Like many creative people, we in marketing often chafe against constraining rules and regulations. Our pursuit of contacts, leads, and opportunities can sometimes cause us to be somewhat cavalier in our approach to data protection requirements.
This will have to change when the General Data Protection Regulation (GDPR) comes into force in May 2018. Failure to comply with GDPR can cost our companies dear, resulting in huge fines for non-compliance.
How is Marketing impacted?
- Collecting new leads
- Buying lists
- Business cards
- Double Opt In
Collecting new leads
When trying to collect new leads, the regulation stipulates that the data subject has to opt in to the use of their data. There is a long list of information that has to be provided at the time the data is collected: the purpose for which the data is to be used, how long the data will be used for that purpose, the legal requirement for collecting that data where there is one or, if not, the justification for the processing, and the security measures protecting the data. The information provided at collection should also make clear the rights of the data subject to have their data amended, to remove consent for their data to be processed and to have the data erased (right to be forgotten), and who the data protection authority is for making a complaint. As the notification has to be given up front, before processing, using mail shots for new contacts is not viable according to article 13.
However, article 14 discusses the requirements when the data is in the public domain. For example, if the contact information was collected from a search in LinkedIn, the same information as above needs to be declared to the data subject, along with the source from which the personal data originated. The difference with article 14 is that it states that the information shall be provided to the data subject ‘within a reasonable period after obtaining the personal data, but at the latest within one month’.
This would also apply to buying a list of contacts. As long as the Data Controller from whom you are buying the list informed the data subjects, when collecting the data, that it would be used for marketing and sold on to 3rd parties, you would become the new data controller when you buy the data. However, you would need to get proof from the original data controller that consent for the data to be supplied to a 3rd party has been agreed. You would then need to follow article 14 in informing the data subjects that you have obtained their details from x and that you will be using their details for y, and provide all the information stated earlier. Paragraph 5b of article 14 does allow for not complying if provision of such information ‘proves impossible or would involve a disproportionate effort’. However, this is one of those grey areas which is open to interpretation. Therefore, we would advise using this clause carefully and not as a basis for getting out of your obligations.
Another common question around marketing is the use of a business card. Lawyers are not all in agreement, but the general consensus would appear to be common sense. If someone has given you their business card it is common sense that this is with the intention of being contacted. So consent has been provided.
To make sure you can provide proof should you be audited, you should follow up a conference, or wherever you obtained the business card, with an email providing the information listed in article 13 about the use of the personal data and giving the data subject the opportunity to object to the processing.
When the data subject agrees via a website, a double opt-in sends them an email asking them to confirm that they are happy to be contacted. This gives them a second chance to opt out and also prevents someone falsifying their contact details. This is not obligatory in the GDPR, but is recommended.
TrueSwift Ltd. - Data management experts
TrueSwift is a specialist Data and Information Management company, proud of the standard of delivery and customer satisfaction that it has gained in its years of experience. It is proud of the results it has achieved. It has an excellent pedigree with many archiving products and extensive experience with migrations between the various archive vendors or to the cloud. With e-Disclosure becoming more prevalent than ever, TrueSwift can also advise on designs and legal investigation requirements for your business. Despite the UK exiting the EU, GDPR is still relevant to British companies and penalties for non-compliance will be severe. Action is needed now and we can help you take your next steps.
To find out more about TrueSwift’s offerings, please get in touch with Matt Andree, Head of Business Development.