10 Must-know facts about the new EU data law

The new General Data Protection Regulation (GDPR) was passed in May 2016 and will be enforceable May 2018. It legislates how you manage, protect and administer marketing data. Here are some answers to key questions…

(On Friday 24 June 2016 the UK voted to leave the EU. See my post on the DMA website for more information, 3 reasons I’m still implementing my GDPR plan)

1. Does the GDPR apply to my company?

Almost certainly yes. The size of your organisation is irrelevant: you must comply with the new law no matter how many people you employ. It also affects organisations outside the EU: if your data includes EU citizens, the GDPR applies to you.

2. Does the law apply after Brexit?

Yes. The government have incorporated the GDPR into UK law.

3. Does this affect my customers and prospects?

The new rules regarding the security of data affect both existing customers and prospects. If you use automated decision-making (e.g. an algorithm to rank customers) then you need explicit consent from both customers and prospects.

However, the need for consent (opt-in) to send marketing messages applies broadly to prospects only – but if a customer has purchased a product from one division of your company, do not assume you have consent to send them marketing from another division of your firm.

You can use ‘legitimate interest’ to contact prospects, but more on that later.

4. What happens if I don’t comply with the new law?

In the UK you will be investigated by the Information Commissioner’s Office (ICO), and if you are found to be in serious breach of the new law you could be fined up to €20 million or 4% of global turnover.

The ICO is increasing its staff numbers in preparation for the GDPR, so don’t assume it lacks the resources. During 2015/16 it issued £2.5m worth of fines.

List of organisations fined by the ICO April 2015 – April 2016
Advice Direct Ltd, 01 April 2016, fined £20,000
FEP Heatcare Ltd, 17 March 2016, fined £180,000
David Lammy MP, 10 March 2016, fined £5,000
Prodial Ltd, 29 February 2016, fined £350,000
Direct Security Marketing Ltd, 17 February 2016, fined £70,000
MyIML, 17 February 2016, fined £80,000
Telegraph Media Group, 21 December 2015, fined £30,000
Telecom Protection Service Ltd, 25 November 2015, fined £80,000
Nuisance Call Blocker Ltd, 25 November 2015, fined £90,000
UKMS Money Solutions Ltd, 23 November 2015, fined £80,000
Oxygen Ltd, 10 November 2015, fined £120,000
The Crown Prosecution Service, 04 November 2015, fined £200,000
Help Direct UK Ltd, 27 October 2015, fined £200,000
Pharmacy2U Ltd, 20 October 2015, fined £130,000
Home Energy & Lifestyle Management Ltd (HELM), 30 September 2015, fined £200,000
Cold Call Elimination Ltd, 16 September 2015, fined £75,000
The Money Shop, 06 August 2015, fined £180,000
South Wales Police, 18 May 2015, fined £160,000
Direct Assist Ltd, 01 April 2015, fined £80,000

5. Does the GDPR apply to B2B marketing?

You bet. The GDPR makes no distinction between B2C personal data and B2B personal data. It’s all personal. However, GDPR is linked to another new law called the ePrivacy Regulation (ePR).

ePR will define whether a work email address, work direct dial number, and other work-related electronic communication requires consent.

At the time of writing the ePR has not been finalised.

6. OK, so how do I ensure my marketing is legal?

The GDPR changes marketing consent from a broadly opt-out system to a broadly opt-in rule. The chart below explains how each of the main channels is affected.

At the moment it seems that email and text messaging will require opt-in from prospects (both B2C and B2B). Opt-in consent needs to be unambiguous for most data, and explicit for sensitive data*. Basically, your prospects need to be clear what they are agreeing to receive from your marketing department.

Consent cannot be implied by inaction but must be the result of a positive action by individuals. Soft opt-in may apply in some circumstances. You can use soft opt-in if all the following apply…

  • they are an existing customer
  • the messages are marketing similar products or services to the ones they have already bought; and
  • they were given a simple opportunity to refuse marketing (unsubscribe) when their details were collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

It is likely that ePR will keep direct mail and telemarketing an opt-out system – but you must check the person is not listed on the MPS or TPS lists.

As outlined in Question 3 above, do not assume consent. John Lewis Plc assumed they had consent because a customer gave soft opt-in for marketing messages from their sister company Waitrose. They were wrong. The details of the County Court Judgement are at John Lewis Plc vs Mansfield.

7. What about B2B telemarketing?

Although B2B telemarketing is marked as opt-out, you will still need to check the telephone numbers in your CRM against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) registers. However, if someone consents to your telemarketing you can call them regardless of whether they are on the TPS or CTPS lists.

Don’t make the mistake of thinking that TPS is just for consumers and therefore does not apply to B2B telemarketing – sole traders and partnerships are on the TPS list, as well as the personal mobile phone numbers of many executives.

8. I’ve heard about the ‘Right to be Forgotten’, what is it?

The Right to be Forgotten (or Right to Erasure) enables individuals to request the erasure of their data from your CRM in certain circumstances. This right already exists in relation to search engines and there are many cases that involve Google (just search ‘Google Right to be Forgotten’).

Under the GDPR you do not have to erase the personal information if you need it for accounting, tax or other regulatory purposes.

You also need to consider whether data should be erased or simply added to your in-house suppression file. If you delete it entirely you run the risk of inadvertently sending individuals further marketing in the future; the very thing they were seeking to prevent.
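Questions 7 and 8 above both come down to the same data-handling design: a CRM needs a suppression file that outlives the contact record (so an erased person is not re-imported and re-marketed), and the telemarketing audience has to be screened against TPS/CTPS while still allowing calls to people who have consented. The following Python is an added illustration of that design; it is not code from the original post or from any real CRM product. The secret key, the `MarketingStore` class, the contact records and the TPS numbers (Ofcom’s reserved 07700 900xxx range) are all constructed for the example. Suppression entries are stored as keyed hashes of the normalised identifier rather than as readable emails and numbers, so the file holds the minimum needed to block a future send.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical key for the suppression hashes. In a real deployment this would
# come from a secrets store, not from source code.
SUPPRESSION_KEY = b"example-only-suppression-key"


def normalise_email(email: str) -> str:
    """Canonical form so that case and whitespace variants still match."""
    return email.strip().lower()


def normalise_phone(phone: str) -> str:
    """Digits only; a UK national '0' prefix is rewritten to 44 (assumed house rule)."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return digits


def suppression_token(kind: str, value: str) -> str:
    """Keyed hash of a normalised identifier. Lets future imports and sends be
    blocked without retaining the readable email or number of someone who asked
    to be erased."""
    return hmac.new(SUPPRESSION_KEY, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Contact:
    name: str
    email: str
    phone: str
    marketing_consent: bool = False


@dataclass
class MarketingStore:
    contacts: dict = field(default_factory=dict)     # normalised email -> Contact
    suppression: dict = field(default_factory=dict)  # token -> reason ("erasure" or "tps")

    def _reason(self, kind: str, value: str):
        return self.suppression.get(suppression_token(kind, value))

    def erased(self, email: str, phone: str) -> bool:
        """An erasure suppression applies to every channel."""
        return "erasure" in (self._reason("email", normalise_email(email)),
                             self._reason("phone", normalise_phone(phone)))

    def add(self, contact: Contact) -> bool:
        """Import a contact unless they previously asked to be erased. Returns True if stored."""
        if self.erased(contact.email, contact.phone):
            return False
        contact.email = normalise_email(contact.email)
        self.contacts[contact.email] = contact
        return True

    def erase(self, email: str) -> None:
        """Honour a right-to-erasure request: drop the record, keep only the
        suppression tokens so the person is not re-marketed later."""
        email = normalise_email(email)
        contact = self.contacts.pop(email, None)
        self.suppression[suppression_token("email", email)] = "erasure"
        if contact is not None:
            self.suppression[suppression_token("phone", normalise_phone(contact.phone))] = "erasure"

    def load_tps(self, numbers) -> None:
        """Record numbers from a TPS/CTPS extract as telephone-only suppressions."""
        for number in numbers:
            self.suppression.setdefault(suppression_token("phone", normalise_phone(number)), "tps")

    def email_audience(self) -> list:
        """Email is opt-in: consent required, and never an erased person."""
        return sorted(e for e, c in self.contacts.items()
                      if c.marketing_consent and not self.erased(e, c.phone))

    def telemarketing_audience(self) -> list:
        """Calls are opt-out, screened against TPS; a consenting contact may still be called."""
        out = []
        for c in self.contacts.values():
            reason = self._reason("phone", normalise_phone(c.phone))
            if reason == "erasure" or (reason == "tps" and not c.marketing_consent):
                continue
            out.append(normalise_phone(c.phone))
        return sorted(out)


def demo() -> dict:
    """Constructed walk-through: one erasure request, two TPS-listed numbers."""
    store = MarketingStore()
    store.add(Contact("Alice", "alice@example.com", "07700 900123", marketing_consent=True))
    store.add(Contact("Bob", "bob@example.com", "07700 900456", marketing_consent=False))
    store.add(Contact("Carol", "carol@example.com", "07700 900789", marketing_consent=True))
    store.load_tps(["07700 900456", "07700 900789"])
    store.erase("alice@example.com")
    reimported = store.add(Contact("Alice", " Alice@Example.com ", "+44 7700 900123", True))
    return {
        "reimported": reimported,                      # False: blocked by the suppression file
        "email": store.email_audience(),               # ['carol@example.com']
        "calls": store.telemarketing_audience(),       # ['447700900789']: Carol consented, Bob is on TPS
        "retained_readable_alice": "alice@example.com" in store.contacts,
    }
```

The point of `demo()` is the last two lines of its result: Alice’s readable record is gone, yet a later import of the same person under a differently formatted email and number is still refused, which is exactly the risk the paragraph above warns about when a record is simply deleted.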

9. What is ‘profiling’ and what do I need to do about it?

The GDPR defines profiling as “automated processing on personal data” – I prefer to call it automated decision-making. It’s the use of an algorithm for analysing customer or prospect data.

For example, profiling could assess the likelihood for an individual to purchase a certain product, to behave in a certain way, or to be at a certain location.

The GDPR states you must have explicit consent from prospects to perform automated decision-making. However, they cannot opt out if profiling is necessary for a contract between them and your organisation.

The Regulation clearly identifies on-line credit scoring and e-recruitment assessments without human intervention as having a legal effect or significantly affecting individuals – so tread carefully.

10. What is legitimate interest?

If you are unable to get consent from a prospective customer you may be able to use ‘legitimate interest’ as a justification to contact them. But tread carefully.

Before you contact them you must perform a Legitimate Interest Assessment. This is a test which balances your desire to contact them with their desire for privacy. You should keep a copy of the results of your Assessment to show prospects, customers or the ICO.

But should the ICO decide you have not proved you have a Legitimate Interest you could lose contact with all those individuals. Getting unambiguous consent is my preferred route. Permission marketing rules!


This post is part of a series about the General Data Protection Regulation; the full list of posts includes ‘How Brexit impacts marketing data in the UK’ | ‘3 tips: Steal my GDPR plan’ | ‘The GDPR became law yesterday… and nobody cared’ | ‘Get ready for Data Protection ambulance chasers’ | ‘10 Must-know facts about the new EU data law’ | ‘Want prospects to opt-in? Call them’ | ‘You don’t need ‘opt-in’ to store a switchboard number’ | ‘What can these guys teach you about opt-in marketing?’ | ‘How content marketing will change after 2018’ | ‘Winning Edge: Counter a direct threat


4 thoughts on “10 Must-know facts about the new EU data law”

  1. I’d be interested if you could cite where the opt-in/opt-out requirements for each channel came from. I’ve seen no other reference to them.

    1. Hi Walter, I created the opt-in/opt-out requirements myself, based on what I’ve learned as a member of the Direct Marketing Association. Hope that answers your question 🙂

  2. Hi Graham

    Your articles have been some of the most informative and easy to understand out of everything I’ve read about the GDPR Compliance so far!

    However I just wondered if you could qualify a couple of points for. You suggest that current/existing customers don’t have to double opt-in and then you do suggest that. What is the best action to take?

    Also I just wondered, in addition to sending out e-marketing such as e-shots, e-newsletters and any other content by email, what other forms of marketing will customers need to double opt-in to – i.e. will they need to double opt in to following a company on social media or receiving marketing literature in the post?

    Look forward to hearing your comments on this. Emily

    1. Hi Emily

      You can contact your current/existing customers using ‘legitimate interest’. I recommend you perform a Legitimate Interest Assessment just to prove you have given it proper consideration. So ‘unambiguous’ or ‘explicit’ consent is unlikely to be necessary.

      In some circumstances, you can use legitimate interest to contact prospective customers. But this could be tricky, because if some customers complain you could lose the ability to contact an entire group. So for prospects, it is better to get unambiguous or explicit consent.

      However, you also have to consider the PECR regulations as well as GDPR. The existing PECR regulations (soon to be replaced by the ePrivacy Regs) state the need for current and prospective customers to be given the ability to opt-out of electronic marketing (email, text, telephone etc). So make sure you include unsubscribe links and processes.

      The act of following your company on social media means they have opted-in for you to contact them on those platforms. What they may not have done is given you permission to store their Facebook page or Twitter URL in your CRM. Be careful.

      I believe that direct mail (letters in the post) will become more popular. It is expensive, but as long as you check your mailing list against MPS, you can contact almost anyone – plus there is less competition on the doormat these days.
