Keep up to date with us

We update our blog with regular posts to keep you up to speed on the world of B2B data.

The Problem With Consent

Posted on 19/10/2017 at 11:07By Corpdata

We are very worried for some of you. We are hearing from quite a number of customers that other data suppliers are saying their data can be used on the GDPR legal basis of 'consent'.
It's not just…

We are very worried for some of you. We are hearing from quite a number of customers that other data suppliers are saying their data can be used on the GDPR legal basis of 'consent'.

It's not just the 'fly-by-nights' either, it includes some of the bigger data suppliers who REALLY SHOULD KNOW BETTER.

It seems that consent has been seized upon by many as the only basis for direct marketing. This is not true. In fact, in most circumstances, it is probably not even the best legal basis for direct marketing.

We can understand how some confusion has crept into the thinking of direct marketers. After all the Direct Marketing Association (DMA), the professional body for direct marketers in the UK has a document called 'GDPR Checklist'. In fairness, there is some good stuff in there, but on page 7, in the section called 'Third party data' point 2 is 'Know whether the consent was recently obtained/updated' and point 3 is 'Make sure that the third party can prove consent'. This implies consent will be a must for third party data. However, point 4 is 'Make sure your organisation was specifically named when the data was collected' which seems to be contradictory, suggesting consent will NOT be a valid legal basis for using third party data. Please forgive us, we cannot link to this document, it is for DMA members only, so if you have access, it is called 'GDPR Checklist', but as you can tell, if you never see it, you might merely have saved yourself some confusion!

And this highlights a very real challenge, namely even the people charged with, and paid for, providing guidance and counsel can't agree, not even with themselves!

None of which helps you promote your products and services to keep your organisation in business of course. But remember, as with everything in GDPR, the data controller (your organisation) is required to demonstrate you have complied with the law, and if you have chosen to use consent as the legal basis for processing, that includes having valid consent. If not, you could be processing personal data illegally.

With GDPR just months away, please, please, please think about this issue. This is what concerns us ...

Consent is now quite tightly defined

GDPR says consent must be 'freely given, specific, informed and unambiguous'.

But despite a tight definition, there is still some ambiguity. 'Freely given', 'unambiguous' and 'informed' are all very clearly specified in the recitals. This leaves the word 'specific', in the first line of the Article. What 'specific' means is not defined more clearly than this, so whilst we have a good idea about the intention, the UK Regulator will need to decide if the consent you have is specific enough.

What do the UK Regulator, the ICO have to say on this matter?

Well sadly the ICO, the UK data cop, is being quite tardy about their guidance, but that doesn't mean you can slack with your implementation (data subjects can sue you too!). They have said they will issue formal guidance on consent in December this year. Until then we only have their 'Draft GDPR consent guidance' issued on the 2nd March 2017 for a consultation period ending on 31st March 2017. PLEASE BE AWARE THIS MAY CHANGE.

Working with this document (you can download it from us free here, and if you are keen to make sure we haven't tinkered with it, you can download it free directly from the ICO here), they mention the requirement to name organisations relying on consent AT THE TIME OF COLLECTING THE DATA on many occasions:

Look at page 3 where the 'specific' requirement of valid consent is explained:

Name any third parties who will rely on the consent.

On page 7:

Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.

And again on page 21:

The controller’s identity: you must identify yourself, and also name any third parties who will be relying on consent.

And on page 28, it is stated that consent will be invalid if:

your organisation was not specifically named

On page 29 you are told when obtaining, recording and managing consent, you should:

Include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time.

On page 30:

the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough;

Finally, in the checklist on page 38:

We have named our organisation and any third parties

There are at least 7 mentions in a 39 page document. It seems very clear what the ICO will be expecting!

'My suppliers says they are naming all companies'

In practical terms, it is hard to imagine how this might be implemented, but in the quest for understanding let's suspend reality for a few moments and perform a thought experiment.

What does that phone call sound like? What does that web page look like, and how long is it?

... never mind, let's swallow the implausibility of this actually happening. On page 7 of the draft guidance on consent, the ICO say:

Granular: give granular options to consent separately to different types of processing wherever appropriate.

This means the data subject must be able to consent to the items they wish to consent to, and withhold consent from other items. NOW what does that phone call sound like? What does the web page look like with all those un-ticked boxes (mentioned many times)? How long does giving consent take?

... and you're back in the room!

The ICO, the UK enforcers, have mentioned 'granularity' at least as often as 'named' in their draft guidance. It is pretty clear what their intention is. And it springs from the underlying principal which is:

Consent means offering individuals genuine choice and control.

Guilty unless you can prove you are not

Remember you have to be able to prove you are 'in no way responsible' if things go wrong.

With that in mind we are going to examine this guidance now, just like you will do when doing your due diligence on data suppliers (you do do that, right?) It might help if you imagine explaining it to The Judge who just keeps on asking:

'Please show me proof you are in no way responsible?'

