Complying with GDPR in time gives us all a long term future

Andy Smith has been Corpdata’s managing director since the Company’s beginning in 1992. Here’s his take on GDPR so far.

It seemed obvious to everyone that the General Data Protection Regulation (GDPR) threatened the direct marketing industry in a profound way. Since GDPR arrived in May last year, the sector has undergone significant change, not only losing a number of players but also forcing list owners to adapt. How they have done so is both interesting and surprising.

Andy thinks that that GDPR will continue its huge impact on UK direct marketing. But because Corpdata took active steps over three years ago all Corpdata’s clients can still safely use direct marketing to generate new business. In terms of how Corpdata embraced the new legal context the business had three choices; number one, do nothing until we had to; number two, wait and see and follow others or option three; understand the new legislation and its impact and act accordingly. As they say fortune favours the brave, but in reality Corpdata has always acted to be one step ahead, so line by line the team worked through how GDPR might apply to direct marketing, on those supplying business lists and the impact on clients that use them.

Andy said “We soon realised that we needed to completely re-engineer our list collation process, and quickly! We needed the time to be able to phone the many business contacts within our database because the way we tele-research had to change. After deciding on ‘our’ approach and how it would respect the individual communication preferences of contacts, it made our existing process redundant so we needed time build up the new, to replace the old”.

As you probably know GDPR places much importance on respecting the individuals and the information held about them, therefore it followed that taking reasonable steps to ensure that information is maintained to remain accurate and up to date is also important but HOW. Andy Smith “So if we have information about the preferences an individual has toward marketing from third parties, and their preferences change what would we need to do? After much head scratching we’ve arrived at a process which not only works but is simple. We update our clients live lists twice each month to let them know of any preferences which have changed and this demonstrates that we and our clients are serious about avoiding contacting anyone who no longer wishes to receive marketing communications".

If you look at different list providers you will see different approaches. Andy “It appears to me that most list owners essentially do now what they did before last May, meaning it’s still possible to find yourself on a mailing list because your personal information is held within a business directory or database for reasons other than for direct marketing. I really can’t see this continuing for much longer because it has so many flaws. It may be a strange thing to say but I think that over time, GDPR will improve the sector. Historically, there’s been a tendency for list providers to talk up their own lists but now that’s increasingly risky not least because there is now a heavier burden of proof. You are required to be able to demonstrate that the list you use complies with GDPR”.

Given the wide breadth of Corpdata clients its increasingly common to speak with people who have developed a working familiarity with GDPR. Most accept that they now have to do things differently so; proper due diligence when sourcing their mailing list is now important, as is having evidence that you have done just this. Direct marketers have had to learn and adapt so for instance, users of direct marketing lists understand they must be clear about the legal basis for collecting personal information they intend to use, how the fairness and transparency requirements of GDPR need to be applied, and holding evidence which they either retain or have from their list provider that helps prove they've done nothing wrong.

Andy feels that “this is an evolving discipline, the rulebook is still being written. We have really tried to embrace the letter, but also the spirit of GDPR. There will be interesting times ahead and work to do. Oh and my advice is that whatever happens with BREXIT, deal or no deal, GDPR is here to stay. So you had better take the action you need to ensure you’re complying too”.

If you are worried about data protection or ensuring you comply with GDPR, Dept679 can help a business centric and cost-effective manner while minimising any disruption to your operations. Call them on 0800 2800 679, or email enquiries@dept679.com.

If the ICO come knocking on your door – DON’T PANIC

Personal information that your business holds, how safe is it?

Even if you adopt a rock solid approach to GDPR you may have to prove you have done nothing wrong. If someone makes a complaint, it is possible that you may have to respond to the Information Commissioners Office (the ICO).

Here are a few ideas that help you prepare should this happen. Whilst much depends on the nature of the complaint, scrutiny might fall upon the following;

1. The legal basis you rely on to process personal information?


2. How did you let people know;
   
   - Your purposes for processing their personal information;
   
   - How they object to you processing their information;
   
   - How they could verify, correct or withdraw their details at any time.
   
   


3. If you rely on consent can you prove it? How did you gain consent, do you have evidence such as a call recording, something signed some evidence of who, when, how, and what you told a person.


4. Have you conducted a Legitimate Interest Assessment, which enables you to relate your need to process someone’s personal information to the potential consequences that your processing has for that individual.


5. Has there ever been a request you should cease processing an individual’s personal data? If so, can you demonstrate you have complied with the request?


6. Do you have a policy, written procedure or guidance which set out how complaints about data protection breaches/incidents should be handled?


7. What training do you provide in relation to the requirements of the DPA? Is this training mandatory? How frequently does this training occur?

That’s why we created Dept679, it exists to specifically help address the Data Protection needs of your business. We deliver practical guidance for you and your colleagues helping you to address the issues which you face and ensure you comply with GDPR be it in your sales, people management or the personal information you hold within any other part of your operation? If you need some advice just call 0800 2800 679 or email enquiries@dept679.com.

Update on Updates... which keep you safe

Corpdata telephone research systems and processes have only one objective and that’s to ensure that we supply business lists that are accurate, up-to-date and with the detail that allows clients to target their best prospects.

Whilst our mission to do this hasn’t changed in any way GDPR has brought with it a responsibility to ensure reasonable steps are taken to make sure that personal information held by clients is correct not only when sold but kept that way over time. So we and our many clients share the responsibility to avoid using information if it is likely to be out of date. There are mailing lists out there from the beginning of time itself, you may have come across them yourself !

How do you make sure that if you received a Corpdata list today it remains safe to use in six month time?

If like many you intend to use your list over a period of time, perhaps to build awareness, or to nurture prospects to the action you require, then its obvious your marketing list should allow you to do this effectively and also safely over time. Our list update process keeps your Corpdata lists right up to date. In fact it’s not uncommon that during mailing list due diligence clients complement our approach to maintaining accuracy as the only one that really does the job properly. After all we have adapted to the requirements of GDPR, we don’t cut corners and we don’t make dangerous assumptions which might get our clients in hot water.

Our work over the last three years allows us to select your prospects not solely on the basis of what they do, and where they work but also using their preferences for marketing communications from third parties. If and only if they have expressed a positive preference for contact via the marketing channel(s) you have specified may business contacts be included within your marketing list.

It takes considerable hard work to gain these preferences, so we take their provenance very seriously. You probably understand that GDPR now gives far greater emphasis to the rights and wishes of data subjects and in consequence we sought reasonable steps we might take to maintain the integrity of our databases. So, in addition to the adoption of a painstaking approach to getting information correct in the first place, we keep our eyes and ears open for any changes as soon as we reasonably can. If a contact has indicated that their preference has changed; details we hold are updated and the updating is precisely how our clients benefit because twice monthly list updates allow our clients to be aware and act on changes. In fact we have developed different methods your list can be kept up to date, just choose the process that suits you; you can receive:

1. The entire file resupplied to contain updated data; ready just to drop over the top of what you are already using (this probably works best if you use Excel).


2. Just the records which have changed (works well for those with CRM’s that can update records).


3. An API to allow you to query the current state of the data (this suits those of a more technical nature, or those with some technical support).

So let us assume that Mrs May wants to change a preference, e.g. she no longer wishes to receive telephone calls. Within a few days her preference change has been acted upon and the updated information is reflected in the lists that our clients receive. Our twice monthly updates now enable any client who might (other than single use) phone Mrs May to now know that they should not telephone her. This straight forward process helps us and our clients demonstrate the steps we take to respect the wishes of the data subjects, and in so doing our actions and that of our clients are lawful.