Posted on 18/01/2018 at 09:00 by Corpdata
One of the key features of the GDPR is the concept of 'accountability'. It's written throughout the Regulation. As a sign of how central it is, Article 5 of the GDPR spells out 6 key principles in paragraph 1, but it also has a second paragraph which says only:
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').
The controller is you. This means you have nowhere to hide. You will no longer be able to point at the list owner, or the data broker, and leave them with the problem. Mind you, nor can they! Any problem sits firmly on everyone's lap. If you think back to children's party games, it's a bit like musical chairs, just without the chairs.
What does this mean for you? Well, you should definitely choose your suppliers with care. If they are unable to reassure you about any concerns you have, should you trust them? It's a due diligence process, and given that this is new, at least in the B2B space, you will need some time to put together your questions. To help you along, we have put together a non-exhaustive list of due diligence queries which will apply to many licensing situations. You can also refer to some earlier posts we have made to help you think about the implications: here is one, and here is a second.
At Corpdata we take our responsibilities to our customers seriously. We will help you comply with every aspect of the GDPR. We will help you with the documents you need to prove you are complying.
One of the principles says you must process data lawfully (obviously!), but to do so you must have a 'legal basis' for doing so. Until recently most people imagined the GDPR meant the only way to do things was by getting consent. We have never agreed. You may have seen our articles over the last few months explaining our understanding. Here is our October 2017 newsletter talking about consent among other things. We also issued another October 2017 blog explaining why consent didn't seem likely to work for list rental. In December 2017, the EU issued its guidance on consent which absolutely closed the issue. We issued this video covering the guidance. As we stated in October, consent will (almost) never be transferable, so will not suit list rental.
Following considerable study of the Regulation, Corpdata decided the only way we could SAFELY offer our lists to you was on the basis of 'legitimate interest', which is one of the other legal bases. That is what we have been telling data subjects when we have been researching their data, for almost 2 years.
You might be thinking other list owners can simply change the basis of processing to 'legitimate interest', and off we all go again. Unfortunately the Regulation seems clear: this would be unlawful (remember point 1 above). You must tell the data subject the lawful basis for processing at the time you collect the data. If you change the basis for processing, that data cannot be lawfully processed.
When can consent be lawful for a list? The key thing is consent must be VALID, and this means you need to be named at the time the data is collected. But naming you needs to be easy to understand (not in a huge list of names) and unlinked from anything else (such as directory listings), otherwise consent will NOT BE VALID.
Our advice is, if you need to use consent, do a bespoke list build. In any other circumstance, unless the data supplier can PROVE they told the data subject the legal basis is 'legitimate interest', don't touch their data.
Corpdata have call recordings of our research, and we also email data subjects after the call. We can prove every element of our research process to you, and for you, if needed.
The fifth principle of the GDPR is 'storage limitation'. It only says you should process personal data for as long as you need to, and no longer.
So when licensing data, this means YOU should decide the duration of your data license, not your supplier. An 'eternal' license, or 'list purchase', is not likely to work well; this would normally imply the processing duration has not been considered.
An 'open-ended' or 'rolling' license means you will terminate the license when you no longer need the data. This seems to best align the interests of the data subject, the list owner, and the licensee (you). Whatever you choose, make sure you document your decisions; you may need to prove them!
Corpdata offers data of durations fixed by you, or on a rolling basis, if that suits your needs better. You will comply with the requirements for 'storage limitation' by licensing Corpdata data.
We still have residual Christmas spirit, so this last one is a gift. A requirement that GDPR makes of data controllers is that if data changes the controller must notify any recipients of the data of those changes. This is primarily about allowing data subjects to exercise their rights, but it is also good practice. The rights state data should be updated as soon as possible, but within one month.
Direct marketing always has the possibility to generate a level of complaints. Keeping data up to date, and respecting the changing preferences of the data subject, is a good way to reduce the irritation felt. Your data supplier should make this easy for you. If not, you are increasing the chances your marketing will cause complaints, and that can't be good.
Corpdata's new systems send updates twice monthly to ensure the data is accurate and up to date. Using Corpdata means you can prove you are complying with the 'accuracy' principle of the GDPR.
Oh my, what a kerfuffle! At least some of the challenges around consent have been caused by the issues surrounding email marketing. The problem is this. The Data Protection Act is being replaced by the GDPR. GDPR covers the processing of personal data in a general sense. Emailing, or indeed any direct marketing over a publicly available electronic network is currently governed by the 'specialist' law PECR. PECR dates from 2002, and is due to be replaced.
The EU intended to bring in the new law, the ePrivacy Regulation on the same day as the GDPR becomes applicable, 25th May 2018. Unfortunately that seems very unlikely to happen now, and ePR is likely to be delayed by six months or even longer. This means there MAY BE a period where emailing to people using a work email address is still legal WITHOUT CONSENT, even after 25th May. This is causing some to suggest it will be 'business as usual'.
However, this is unlikely to remain the case. Back in October 2017 we put together this explanation, to help eMarketers think about the future. ePR is still in draft form, so there is the possibility for change, but the EU seem unlikely to create a loophole to allow emailing in a work context. Certainly none of the drafts, or comments on drafts, have suggested anything of the sort.
It is worth noting, it is really only the definition of a 'subscriber' in PECR which has permitted this emailing. Now the tighter definition of personal data in the GDPR, in combination with the removal of the 'subscriber' concept from ePR, will almost certainly mean consent is required.
So unsolicited email probably isn't a long term prospecting solution, but the period before ePR comes in may be an 'extension' to the 2 year implementation phase which the GDPR will have had by 25th May. If you choose to use this 'grey area', you might be well advised to consider it a work out phase, perhaps for trying to gain consent. Don't forget, sole traders and partnerships are still 'natural persons', so you should not email them. If you think about safety first, you should probably also avoid email addresses with 'consumery' type domains, such as gmail.com.
One big health warning. With all the attention on data protection, it is quite likely data subjects will complain anyway, believing the law has already changed. If brand image is important to you, or frankly if you just prefer an easy life, perhaps stopping email prospecting is your best course of action.
Other than that, bespoke list-builds may be a viable solution for eProspecting, but will likely increase the cost significantly. This will focus attention back on the targeting of the source data for the list-build project.
Corpdata offers exceptional targeting possibilities. We are able to offer bespoke list-build, and we record all calls where consent is gained, meaning you will be able to prove your consent is valid.
In May the new GDPR will get its teeth. Many organisations are just now starting to prepare, and if that is you, you are far from alone. The good news is you have time to put your house in order, and for many who are already following best practice, the changes will not be too great. In addition, it is quite possible to move to GDPR compliance using in-house resources.
Despite this, many organisations are approaching Corpdata for advice and guidance. Often this is because the GDPR is seen as a distraction from core business, sometimes because the risks are too great.
Corpdata have created a new division, to help people with Regulation 679, that's GDPR, called Dept679. You can consider it as an affordable one-stop solution to your personal data protection compliance concerns.
The proposition is intended to be remarkably simple, you keep focusing on your core business secure in the knowledge your data protection headaches are being coped with. The service starts with a review and gap analysis report. The report contains actionable advice, including wording such as contractual clauses, for inclusion in your documentation.
Of course there is no case law, so the service is intended to keep you safe over time by evolving as the law does, and is offered over a 5 year term. This also allows for the significant up-front costs to be spread over time.
If you would like to know more, please contact Corpdata on 01626 777400 and one of our data protection consultants will contact you for a free discussion with no obligation.