Your Guide to Direct Marketing
A key part of the GDPR is accountability: you must be able to demonstrate your compliance. Conducting a simple data protection impact assessment is an easy way to get started with this. It shows that you considered data protection and privacy issues upfront when planning your direct marketing activities, and it is a key document to be able to point regulators to should they come knocking.
Do we need to complete a DPIA?
A data protection impact assessment (DPIA) enables you to analyse your processing and helps you identify and minimise the data protection risks. It is an integral part of the accountability requirements of the GDPR. DPIAs are a legal requirement for processing that is likely to be high risk, but an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and build trust and engagement with individuals. Article 35 of the GDPR says you must do a DPIA if you plan to:
· use systematic and extensive profiling with significant effects;
· process special category or criminal offence data on a large scale; or
· systematically monitor publicly accessible places on a large scale.
You need to carry out the DPIA in the early stages of developing a project. It is a living document: you should review and update it so that it reflects any changes to your project, and the review process does not stop once you start processing personal data.
How do we decide what our lawful basis is for direct marketing?
You must decide and document your lawful basis before you start processing personal data for direct marketing purposes. There are six lawful bases for processing in the GDPR. The most appropriate basis depends on your direct marketing activity, the context and your relationship with the individual. Generally speaking, the two lawful bases most likely to apply to direct marketing are consent and legitimate interests. Your choice between them is likely to be affected by a number of factors, including whether you want to give individuals choice and control (consent) or whether you want to take responsibility for protecting the individual’s interests (legitimate interests). As a rule of thumb, if you are relying on the soft opt-in, legitimate interests may be appropriate. Likewise, legitimate interests may be appropriate for ‘solicited’ marketing (ie marketing proactively requested by the individual). Where PECR requires consent for the marketing method you are using, consent is in practice also the lawful basis you must rely on under the GDPR.
How does consent apply to direct marketing?
The consent lawful basis is about giving people choice and control over how you use their data. The GDPR defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Individuals can withdraw consent at any time, and you must make it as easy to withdraw consent to direct marketing as it was to give it. If you want to rely on consent to process an individual’s personal data for direct marketing purposes, you must meet all the elements of valid consent. The individual must:
· have genuine choice and control over whether or not to consent to their personal data being used by you for direct marketing purposes
· be able to refuse consent to direct marketing without detriment
· be able to withdraw consent at any time.
Your request for consent for direct marketing must cover:
· the name of the controller who wants to rely on the consent – this includes you and any third party controllers who are relying on the consent for direct marketing;
· the purposes of the processing – you need to be specific about your direct marketing purposes;
· the types of processing activity – where possible you should provide granular consent options for each separate type of processing; and
· the right to withdraw consent at any time.
You must clearly explain to people, in a way they can easily understand, that they are consenting to direct marketing. The request for consent needs to be prominent, concise, in plain language, and separate from your privacy information or other terms and conditions. It must be obvious that the individual has consented to you processing their personal data for direct marketing purposes. Pre-ticked opt-in boxes do not constitute valid consent under the GDPR. You cannot rely on silence, inactivity or default settings – consent must be separate, freely given, unambiguous and affirmative. Failing to opt out of direct marketing is not valid consent.
How does legitimate interests apply to direct marketing?
You might be able to rely on legitimate interests for your direct marketing purposes if you can show that the way you use people’s data is proportionate, has a minimal privacy impact, and would not surprise people or prompt them to object. The legitimate interests lawful basis is made up of a three-part test:
· Purpose test – is there a legitimate interest behind the processing?
· Necessity test – is the processing necessary for that purpose?
· Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
This test is referred to as a legitimate interests assessment (LIA). The first step is to identify the legitimate interest to your business in contacting that individual. We recommend you focus primarily on your own interests and avoid undue focus on presumed benefits to customers unless you have very clear evidence of their preferences. Once you have established this, you still need to show that your processing passes the necessity and balancing tests.
When looking at the balancing test, you should also consider factors such as:
· whether people would expect you to use their details in this way;
· the potential nuisance factor of unwanted marketing messages; and
· the effect your chosen method and frequency of communication might have on vulnerable individuals.
Given that individuals have an absolute right to object to direct marketing, it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual). The lack of any proactive opportunity to opt out in advance would arguably contribute to a loss of control over their data and act as an unnecessary barrier to exercising their data protection rights.
Direct marketing by e-mail
In general, direct marketing by electronic mail requires the individual subscriber’s consent. There is one exception, known as the ‘soft opt-in’. If you intend to rely on consent, it must be specific to the individual receiving that particular type of electronic mail from you (for example, specific consent for emails or specific consent for text messages). Regardless of whether you are relying on consent or the soft opt-in, you must not disguise or conceal your identity, and you must provide a valid contact address or Freephone number that individuals can use to opt out or unsubscribe. If an individual tells you they do not want direct marketing by electronic mail, for example by unsubscribing or opting out, you must comply, and you must make it easy for them to withdraw their consent or opt out.
The ‘soft opt-in’
The ‘soft opt-in’ exception is set out in regulation 22(3) of PECR, which says: “A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.”
The soft opt-in only applies to electronic mail (eg emails and texts); it does not apply to other methods of direct marketing. If you want to use the soft opt-in you must meet all of its requirements, which break down into five conditions:
1) You obtained the contact details;
2) In the course of a sale or negotiation of a sale of a product or service;
3) Your similar products and services are being marketed;
4) Opportunity to refuse or opt-out given when you collected the details; and
5) Opportunity to refuse or opt-out given in every communication.
What do we need to tell people if we collect their data from other sources?
If you collect personal data indirectly, ie from sources other than the individual, you must still be transparent and comply with the right to be informed. Other sources could include publicly available data, third parties such as data brokers, or other organisations that you work with. Article 14 of the GDPR lists the information you must provide to individuals when you have not collected their personal data directly from them. In general these requirements are the same as when you collect the data directly from the individual, but you also need to provide:
· details of the categories (types) of the individual’s personal data that you have collected (eg contact details, interests, ethnicity); and
· the source of their personal data (eg the name of the third party, or the name of the publicly available source).
You must provide this privacy information to individuals within a reasonable period and at the latest within a month of obtaining their data.
Generating leads and collecting contact details
Transparency is a key part of the GDPR, and as part of this individuals have the right to be informed about your collection and use of their personal data for direct marketing purposes. If you collect data directly from individuals, you must provide privacy information at the time you collect their details. If you collect personal data from sources other than the individual (eg public sources or third parties), you must provide privacy information within a reasonable period of obtaining the data and no later than one month from the date of collection. Your privacy information must be in clear and plain language and easily accessible. If you are considering buying or renting direct marketing lists, you must complete appropriate due diligence first. Whatever technology or contact method you use, you still need to comply with the GDPR and PECR, and if you are using new technologies for marketing and online advertising it is highly likely that you will need a DPIA.
Enforcement of this code:
The ICO upholds information rights in the public interest. We will monitor compliance with this code through proactive audits, consider complaints, and enforce the direct marketing rules in line with our Regulatory Action Policy. Adherence to this code will be a key measure of your compliance with data protection law; if you do not follow it, you will find it difficult to demonstrate that your processing complies with the GDPR or PECR. In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR, and in the use of her enforcement powers. The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.