Data Protection and Marketing

The handling of personal data in the marketing sector differs from most other processing, so it calls for its own reading of the data protection principles. The use of personal data for marketing purposes is governed by the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR). PECR implements the European e-Privacy Directive, which addresses the specific privacy risks that arise from electronic communications. Because the marketing sector relies on the internet and digital networks to reach customers, marketers need to understand both the DPA and PECR to avoid breaching them and to reduce the risk of a personal data breach.

Direct Marketing

Direct marketing is the practice of contacting targeted customers directly through channels such as email, telephone, SMS or fax. The e-Privacy Directive and PECR set out the rules an organisation must follow if it wishes to use these channels. In practice, electronic direct marketing to individuals generally requires consent. The individual giving consent needs to be told which channels will be used to contact them and what their personal data will be used for in connection with direct marketing.

Digitonomy Ltd, a UK based credit broker, was fined £120,000 by the Information Commissioner’s Office (ICO) in 2016 for contravening PECR. Digitonomy Ltd was found to have sent over 5 million marketing texts to the public without consent. These texts, reported by recipients as spam, generated 1,464 complaints, prompting the ICO to act.

Digitonomy Ltd was working with affiliate marketing companies to distribute these text messages, and assumed that the consent those affiliates had collected covered its own messages. The ICO found that this did not amount to specific consent for Digitonomy’s marketing. Because Digitonomy Ltd could not demonstrate that it had obtained specific consent, a monetary penalty under the ICO’s enforcement powers followed.

Marketing teams therefore need a thorough understanding of the rules set out in the DPA and PECR, including the requirement to be able to evidence consent, if they are to avoid monetary penalties from the ICO.

Legitimate Interest

Legitimate interests is a flexible lawful basis that marketers can rely on to process personal data in ways an individual would reasonably expect. It does not override PECR, however: PECR states that an organisation wishing to send direct marketing messages electronically must first have obtained consent. The one exception is the so-called soft opt-in, under which an organisation may send further electronic messages to an existing customer, but only about its own similar products or services. In addition, every such message must give the individual a simple way to opt out of further communications.

To check that your business is relying on legitimate interests correctly, the ICO has set out a three-part test: the purpose test (is there a legitimate interest behind the processing?), the necessity test (is the processing necessary for that purpose?) and the balancing test (is that interest overridden by the individual’s interests, rights and freedoms?). A business that applies and documents these tests properly should have little to fear from an ICO examination of its marketing procedures.

Because the GDPR raised the standard for consent, businesses have had to consider whether existing customers still want to receive marketing emails. Many have therefore run re-permissioning campaigns asking customers for permission to keep sending them. Asos.com, the British online fashion company, sent a series of bold and concise emails with the subject line: “The law is changing. Are you set to get your ASOS emails?” This gave the organisation a clear record of which individuals had agreed to receive its marketing emails and which had not, which in turn supports its compliance with the DPA and PECR.

Businesses need to be certain how they can market themselves while remaining compliant with the DPA and PECR, to avoid crippling fines from the ICO. That certainty comes from applying the rules on direct marketing and legitimate interests correctly and keeping evidence that they have been applied.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs, controllers and processors. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
