Obtaining consent for marketing under GDPR
By Claire Scaramanga
In the second article looking at GDPR, which comes into effect on 25th May 2018, we look at how to obtain consent to marketing (all marketing, not just email).
It is worth remembering that, if you have an alternative lawful purpose for processing your contact data, for example because the contact is an existing customer, this would be preferable to relying on consent, which can of course be withdrawn at any point.
The GDPR regulations are designed to work together with another piece of legislation, the ePrivacy regulations, which will replace the 2003 Privacy and Electronic Communication regulations. These are still in draft format, so the details are not yet set in stone.
Natural person or legal person
GDPR makes a distinction between two types of people when it comes to processing their individual personal data. The first is what it terms a natural person and the second is a legal person.
A natural person is somebody operating in an individual capacity, rather than as part of a legal entity. This is often referred to as consumer data, but it does also apply to a sole trader and a partnership, which are unincorporated businesses.
Under current data protection regulations, any natural person must make a positive opt-in to receive marketing and it is not permissible to market to them without that consent. This situation will not change under GDPR.
A legal person is where an individual is identifiable and is part of a legal entity. The change from current data protection regulations is that GDPR will consider this to be personal data where it is possible to identify who the individual is.
- firstname.lastname@example.org – natural person
- email@example.com – legal person, because Scaramanga Marketing is a limited company
- firstname.lastname@example.org – does not fall under GDPR because there is no personally identifiable data
Opt-in or opt-out for legal entities?
For legal entities, the current regulations allow business data to be processed on an opt-out (or default opt-in) basis. It is unclear going forward whether this will remain the case.
This will be determined under the new ePrivacy regulations if they permit countries to determine their own rules on consent for legal entity data. If that is the case, it is likely that the UK will make legal entity data an opt-out/default opt-in.
Going forward, you should add compliant consent gathering to all the collection points where people are providing their data, whether that is on your website, a newsletter sign-up, a webinar or event registration form, sales calls or an exchange of business cards.
For sales calls we would strongly recommend that you train your staff on what they need to say, perhaps providing them with a script or guidance and recording the calls so that you have an auditable record of when consent was given.
Your existing data
We would recommend that you review all the data that you have and how you obtained it. See what consent was given and whether that would comply under GDPR, which is more stringent than current data protection regulations, so it is quite possible that your consent may not be adequate.
As mentioned previously, if the contact is an existing customer then your lawful purpose for marketing to them may well be covered under a legitimate business interest.
For natural persons, if you do not already have consent you should not be marketing to them under current legislation.
Do NOT contact them to ask for their consent to marketing. If you do not already have consent, you cannot contact them full stop. There have been several companies fined for doing this over the last few months.
However, with natural persons’ data it may be possible to use what is known as the “soft opt-in”. This states that if you obtain data directly as a result of a sale, or negotiations for a sale, you may be able to continue to market to them products and services which are similar to what they have bought. On each communication you must give the person a clear opportunity to object or unsubscribe.
The soft opt-in only applies to commercial marketing, not to charities, political parties or not-for-profit organisations. Please obtain professional advice for your circumstances before relying on this option.
Minimum data set
GDPR states that you may only store the minimum data set needed to fulfil your purpose and that you may keep it for no longer than is necessary for the stated purpose.
The regulations do not specify what the minimum data set is or what the necessary time period might be. That is up to you to determine, but if you are audited or challenged, you will need to explain why you hold certain data.
For example, if you are a tailor, it would be perfectly acceptable to store someone’s inside leg measurement, but possibly not for any other purposes!
The benefits of GDPR for marketing
Whilst all of this might sound onerous and will undoubtedly result in companies reducing the size of the prospect marketing databases that they have, I still think it is no bad thing to make sure that all the people you are marketing to actually want to engage with you and want to receive materials from you.
After all, why waste your time and money marketing to people who are not really interested? A smaller database of engaged and interested prospects is undoubtedly going to be of more value. I think that permission marketing, as Seth Godin called it, is very much here and now and should be embraced.