General Data Protection Regulations (GDPR)
GDPR will impact all organisations regardless of size that process personal data. It’s therefore important to understand how the new regulations will impact your organisation and then seek practical guidance on how best to prepare for and manage GDPR.
Latcham Direct is taking the lead in supporting membership and other customers in understanding the new General Data Protection Regulation (GDPR) regulations that come into effect May 2018 and how this will impact on their business.
Having undertaken specific training on the implications of GDPR, we are supporting our customers in preparing for these changes, focusing on the importance of data security and management, what role a business has in protecting its data both in-house and through its supply chain, how the regulations impact on both print and digital media and the positive outcomes of this change.
Latcham Direct is best placed to support companies through this transition, ensuring that the GDPR journey is understood and helping them to engage with personalised and strategic customer communications which will make best used of GDPR compliant data.
Here is some useful information about GDPR consent together with other sources of information.
The regulation provides lawful basis for the processing of data which may include;
CONSENT – the individual has given their Consent to the processing of their Personal Data.
CONTRACTUAL - processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take pre-contractual steps at the request of the individual.
LEGAL OBLIGATION - processing of Personal Data is necessary for compliance with a legal obligation to which the Controller is subject.
VITAL INTERERSTS- processing of Personal Data is necessary to protect the vital interest of the individual or of another individual.
PUBLIC TASK - processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
LEGITIMATE INTERESTS – processing is necessary under the Legitimate Interests of the Controller or Third Party, unless these interests are overridden by the individual’s interests or fundamental rights.
Many organisations are considering using Legitimate Interest for marketing applications as recital 47 of the GDPR states that ‘the processing of Personal Data for direct marketing purposes may be regarded as carried out for a legitimate interest’ but also goes on to say “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child".
An organisation may wish to rely upon Legitimate Interests where Consent is not viable or the most suitable whilst the Balance of Interests condition is met. The GDPR states “may be regarded as…”, so organisations will still need to ensure they can establish necessity and balance their interests with the interests of those receiving the direct marketing communications.
We therefore recommend that you study the “Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation” provided by the Data Protection Network and the DMA, which also includes a Legitimate Interest Assessment form and guidance.
Consent and Postal Marketing
The ICO has specifically said that Postal marketing will not need consent and can be carried out on the basis of Legitimate Interest. We recommended that you visit this website.
Consent required for Electronic Marketing
In addition to GDPR you will also need to consider the Privacy and Electronic Communications Regulation (PECR).
The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission.
However, there is an exception to this rule. Known as the 'soft opt-in', it applies if the following conditions are met;
- where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
- where the messages are only marketing similar products or services; and
- where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.
When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.
The PECR rules on email marketing don't apply to most B2B communications, although you must still identify yourself and provide an address, and establish a lawful basis of processing i.e. storing their data in the first place with GDPR if you are using personal information in the email.
The Telephone Preference Service (TPS), Corporate Telephone Preference Service (CTPS) and Fax Preference Service (FPS) are operated by the Direct Marketing Association, and allow people to register their numbers to opt out of receiving unsolicited calls or faxes. You must not market individuals or organisations who have registered their numbers with the TPS, CTPS or FPS.
In summary, we recommend that your marketing campaigns are always permission-based and you explain clearly what a person's details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.
To ensure your marketing complies with data protection law and good practice we refer you to the following documents or to contact us to book a consultation meeting with our GDPR consultant.
Sources of Information
Direct Marketing Association
Chartered Institute of Marketing
Institute of Fundraising