Does GDPR Stop Me from Marketing?
After the influx of marketing emails asking for consent in early 2018, the mass update of privacy and cookie policies and J.D. Wetherspoon deleting its entire email marketing database, GDPR is here to stay for marketers. So, does GDPR stop me from marketing like I used to?
Legislation and rules around marketing can be complex. This is because at least two laws come into play – GDPR and PECR, which both apply to B2B and B2C marketing. If that wasn’t enough to worry about, the Data Protection Act 2018 was recently introduced and PECR is due to be replaced by the ePrivacy Directive in 2019, which will bring more changes.
Currently, there is significant overlap between GDPR and PECR. The introduction of GDPR in 2018 did not replace PECR, but it did change the underlying definition of consent.
Read on for answers to the marketing questions our support team has been answering recently.
Do I need consent for sending electronic communications?
The answer to this question depends on a number of factors. You probably already know that you may need consent before you can send marketing texts or emails under PECR. However, you must also have a lawful basis under GDPR if you are using personal information.
If you do use consent as your lawful basis, that consent must be valid: freely given, clear and specific, e.g. clicking an icon or sending an email. You must keep clear records of what was consented to, by whom, how, and what privacy notice was given at the time, even if the data was bought from a third party. In addition, consent can be withdrawn at any time, and you must tell the individual how to withdraw it and make it easy to do so.
Note that you must not contact someone to ask for consent for future electronic communications – this is considered a marketing communication in itself.
You may be able to use legitimate interest, rather than consent, as your lawful basis in some situations such as:
- The activity is of clear benefit to others, for example fraud prevention.
- The person would expect their data to be used in that way, such as when someone has recently signed up to a mailing list.
- B2B emails and texts, if you comply with PECR and any other industry standards, and the individual has not opted out.
If you use legitimate interest, you must assess the impact with a “balancing test” that weighs the necessity of the campaign against the rights and interests of the audience. You must also still comply with PECR.
I have a subscriber list – can I still market to them?
If your existing consents already meet the new rules, then you can still send marketing communications.
If you have already been sending B2B communications but do not have GDPR-compliant consent, then you may continue to market to them but must ensure that you:
- Have a lawful basis for using personal information (such as legitimate interest).
- Provide a clear option to unsubscribe.
You should either find a way to gain future consent (but do not send specific emails asking for consent as this is intrusive) or continue to rely on another lawful basis, such as legitimate interest.
For B2C marketing, if you do not have consent you should review the situation very carefully to see whether you have a lawful basis to continue to hold that information. You must also review the rules before beginning a campaign because you are unlikely to be able to send communications without consent.
Why do I need to know about DPIAs?
A Data Protection Impact Assessment (DPIA) is a way of identifying and minimising data risks in campaigns or other projects. The GDPR introduces a new obligation to conduct a DPIA in many situations, all of which are likely to result in a high risk to individuals’ interests.
Some types of data use that require a DPIA are data matching or combining, large-scale profiling (including social media) and “invisible processing” (including online tracking or advertising). The latter is where personal data has been collected from a source other than the individual, such as bought-in data, and a privacy notice has not been or will not be provided by you.
Do I need an unsubscribe link in my emails?
If your emails are not related to marketing in any way, for example they are used to contact your stationery supplier, then there is no need to have an unsubscribe link.
Do I need to implement “double opt-in”?
A “double opt-in” is not required under GDPR. It is a way of ensuring you can prove you have obtained adequate consent (if you choose to use consent) but there are other methods, such as clicking an icon or ticking a box with clear indications of what is being signed up to.
How can I check if a campaign is allowed?
The Data Support Agency has experience in guiding marketing teams around GDPR to ensure their marketing is compliant but also that they get the most out of their data. We have support packages available for teams who just need someone to call to ensure that the activity is compliant as well as for those who require more detailed guides, templates and additional support. Contact us on the details below to find out how we can help you.
To find out more, please speak with a member of our team by emailing firstname.lastname@example.org or calling 0345 646 0066.