Getting Ready for GDPR
New requirements concerning the collection, storage and use of personal data will go live next month (25 May). Presently, there is no distinction between personal and business data. The new General Data Protection Regulation (GDPR) will apply to both business-to-consumer and business-to-business organisations.

From a marketing point of view, we must make sure that we have individuals’ specific consent before emailing them about anything other than the product/service that they are currently engaged with.

So – it is ok to email about the product/service you are providing to them… their ‘account’ with you. Marketing emails can only be sent with their specific consent. This applies to newsletters, events and specific product/service updates.

The only exception is for existing customers: if they meet all three of these criteria, the ‘soft opt-in’ applies:
  • you have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
  • you are only marketing your own similar products or services; and
  • you gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
If any of these criteria have not been met, we need to approach all customers to request permission to contact them for marketing purposes. In most cases, the third point is the area to investigate further:
  1. Did people have the option to ‘opt out’ of being added to the marketing list?
  2. Were ‘opt out’ links provided with every email received?
This happens automatically within most marketing email software such as Mailchimp, although not in generic email systems such as Outlook. Letters of engagement should be amended to include an opportunity for the person signing the agreement to give their consent for communication (all methods involved) and marketing.

Proof of Consent
New GDPR requirements mean that an organisation must be able to demonstrate that an individual consented to the processing of their information. Records should include:
  • who consented;
  • when they consented;
  • what they were told;
  • how that consent was given;
  • by what mechanism; and
  • when consent was withdrawn (if applicable).
For marketing purposes, creating a new list within Mailchimp plus retaining a copy of the email requesting consent will meet these requirements.
When consenting to the processing of their data and to receiving marketing communication, individuals should be referred to a Privacy Policy.

Privacy Policies
The following questions should be considered when writing a privacy notice: 
  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • How long will it be kept for?
  • How will it be disposed of after this period?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain? 
This applies to customers, employees and volunteers. The above list can form the basis of your Privacy Policy.
Why are you processing personal data?
At least one of these must apply whenever you process personal data:           
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The validity of each of the above options depends upon which data you are collecting and why. If you are relying on consent, you should:
  • display it clearly and prominently;
  • ask individuals to positively opt-in;
  • give them sufficient information to make a choice;
  • explain the different ways you will use their information, if you have more than one purpose;
  • provide a clear and simple way for them to indicate they agree to different types of processing; and
  • include a separate unticked opt-in box for direct marketing.
Legitimate interests can be used to justify:
  • postal marketing;
  • email to existing customers using the ‘soft opt-in’ option – see above; and
  • telephone marketing to people who have not previously opted out – either to you, or by registering on the Telephone Preference Service (or Corporate Telephone Preference Service).
For further information, please contact us or refer to the Information Commissioner's Office.