It will come as no great surprise to know that direct marketers might be at risk when the GDPR gets its teeth in May 2018. This has been emphasised by 'Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679', recently issued by the Article 29 Working Party, or WP29 as it is known. You can download it free here.
What is the Article 29 Working Party?
The Working Party was set up under Articles 29 and 30 of Directive 95/46/EC, the directive implemented in the UK by the Data Protection Act 1998. Its remit is 'the protection of individuals with regard to the processing of personal data', and it is the body that will become the European Data Protection Board when GDPR becomes applicable. This makes it the ultimate authority on all matters relating to personal data protection: it is WP29 which tells the ICO how to do its job. Part of its task is to ensure 'equivalent' conditions in all member states.
This document was issued on 3rd October 2017, and is important because it tells the ICO, and us, the guidelines it must use when deciding upon enforcement measures. It refers to other measures available to the ICO, but this document focuses on applying administrative fines, and how to calculate them.
What the guidelines say about direct marketing
The main section of the document concerns 'assessment criteria' for administrative fines. Understandably, much attention is paid to the general 'nature, gravity and duration of the infringement', but beyond that we can find some themes.
1. Comply or expect fines
The final point in the 'assessment' section is particularly relevant, and is called:
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Since the only objective(*) of direct marketing is to gain a financial benefit, direct marketing falls squarely within its purview. This point concludes:
... the fact that the controller had profited from the infringement of the Regulation may constitute a strong indication that a fine should be imposed.
(*) you may be able to argue otherwise, but ...
The implication for direct marketers is 'if you don't comply expect fines!'
2. You are accountable so act responsibly
GDPR has introduced 'a far greater level of accountability' than the DPA ever did. The guidance refers to the obligation on the controller to 'make the necessary assessments and reach the appropriate conclusions'. It suggests the ICO must consider whether the controller 'did what it could be expected to do'. It also states that you should create structures and procedures adequate for the risks of your organisation, adding:
controllers and processors cannot legitimise breaches of data protection law by claiming a shortage of resources.
The guidance also instructs the ICO to consider whether infringements are intentional or negligent in nature and observes:
It is generally admitted that intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones and therefore may be more likely to warrant the application of an administrative fine.
Judgements about negligence or intent will be drawn from the 'objective elements' of the facts of the case. So, as GDPR says, you have to prove it! If you can't demonstrate a fact, you ARE demonstrating another one, namely that you didn't act responsibly enough.
One area in which to demonstrate you are behaving responsibly will be your due diligence when sourcing a list, and the guidelines clearly tell us this needs to be thoroughly documented. List rental is explicitly mentioned as one of the examples of an 'intentional infringement'. It states that an example of an intentional breach might be:
the trade of personal data for marketing purpose ie selling data as ‘opted in’ without checking/disregarding data subjects’ views about how their data should be used
Please recall that the requirements for consent to be valid are significantly stiffened by GDPR. As we covered in a previous blog, the ICO has stated that for consent to be valid, the name of the organisation must be given at the time the data is collected, and the request for consent must be clear and easily understood.
This means a third party list owner must have named you at the time they researched the data, and they could not have put you in a massive list of potential users. Only if both of these are true will you have valid consent.
If you accept the assurances of a data supplier WITHOUT CHECKING these matters, you can expect you will be found to have acted irresponsibly.
If you infringe the regulation, you are accountable.
If you are not acting responsibly, you can expect a fine.
If you are doing direct marketing, you can expect a fine.
If you are doing direct marketing WHILST not acting responsibly, expect a BIG fine!
Unless the ICO changes its interpretation (which seems unlikely, since WP29 ensures consistency across all member states), no third party lists, unless they are compiled explicitly for you, will have valid consent. If you use data on the basis of consent, and that consent is found not to be valid, you have infringed the law.
These guidelines tell us all what to expect, and they tell us to comply or expect big fines. We can deduce that unscrupulous data houses will take a pounding. The question you probably need to ask is: "Am I confident the data house has considered my interests as well as its own?"
Corpdata lists will be usable but only on the basis of 'legitimate interest'. If you want to know more about how we have changed our procedures to keep you safe, have a look at the 'Corpdata GDPR Changes' video.
This blog is the latest in a number of GDPR information pieces. Others are available below: