The Information Commissioner's Office (ICO) has warned firms that they must respect individuals' rights to prevent their data being used for marketing purposes.
The GDPR applies wherever you are processing ‘personal data’. So, if you can identify an individual either directly or indirectly, the GDPR applies - whether your marketing is to consumers or businesses.
If you have the name and number of a lead on file, or their email address identifies them (i.e. email@example.com), then the GDPR does apply. Even business cards fall under GDPR if you file them and obviously if they are added to a database.
In practice, those involved in business marketing can fall back on 'legitimate interests' as their justification. But remember that this must be 'real and not too vague'. In other words, make sure your targeting makes sense! Indiscriminately contacting people with no knowledge of what they do is likely to be a bad plan.
How to ensure GDPR compliance when marketing
- Make appropriate disclosures to data subjects via privacy notices - so they know who is collecting their information, what it will be used for, whether it will be shared with other organisations and when.
- Inform data subjects upfront of their right to object to data processing - via privacy notices and in your first communications with them.
- Get clear, explicit and unambiguous consent from individuals for any marketing activity - pre-filled boxes, silence or inactivity cannot be taken as a sign of consent. Remember that there are special rules that apply to data relating to children, special categories and vulnerable adults.
- Implement a process - to ensure that when data subjects change their mind and withdraw consent to marketing, they are not contacted in future and their wishes are respected.
- Honesty is the best policy - encourage everyone to report any data loss, theft or accidental transfer promptly. Cover ups can be costly under GDPR.
- Have a process to notify the data authority and data subjects if there is a high risk to their rights or freedoms - You have just 72 hours to notify the data authority of a data breach and those affected if there is a high risk to their rights or freedoms.
- Only use 'clean' data lists from approved and trusted data suppliers - make sure any in-house lists you use for direct marketing do not contain the names of anyone registered with the Telephone Preference Services (CTPS/TPS). And if you do buy or rent data, verify in writing how the data was collected and permissions acquired - it's your reputation on the line, not theirs.
- Storage limitation - a core principle of GDPR is that you must not keep personal data for longer than you need it. The ICO advises that you should "periodically review the data you hold, and erase or anonymise it when you no longer need it."
- Don't forget about data protection - make sure that your data is stored securely. That means the usual IT security measures, but also authorising who has access to it, making sure that data is transferred securely and ensuring it is not downloaded and held on devices.
- Make sure your staff know the rules - it may seem an obvious point, but the rules are complex, and often an afterthought for those focusing on their day-to-day work. At minimum new employees need GDPR compliance training, and GDPR desk guides are a handy way to make sure everyone follows the rules. Remember, it's not just the marketing team that needs to know the rules - everyone in the chain needs to know from customer service and sales to finance.
Recent ICO fines for marketing that was not GDPR compliant
Breaching the GDPR can cost you up to €20m or 4% of annual global turnover. If you were thinking that the ICO doesn't take action - recent penalties might change your mind.
The examples below are all household names who could have easily avoided these fines by simply following the tips that we have outlined above.
- Telecoms giant EE was fined £100,000 in June 2019 for sending over 2.5 million direct marketing messages to its customers, without their consent.
- Honk Kong airline Cathay Pacific was fined £500,000 in March 2020, for failing to protect the security of its customers’ personal data. Their computer systems lacked appropriate security measures that led to customers’ personal details being exposed.
- DSG Retail was fined £500,000 in January 2020 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
- Leave.EU was fined a total of £60,000 in February 2019 for sending almost 300,000 unsolicited communications without consent.
- In September 2020, CPS Advisory Ltd was fined £130,000 for making more than 100,000 unauthorised direct marketing calls to people about their pensions.
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library?.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!