make the user aware of a number of things, including the legal basis for processing, the data being collected, what you will use it for, how long you will keep it and an outline of their rights regarding the data you are collecting. Freely given consent is that which is fair and free from pressure; for example, you cannot offer an incentive to those who join your mailing list but deny it to those who do not. The consent they give must also be unambiguous. You cannot infer consent from an omission: e.g. a pre-ticked box on a form, or a failure to reply to an email, is not unambiguous consent. Users have rights over the data they give you, and you need to make provision for these; they include the rights to correct inaccurate data, to delete their data and to obtain a copy of the data, among others.
Make your choice
When considering these options, you should choose the one that provides you with the greatest flexibility and will minimise your workload or potential workload. Consent is the hardest to achieve and comes with many obligations that you must fulfil. It is in many ways the safest course, as you, by definition, have the consent of those you are marketing to. Legitimate Interest offers a simpler way to communicate with B2B contacts but you must be careful that you can justify that your interest outweighs the impact on the recipient's privacy. Contractual Obligation is very good if you are dealing with clients but you mustn’t cross the line into sending them marketing material.
In all 3 cases, you must also consider what data you are collecting and for how long you will keep it. These aspects are known as data minimisation and data retention. The GDPR specifically requires you to justify every piece of data you keep about an individual in terms of what you use the data for and why you need to use it.
Data minimisation means that you should retain only the data you specifically need to deliver your marketing material. In a simple email list that might be only the person's name and their email address. It is very easy to add more data on the basis that it may be useful in the future or for some other purpose, but if you cannot justify it for today's purpose you should not retain it. For example, if you also keep a postal address with postcode, county, street name etc. but only ever segment your data by county, then the rest of the postal data should be removed.
Data retention is based on the principle that you must not keep data any longer than you reasonably need to carry out your processing objectives. In the case of an email mailing list it could be argued that the need is ongoing and thus the data does not have a ‘lifetime’. In practice, it may be worth re-confirming consent every one or two years in order to keep the list clean, which also provides a usable data retention scheme.
If a user asks for their record to be deleted (opt-out) then you are permitted to retain information as part of an exclusion list of people who have opted out so that you do not inadvertently include them again in the future.
If you use Consent as a basis for processing you should also keep a record on the mailing list of when they consented, by which mechanism and the scope of their consent. Date of consent is straightforward; the means of consent could be a web form, a paper-based form, etc. The scope of consent describes what the user has given you permission to do: if you have permission to send email, you DO NOT have permission to send SMS; you need a specific consent for each different form of processing.
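As an added illustration (not part of the original article), the following Python sketch shows how the consent record described above (date, mechanism, scope per channel), the opt-out exclusion list and a periodic re-confirmation check fit together in one "may I send this?" decision. The two-year re-confirmation period and the decision labels are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Re-confirm consent after two years, the upper end of the one-to-two-year
# refresh suggested in the discussion (an assumed policy value).
RECONFIRM_AFTER = timedelta(days=2 * 365)


@dataclass(frozen=True)
class ConsentRecord:
    """What the list should hold about one contact: date, mechanism and scope."""
    email: str
    consented_on: date
    mechanism: str          # e.g. "web form" or "paper form"
    channels: frozenset     # scope: the channels consented to, e.g. {"email"}


@dataclass
class MailingList:
    records: dict = field(default_factory=dict)   # email -> ConsentRecord
    exclusions: set = field(default_factory=set)  # opted-out addresses, kept only to suppress

    def record_consent(self, rec: ConsentRecord) -> None:
        # Assumption: a fresh, explicit consent lifts an earlier opt-out.
        self.exclusions.discard(rec.email)
        self.records[rec.email] = rec

    def opt_out(self, email: str) -> None:
        # Delete the record but remember the address so it is never re-added by mistake.
        self.records.pop(email, None)
        self.exclusions.add(email)

    def may_send(self, email: str, channel: str, today: date) -> str:
        """Return 'send' or the reason a message on this channel is not permitted."""
        if email in self.exclusions:
            return "excluded"          # opted out: never contact
        rec = self.records.get(email)
        if rec is None:
            return "no-consent"        # never consented, or consent withdrawn
        if channel not in rec.channels:
            return "wrong-channel"     # consent for email is not consent for SMS
        if today - rec.consented_on > RECONFIRM_AFTER:
            return "reconfirm"         # consent is stale: ask again before sending
        return "send"
```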
Consent and how to get it
If you have decided Consent is the path you will take, then you should next consider how to migrate your existing list. In effect you are asking them to give their consent in a manner which is acceptable under the GDPR. Providing you document this process and keep good records, this can occur before the May deadline, and in truth the sooner the better. Our approach is to include, in normal email campaigns, an invitation at the bottom to visit a web page to confirm their consent. The subject of the email is not consent; it is a normal, current marketing email with a simple consent explanation and link at the bottom. The web page they visit is, however, designed to meet GDPR requirements, in that it contains all of the detail required for the user to make an informed decision, there are no coercive or unfair offers, and the data that we wish to use is prefilled for them.
By adding the invitation to a normal email, you give users more time to spot it and act on it. If you send a single mail based solely on consent you run the risk of burning your bridges, because those who do not act on the email can be considered as not having given consent and must be opted out. At some point before the May deadline you can make the final pitch and send an email specifically about consent, perhaps with an incentive. Bear in mind, however, that all who visit the web form must be given the incentive whether they give consent or not. If a user reacts to the message added at the bottom of a normal email and gives consent, it is good practice to spot this and remove consent messages from future emails. More importantly, if a user reacts and gives a no-consent response you must remove them immediately from your list(s), add them to the exclusion list and not, under any circumstance, send them further emails.
We hope this rather long discussion has been of use …
By Roger Sutton