There has been a lot of information published over the last few years regarding the proposed changes to the Data Protection Act, known as the General Data Protection Regulation (GDPR). This has left many people confused about what they need to be doing to keep on the right side of the law.

This blog provides answers to many of the key questions to help give a better understanding of what you should be doing now to protect your business for the future.

What is the General Data Protection Regulation (GDPR)?

  • The GDPR is a new EU regulation replacing Directive 95/46/EC and will be directly applicable in every Member State. This means there is no need for the UK to implement any secondary legislation.
  • The aim is to harmonise data protection law across the EU and to increase individual rights.
  • The regulation will come into force on 25th May 2018.
  • Brexit may have some impact on the implementation in the UK, however it is likely that the UK will need to be compliant with the regulation in order to continue trading with the EU.

Implications for B2B marketing

  • Can you advise how consent works for marketing to B2B vs B2C under GDPR?
    The minor differences between B2B and B2C will remain after the GDPR comes into force. Sole traders and partnerships are treated as consumers. Employees of limited companies, LLPs and Government departments can be emailed without prior consent but can object to their work email address being used for marketing.
  • The Privacy and Electronic Communications Regulations (PECR) treat B2B marketing to corporate accounts differently from B2C. B2B is opt-out. Does this still apply to data collection and use for electronic marketing?
    This will still apply when collecting email addresses of corporate employees for use in marketing.
  • B2B has been opt-out, therefore no consent; will post-GDPR require consent to be gained?
    No, the rules for corporate employees will continue to be opt-out from marketing. For sole traders and partnerships, it is opt-in as they are treated as consumers.

The right to be forgotten

  • How will I stand if a person asks to be forgotten, and then I get their data from a third party when I no longer have their data to suppress against?
    The legislation says that you do not have to ‘forget’ all aspects of a person’s data if there is a legal reason for keeping it. Suppression from further marketing is a legal reason, so you could keep just enough data to prevent that person from being contacted.
  • If models / segments aren’t updated daily, are we falling foul of the regulation if customers have opted out since we built the model / segment?
    The analysis could probably go ahead including customers who subsequently opted out, but the results of the analysis could not be applied to those customers.
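One way to hold ‘just enough data’ for suppression, as an added Python example that is not part of the original post: store a keyed hash of each erased address instead of the address itself, then screen incoming third-party files and previously built segments against it. The key, addresses and records below are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed example key; in practice this comes from a secrets store, not source code.
SUPPRESSION_KEY = b"example-key-do-not-use"


def normalise_email(addr: str) -> str:
    """Canonicalise so the same person matches regardless of case or stray whitespace."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def suppression_token(addr: str) -> str:
    """Keyed hash of the address: enough to recognise it again, not enough to contact it.

    A keyed hash (HMAC) rather than a bare SHA-256 means the stored tokens cannot be
    matched back to addresses by guessing without the key. The token is still
    pseudonymised personal data, but the plaintext address is no longer retained.
    """
    digest = hmac.new(SUPPRESSION_KEY, normalise_email(addr).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


class SuppressionList:
    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def forget(self, addr: str) -> None:
        """Handle an erasure request: keep only the token, never the address."""
        self._tokens.add(suppression_token(addr))

    def is_suppressed(self, addr: str) -> bool:
        return suppression_token(addr) in self._tokens

    def filter_contacts(self, records: list[dict]) -> list[dict]:
        """Drop suppressed people from a third-party file or a segment before it is used."""
        return [r for r in records if not self.is_suppressed(r["email"])]


def demo() -> tuple[list[dict], list[dict]]:
    """Constructed walk-through: one erasure request, then a third-party file and an old segment."""
    suppression = SuppressionList()
    suppression.forget("Jane.Doe@example.com")
    third_party_file = [{"email": " jane.doe@example.com "}, {"email": "bob@example.com"}]
    segment_built_earlier = [{"email": "JANE.DOE@example.com", "segment": "high_value"},
                             {"email": "carol@example.com", "segment": "high_value"}]
    return suppression.filter_contacts(third_party_file), suppression.filter_contacts(segment_built_earlier)
```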

Implementing GDPR

  • How will the GDPR have an impact on how you market to your former customers by channel?
    If you collected your customers’ consent, then you can market to them in whatever way they agreed to. If you do not have evidence of B2C customers opting in to email or SMS, you can still communicate with them using the traditional opt-out channels, mail and telephone, as long as you screen against the TPS and provide an opt-out mechanism with each subsequent communication.

Consent and legitimate interest

  • Is legitimate interest broadly equivalent to calling those individuals not registered with the TPS?
    Legitimate interest means that you would have to be able to demonstrate that it was in the legitimate interests of your business to call people not registered on TPS. For example, if they had been customers or if they were people you had selected because they were likely to be customers. Just not being on TPS would probably not be a sufficient reason.
  • So is it going to be all opt-in?
    No, if you can show that your business has a legitimate interest in contacting certain people then you can use the traditional opt out channels of mail and phone (with TPS).
  • If it is not all opt-in now, isn’t it just a matter of time, and isn’t it inevitable?
    Email and SMS to B2C customers have always been opt in. There are no plans at present to make mail or telephone opt in.
  • How long does consent last? Would customers expect different lengths of consent depending on the product and how often they might purchase, e.g. shampoo vs car?
    There are no specific time limits in the legislation for consent. The ICO’s guidance suggests that the first use of third-party data should be within six months. They also say that consent decays over time. Some products could justify longer periods between communications, such as annual insurance or the purchase of a car, but I think it would be hard to argue that periods longer than two years would be appropriate, either between communications or from initially gathering a person’s data.
  • Question for the consent session under GDPR: does legitimate interest only begin once a person becomes a customer? If a person declined your product, how can you market to them?
    No, legitimate interest is not just for customers; if you can demonstrate that you have a relationship, that may well constitute legitimate interest.
  • How much proof of consent is required? If it is all done over the phone, are the answers recorded in a database enough, or are the actual call recordings required?
    The legislation says that it is the company’s responsibility to prove that consent was given. We may have to wait until the guidance from the ICO is published to see exactly what they will accept.

A guide to what to include in your data capture forms

Key information to include

  • Why the data is being requested
  • What the data will be used for
  • Provision of an opt-in/out for marketing
  • Marketing channels to be used
  • Link to privacy policy

Key information to include in privacy policy

  • How the data subject can opt-out of marketing
  • If the data will be processed outside the EEA
  • How long the data will be kept for
  • How to make a subject access request
  • How to make a complaint regarding use of data

*Source includes information published by the DMA 18/10/2016.