Ian Birch, Managing Director of IBC Group, answers some key questions around the impact of the new GDPR on direct marketing
PrintIT Reseller (PITR): Is GDPR the only regulation companies need to be aware of?
Ian Birch (IB): The GDPR (General Data Protection Regulation) which was introduced in May, focuses on the personal data of individuals. However, when it comes to direct marketing, there is another regulation which must also be considered.
Introduced in 2003, the PECR (Privacy and Electronic Communications Regulation) focuses on electronic communications. Specifically, this is in relation to ‘unsolicited marketing’. The replacement of this regulation will take place shortly, but it remains valid in the interim.
PITR: Organisations need to comply with both GDPR and PECR regulations. How do both impact on direct marketing activities?
IB: In brief, if a company’s direct marketing activities involve contacting individuals by name, GDPR applies. If they are sending unsolicited marketing communications by phone, email, text, fax or post, then PECR applies.
PITR: How can organisations process personal data?
IB: There are six lawful bases for processing personal data. ‘Consent’ however, is key to the rules on direct marketing. Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In most situations, organisations will need to demonstrate they have the appropriate consent from individuals before sending them marketing messages. Importantly, the use of pre-ticked opt-in boxes and inactivity do not constitute consent.
It is imperative that evidence of the consent which an individual provided is retained. This will require detailed record keeping on who provided the consent, when and how. Aside from consent, Recital 47 of the GDPR also states ‘legitimate interests’ as an appropriate basis for processing personal data for direct marketing purposes.
PITR: Can organisations continue to make marketing phone calls?
IB: With the appropriate lawful basis already in place (for the specific purpose of direct marketing), it is possible to make unsolicited live phone calls. Yet, it is imperative to undertake two checks before picking up the phone. Firstly, check the number against the Telephone Preference Service (TPS and CTPS). If the number is listed there, then organisations should not make an unsolicited marketing call.
Secondly, it is good practice to check the number on internal CRM systems to ensure the individual has not opted out of future calls specifically from your company. The right to ‘opt out’ is absolute and calls must cease immediately if this is requested.
Making automated calls is permissible only if an individual has specifically consented to them.
PITR: What about sending marketing text messages and emails?
IB: Typically, a company may only send marketing text messages and emails if the recipient individual has specifically consented to it.
Critically, individuals must be given the opportunity to withdraw any previously given consent. An ‘unsubscribe’ button on the marketing message is sufficient here.
It is possible to contact existing customers without their specific consent, using the so-called ‘soft opt-in’ method. Assuming the contact details of the individual were gathered during the course of a negotiation or sale, and the company is marketing their own similar products or services, marketing text messages or emails may be sent. It is important, however, that the opportunity to ‘opt out’ is provided in every message.
PITR: Does this signal the end of ‘bought-in’ marketing lists?
IB: The use of bought-in marketing lists has become stricter under the GDPR. The list seller must gain the consent of individuals to share their personal data for marketing purposes, with specific named third parties. It is insufficient to list the types of third parties which will receive the personal data. The list sellers must demonstrate the individual knew exactly who would receive their data.
Equally potential buyers of marketing lists must keep records of what the individual consented to. This covers lists purchased before the introduction of GDPR as well as any purchased post implementation.
Of course, this change in the GDPR is likely to have a dramatic impact on the collators and sellers of such lists.
IBC Group offers a comprehensive suite of services enabling organisations to improve the performance of their data systems, automate business processes and ensure compliance with data regulations.