It will come as no great surprise to know that direct marketers might be at risk when the GDPR gets its teeth in May 2018. This has been emphasised by 'Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679', recently issued by the Article 29 Working Party, or WP29 as it is known. You can download it free here.
What is the Article 29 Working Party?
The Working Party was set up under Articles 29 and 30 of Directive 95/46/EC, the Directive that the UK implemented as the Data Protection Act 1998. Its remit is 'the protection of individuals with regard to the processing of personal data', and it is the body that will become the European Data Protection Board when the GDPR becomes applicable. In practice this makes it the authority that national regulators such as the ICO look to on matters of personal data protection: it is WP29 which tells the ICO how to do its job, and part of its task is to ensure 'equivalent' conditions in all member states.
This document was issued on 3rd October 2017, and is important because it tells the ICO, and us, the guidelines it must use when deciding upon enforcement measures. It refers to other measures available to the ICO, but this document focuses on applying administrative fines, and how to calculate them.
What the guidelines say about direct marketing
The main section of the document concerns 'assessment criteria' for administrative fines. Understandably, much attention is paid to the general 'nature, gravity and duration of the infringement', but beyond that we can find some themes.
1. Comply or expect fines
The final point in the 'assessment' section is particularly relevant, and is called:
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Since the only objective(*) of direct marketing is to gain a financial benefit, direct marketing falls squarely within its purview. This point concludes:
... the fact that the controller had profited from the infringement of the Regulation may constitute a strong indication that a fine should be imposed.
(*) you may be able to argue otherwise, but ...
The implication for direct marketers is 'if you don't comply expect fines!'
2. You are accountable so act responsibly
GDPR has introduced 'a far greater level of accountability' than the DPA ever did. It refers to the obligation on the controller to 'make the necessary assessments and reach the appropriate conclusions'. It suggests the ICO must consider whether the controller 'did what it could be expected to do'. It also states you should create structures and procedures adequate for the risks of your organisation, stating:
controllers and processors cannot legitimise breaches of data protection law by claiming a shortage of resources.
The guidance also instructs the ICO to consider whether infringements are intentional or negligent in nature and observes:
It is generally admitted that intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine.
Judgements about negligence or intent will be taken from the 'objective elements' of the facts of the case. So, as GDPR says, you have to prove it! If you can't demonstrate a fact, you are demonstrating another one, namely that you didn't act responsibly enough.
One area in which to demonstrate you are behaving responsibly will be your due diligence when sourcing a list, and the guidelines make clear this needs to be thoroughly documented. List rental is explicitly mentioned as one of the examples of an 'intentional infringement'. It states an example of an intentional breach might be:
the trade of personal data for marketing purpose i.e. selling data as 'opted in' without checking/disregarding data subjects' views about how their data should be used
Please recall that the requirements for consent to be valid are significantly stiffened by GDPR. As we have covered in a previous blog, the ICO has stated that for consent to be valid, the name of the organisation must be given at the time the data is collected, and the request for consent must be clear and easily understood.
This means a third party list owner must have named you at the time they researched the data, and they cannot have buried you in a massive list of potential users. Only if both of these are true will you have valid consent.
If you accept the assurances of a data supplier WITHOUT CHECKING these matters, you can expect you will be found to have acted irresponsibly.
If you infringe the regulation, you are accountable.
If you are not acting responsibly, you can expect a fine.
If you are doing direct marketing, you can expect a fine.
If you are doing direct marketing WHILST not acting responsibly, expect a BIG fine!
Unless the ICO changes its interpretation (which seems unlikely, since WP29 ensures consistency across all member states), no third party list, unless it is compiled explicitly for you, will have valid consent. If you use data on the basis of consent when that consent is found not to be valid, you have infringed the law.
These guidelines tell us all what to expect, and they tell us to comply or expect big fines. We can deduce that the unscrupulous data houses will take a pounding. The question you probably need to ask is “Am I confident the data house has considered my interests as well as their own?”
Corpdata lists will be usable but only on the basis of 'legitimate interest'. If you want to know more about how we have changed our procedures to keep you safe, have a look at the 'Corpdata GDPR Changes' video.
This blog is the latest in a number of GDPR information pieces. Others are available below:
If you would like to know how Corpdata can keep your direct marketing safe and compliant, or if you have any other questions, please call us now on (01626) 777400.
GDPR and sourcing a list
Posted on 02/08/2017 at 09:43By Corpdata
By now you have probably heard about GDPR, and the headlines about huge fines.
You're involved in marketing in some form, so have been thinking about how it might affect your tasks. One of the biggest implications is in danger of slipping past unnoticed. Under GDPR's accountability principle, the burden is on you to demonstrate that you complied; if you cannot show it, the assumption will be that you did not. So quite a high bar!
Now, consider how you go about sourcing a marketing list. Are you doing sufficient due diligence to be able to prove everything is safe to use? Have you thought about how you might do this?
You need to cover a few key questions. Ask your potential list providers:
How do you create your list? (OWNERSHIP)
What do you tell data subjects about how their data will be used? (TRANSPARENT)
When did you inform them of their rights? (FAIR)
What is the legal basis you are using? (LAWFUL)
How do you ensure your data is accurate? (ACCURATE)
And one more key question: Do you have any requirements of me before I can license your data?
If your supplier struggles to answer these, so will you, and you'll have a hard time persuading anyone that you acted responsibly.
Buying data just got harder, unless you buy from Corpdata that is!
Accurate B2B lists from Corpdata
It's your choice how we can help you with your best marketing list.
Working as you have been
Until May next year you can continue to source safe-to-use (Data Protection Act) business contacts as now, although we are not able to license contacts for use beyond 25th May 2018. We have introduced two new licenses, a nine month and a six month license, allowing you to license your list to suit your needs, and as our client you will be well positioned to adopt our GDPR compliant data.
Step boldly into GDPR-era direct marketing by adopting our new GDPR compliant lists: either a one-off single use license or our more popular rolling license featuring regular updates.
Corpdata business lists
Telephone checked to always be accurate and up to date
Fully comply with GDPR
Actively managed to respect data subject preferences
Low initial cost
Rolling license, rolling payment letting you spread your investment over time
Lets you use your list over time helping you nurture your new business
Please have a look at our website, or give us a call now on 01626 777400 to continue to work in DPA style, or to understand more about the GDPR compliant licenses. We take our data very seriously; that's why we've put out some clear and useful YouTube mini guides to help you understand GDPR quickly. Just look at the Corpdata GDPR YouTube channel for ideas.