Will we have to get consent from everyone on our marketing list?
Will we still be able to use data lists?
Will we still be able to do direct marketing?
These are just some of the questions I’ve been asked over the last few weeks. Lots of businesses are still feeling uncertain about how they can market themselves post-GDPR.
When GDPR comes into effect on 25th May 2018 it won’t be like some kind of iron curtain falling on our business activities. In many cases it will be pretty much business as usual – but with a little more care (and a good deal more documentation) than before.
There is a lot of advice flying around, much of it promising to hold the definitive answer to your GDPR headaches – but the truth is that the answer to many of your questions will probably be ‘it depends’. Maybe not the answer you’re looking for – but as long as you are asking the right questions (and documenting your answers) you’ll be well on the way to compliance.
When you do any marketing activity that’s addressed directly to an individual, whether business or consumer, you are processing their personal data and you will need a lawful basis for doing so. (Personal data means anything that can be identified as belonging to an individual – so firstname.lastname@example.org is personal data but email@example.com isn’t, because one can be identified as belonging to Bob and the other can’t).
The first myth to tackle is the idea that you won’t be able to do any direct marketing post-GDPR unless you have explicit consent. That isn’t the case, because consent is only one of the six lawful bases for processing data. Legitimate interest is what marketers are looking to now – according to the ICO, legitimate interest:
‘may be the most appropriate basis when:
the processing is not required by law but is of a clear benefit to you or others;
there’s a limited privacy impact on the individual;
the individual should reasonably expect you to use their data in that way; and
you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.’
Legitimate interest is the most flexible lawful basis for processing, and according to the ICO, ‘the GDPR highlights direct marketing as one of the processing activities where the legitimate interests basis is likely to apply’.
So how do you know when you can and can’t use legitimate interest for marketing?
The GDPR doesn’t say that direct marketing is always a legitimate interest, and whether your processing is lawful on the basis of legitimate interests will depend on the individual circumstances, but as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, it’s likely that you can look to use legitimate interest by applying 3 tests –
Purpose test: are you pursuing a legitimate interest? (this could be someone else’s or yours – in the case of marketing it’s most likely to be yours, ie ‘we have a legitimate interest in marketing our goods to existing customers to increase sales’.)
Necessity test: is the processing necessary for that purpose? (ie the method of contact must be targeted and proportionate – is there a less intrusive way of achieving your purpose?)
Balancing test: do the individual’s interests override the legitimate interest? (are they likely to be disturbed or distressed to receive your communication?)
So let’s say you are marketing manager for a company in the North West that supplies IT support services to businesses, and you want to do a campaign by telephone and email promoting your services to IT Directors at limited companies in the North West. You apply the 3 tests: the purpose test – your legitimate interest could be that you are marketing your services to decision makers at companies that you would reasonably expect to have a requirement for your services, in order to increase your sales. The necessity test – making a phone call or sending an email to their place of work (as opposed to their home number or personal email) is targeted and is an effective and proportionate way to achieve your purpose. And finally the balancing test – an IT Director of a limited company would reasonably expect to receive marketing calls or emails at work from companies supplying IT support services, so they are unlikely to be distressed or surprised by your activity (but don’t forget that you need to give them a way of opting out in future).
As long as you follow this process for each marketing activity you want to do, and document your conclusions, you’ll be well on the way to ensuring that your marketing activities are lawful. There are lots of really useful resources and more detailed guides on the ICO website, and a helpline you can call if you need further advice.