No B2B data supplier collecting data(*) knows who their data will be used by. Consequently the consent WILL BE INVALID, because it clearly cannot satisfy the ICO requirement; you weren't named when the data was collected. (*) unless you have contracted them to perform a bespoke research task for you.

And just to be clear, you can't get away with this by simply blaming the data supplier either. GDPR is very explicit that everyone is responsible unless they can prove they are not. That means you MUST do your due diligence, how else could you prove your innocence?

Why would a data supplier behave this way?

Obviously no reputable data supplier should. However, they may be:

Misinformed

Mistaken

Misleading

Misbehaving

The data marketplace is changing. Many of the 'fly-by-nights' are just scamming the unsuspecting for what they can get in the next few months. Others are simply lazy, and haven't thought about it in the hope nothing is changing. Still more are waiting for guidance.

The problem is, that doesn't help you!

Summary

If you are speaking to a data supplier who says you can use their data on the basis of consent, as the Regulator sees it, they are wrong! And that puts you at huge risk.

At Corpdata we know the ONLY legal basis for using third party lists using the current guidance, is 'Legitimate Interest'. What is more, we will help you do it. We will help you with the documentation you need:

Have you thought about the 'balancing test'?

... or the 'necessity test'?

... what about proof you need?

... do they have call recordings?

... do they hold document scans?

... what about ensuring you get 'rectifications' to the data?

... how are you complying with the 'storage limitation' principle?

The old phrase 'caveat emptor' or 'buyer beware' still applies, trade with charlatans at your peril!

We would be delighted to talk to you about the challenges you are facing, and how we can guarantee your compliance and maintain your results.

We have more GDPR information on our GDPR video channel.

If you want to know more, please contact us, details just below.

October 2017 Newsletter

Posted on 16/10/2017 at 11:33By Corpdata

How Corpdata helps you comply with new data protection law
As you know a new data protection law is coming into force in May 2018. When we at Corpdata first heard about it, it was pretty obvious tha…

How Corpdata helps you comply with new data protection law

As you know a new data protection law is coming into force in May 2018. When we at Corpdata first heard about it, it was pretty obvious that GDPR would impact on what we do, and on clients who use our business lists. After a lot of thought we started to plan and change our procedures to enable both us, and equally importantly you, to still execute effective direct marketing AND comply with GDPR (download the regulation from us here.).

Increasingly common are conversations with long standing customers concerned about how they can continue to use externally sourced business lists for direct marketing. Unfortunately for everyone concerned, there is still little concrete information out there, so organisations are having to take matters into their own hands. Some turn to lawyers for guidance, but are often finding the legal profession is unable or unwilling to provide meaningful advice. As time moves on some are feeling it necessary to form some sort of opinion and strategy. Many however are waiting, and doing so in the hope that instructions will emerge from some august body.

Over the past eighteen months we have tried to share our view on what we think the new legislation will mean, and what we and you as a direct marketer need to do to remain legal.

Well, there's some good news, and there's some bad news.

The Good News – there is some !

You can still use direct marketing to generate new business, and you can continue to use third party data, such as a business list from Corpdata.

The Bad News

1. Consent is talked about way too much.
In some ways this seemed the easiest to look into in the early days, there was already some guidance upon what consent might mean, how it could be gained and what might be required to make it compliant. But consent is only ONE of the possible lawful bases for processing personal data, and often will not be the most suitable.

2. Consent will almost never be valid if you use externally sourced lists.
Consent cannot be transferred, full stop. Any data supplier who tells you their data can be used on the basis of consent is either lying to you or completely missing the point ! The ICO take the view that for consent to be valid, the data subject must know who they are giving consent to. This is obviously not the case except in specific list build projects.

3. But you can't forget about consent.
Despite that, the new ePrivacy Regulation (if it is implemented as drafted) will mean you will need consent for using email, mobile phone numbers, social media handles and so forth. So you can't entirely escape the concept of consent. Most importantly ePrivacy as it is drafted means you will not be able to use email addresses from third party data. It's worth re-reading you will NOT be able to use email addresses from third party data if ePrivacy arrives as it seems to be intended. If this is worrying for you, or you don't understand why we say this, our 3 page detailed exploration covers all the legal ground, and the exchanges about the draft document which are happening within the EU. We provide all the documents for you to download, information about where to look within them. We encourage you to form your own opinion, and we are very happy to talk with you about this.

4. You are guilty unless you can prove otherwise.
You need to have the proof that you have acted lawfully. Enough said!

Back to the Good News

All the steps we have taken, changes to how we research, and supply our business lists mean that you can be certain that use of Corpdata data and complying with our terms and conditions, you will be able to execute effective and safe direct marketing. As we’ve already mentioned you need to prove that your data and its processing is legal. As your supplier we enable you to do so, and help you prove you need to.

Not so much a 'Get out of jail free' card, more or a ‘Don’t go to Jail in the first place’ card for B2B direct marketers.

Want to know more about what we’ve done. It’s explained in more detail on our YouTube channel; Andy Smith (MD) explains it all, what we’ve done and the legal reasons why.

If you are wondering how we work, and more about the organisation, our One Minute Whizz through Corpdata video will show you about us.

On our YouTube channel, we share with you our understanding of GDPR and look at the impacts of it on UK organisations.

We have updated our Terms and Conditions, and these are key to ensuring you continue to be safe when GDPR comes into force.

Our telephone research and our process make your Corpdata business list safe to use

Over 25 years our reputation for supplying UK business lists is not just the result of our bright articulate people and the calls they make checking and refreshing details we hold on hundreds of thousands of UK businesses. Our clients stick with us because of our years of experience to adapt our systems and processes to meet the direct marketing needs of today.

As you know UK data protection legislation is changing, and you may also be aware that with these changes come large penalties for the unwise or unwary. The law changes many things; one being that the distinction between private individuals and those acting as agents for the companies they work for will for all practicable purposes no longer exist.

Well over a year ago we refocussed our telephone research and what we ask to reflect the change in data protection law. When we now call, we ask those we speak to for their preferences toward marketing communications via email, telephone or post. It became apparent to us that most people were prepared to receive something ! So after many months of careful research we are now in the position to present clients with business lists using contact preferences.

Once we have gained a person's preferences toward direct marketing messages it becomes important to respect them, and be seen to do so. It may seem obvious but we also thought long and hard about both obtaining business contact information in a lawful way but also managing what we have to ensure that its continued use is also lawful.

This is why we now offer two safe methods to use Corpdata B2B business lists. The simplest is to use them quickly after we supply them, use them once – it’s that simple. However many people believe that the most effective direct marketing employs a multiple contact approach to both inform, educate and motivate people to action over time. Many of our clients do just this. Our Rolling license allows them to continue to do so by regularly updating the list they use, which means the latest update from us reflects any changes in our contact’s preferences.

GDPR is not that far away (download the regulation from us here.). Our approach does mean that if your business needs to target new business you will still be able to do so.

GDPR and you

Many of our customers are contacting us concerned about GDPR and how they or their clients should respond to it. Regulation 679 of the European Union, otherwise known as GDPR, comes into force on 25th May 2018 (download the regulation from us here.). Our newsletter opened about the steps we have taken to prepare and respond, and how direct marketing can still be efficiently employed to continue to find customers and help businesses grow.

Corpdata have for twenty five years served the demand for accurate B2B marketing lists, but GDPR goes well beyond your ability to target and communicate to potential new customers. New business acquisition is impacted by the change in data protection law, but we recognise this is only part of your organisations challenge. Like every organisation Corpdata holds employee records, customer records, prospect details, supplier information and so on. You can understand that GDPR was always going to have a big impact on what we do. This meant we really think things through properly, and carefully and fully. So we applied ourselves to making sure that we are fully compliant. We are and so we now offer this service to you.

We recognised that between now and next May, there would be a growing need for practical and affordable advice that allows small to medium sized organisations to effectively manage the risk that GDPR poses.

You will need to be legal, and you will need to be able to prove it. So, Dept679 has been created specifically to enable organisations to ensure full compliance with GDPR, and develop processes and systems that allow you to prove it.

Rather like providing accurate business lists quickly, the ethos of Dept679 is “You concentrate on what you do best, we'll take care of your personal data protection worries”. Most people are enjoying the affordability. Our aim is to partner with our clients long term, so we do not charge huge up-front fees, but instead cost are spread over a five year term, during which time we will ensure you continue to comply even as the law becomes more clear and settled.

Five years may sound like a long time but when the law does change it will be here for ever, and so will your need to comply.

Dept679 is a division of Corpdata, have a look at dept679.com, from just £100 per month we’ll help you manage this potentially complicated area. Leaving you to get on with managing your business.

Call Dept679 FREE to find out more - 0800 2800 679

New Business and GDPR

Posted on 03/10/2017 at 09:30By Corpdata

Many marketing people are starting to appreciate that GDPR will affect new business generation. We are increasingly hearing questions like 'Do I need to get consent?' This is a sign that awareness…

Many marketing people are starting to appreciate that GDPR will affect new business generation. We are increasingly hearing questions like 'Do I need to get consent?' This is a sign that awareness of the new data protection requirements are gradually rising to a conscious, and sometimes worrying level.

We understand that! As the UK’s premier B2B marketing list supplier we have been working through the challenges for a long time. Happily, we can reassure you using Corpdata data to find new customers will continue to be legal and rewarding after May 2018.

Unfortunately, we also hear of other data suppliers who claim GDPR changes nothing. As one of our customers asked us 'If nothing is changing what is the point of GDPR?', and of course they are right. Changes are required, and this will challenge some.