Why It’s OK to Continue to Buy Marketing Data under GDPR
The new General Data Protection Regulations, commonly referred to as “GDPR”, become UK Law on 25 May 2018. Whilst uncertainty about the ability to buy marketing data once it comes in has been widespread, there needn’t be any cause for concern among those who operate legitimately.
This blog addresses the questions most frequently asked, both of us and across the industry. It sets out Data Bubble’s position on GDPR. The information below is for guidance only and Data Bubble recommends any business also seeks its own independent legal advice, since GDPR extends far beyond the ability to buy marketing data.
GDPR and Compliant Data for Businesses
Data Bubble is a data list broker specialising in providing accurate b2c and b2b data. We license business information to businesses for marketing and data management purposes. We ensure that all our suppliers are compliant with current legislation and are prepared for the implementation of the General Data Protection Regulations (“GDPR”), i.e. that they are “GDPR ready”.
From 25th May 2018 all businesses in the EU will need to comply with GDPR, which is directly concerned with the collection, storage and use of personal data.
The storage and handling of data has for many years been governed by the Data Protection Act 1998 (“DPA”). However, from 25 May 2018, DPA will be replaced by GDPR, which will provide a far more robust set of rules for the collection, storage and processing of personal information. GDPR is a regulation rather than a directive, which means it is a single piece of legislation that applies across all EU member states (and as the UK will still be a member of the EU in 2018, it therefore applies to the UK in the same way). In respect of electronic marketing communications, there are additional rules that come from the Privacy and Electronic Communications Regulations 2003 (“PECR”). With the introduction of GDPR, this is also now in the process of being revised.
What is Personal Data?
Personal data is defined as (Article 4(1)):
“Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Examples of personal data include elements such as name, address, gender, date of birth etc. However, personal data can also include other less obvious identifiers such as IP addresses. Basically, personal data applies to any data from which a living individual (data subject) could be identified.
What is the Impact of GDPR?
Every organisation that holds personal data about its customers, employees and / or prospects will be affected by GDPR, since its reach includes personnel records, customer details, sales and marketing prospect information, online identifier data etc. Organisations will be accountable to the data protection supervisory authorities (in the UK this is the Information Commissioner’s Office “ICO”). Whilst the accountability is not a new requirement, GDPR requires all organisations to record and document compliance with all applicable aspects of GDPR.
For many organisations, this will mean conducting an internal audit to “put their house in order” in the months leading up to 25 May 2018. GDPR gives individuals more rights in respect of their data, including more control and visibility of how their personal data is being used. It also gives them the right to have that information removed or moved if requested.
Using personal data for direct marketing
Under the DPA and GDPR, there are 6 lawful grounds that can be used for the processing of personal data. Consent is one such lawful ground for processing, but not the only one. Many organisations will rely on other lawful grounds for processing of personal data, such as legitimate interest.
Relying on legitimate interest involves:
a) Establishing the interest of the organisation – this could be for example promoting goods or services offered by the organisation. Processing for direct marketing purposes is specifically mentioned within GDPR;
b) Carrying out a necessity test – this requires consideration of whether there is another way of achieving the interest, without having to use the personal data. Even if there is another way, but it would require disproportionate effort, the necessity could still be established. You need to consider – is there a way to make direct marketing communication with the correct contacts within an organisation without holding their personal data? It is unlikely that there would be another proportionate way of making direct marketing communications without the necessity to use personal data; and
c) Balancing the interest of the organisation against the fundamental rights of the data subjects and whether the use of their personal data by the organisation could have a significant impact on their fundamental rights. In the context of b2b direct marketing, where communications relate to business services rather than the personal life of the individuals receiving the communications, it is unlikely that the fundamental rights of such individuals would be impaired. Those communications need to be measured and unobtrusive.
Having spoken at length to all of our suppliers over the past few months, Data Bubble is satisfied that they all meet the standards that we expect with regard to their complying with GDPR. Our suppliers have all confirmed that they will either gain specific consent or adopt robust procedures which ensure that it is reasonable to rely on legitimate interest as grounds for the processing of personal data for direct marketing purposes, given the very limited amount of personal information being processed.
How is PECR involved in all of this?
PECR rules relate to electronic marketing communications such as email and SMS. They are in addition to the requirements under the GDPR (Data Bubble does not supply data for the purposes of marketing via SMS so the below relates only to email marketing).
PECR treats the use of email for marketing communication differently depending on whether it is sent to ‘individual subscribers’ or to ‘corporate subscribers’.
‘Individual subscribers’ include those working for unincorporated entities such as sole traders and partnerships. The rules require that electronic mail for direct marketing purposes sent to individual subscribers must be based on a prior consent obtained from such individuals (“opt-in”).
‘Corporate subscribers’ consist of those working for companies and other incorporated organisations, such as LLPs. PECR allows electronic direct marketing communications to be sent to corporate subscribers (business email addresses of individuals working for incorporated entities) without prior consent, unless the recipient specifically requests not to receive emails from the sender (“opt-out”). Each direct marketing email should include an “unsubscribe” option to allow the individual to notify the sender that he/she no longer wishes to receive emails from the sender.
After extensive research and legal advice, here is a summary of our list owners’ positions and therefore why we are confident to say that it is OK to buy marketing data once GDPR comes into effect:
– There are multiple ways in which a business can comply with GDPR when processing personal data.
– The ICO acknowledges that Consent may be hard for an organisation to achieve and therefore suggests considering Legitimate Interest as a better alternative route.
– Our list owners use either Consent or Legitimate Interest as the legal basis to process personal data.
– Our list owners take several steps to ensure their data is up-to-date, accurate and compliant, using various methods. Many make telephone calls every day to confirm and update information regarding businesses. During any call / contact, if a business / individual wishes not to have any data processed, then they have the opportunity to opt out as is their right under the DPA/GDPR.
– Our B2B list owners maintain a B2B database for a multitude of purposes including:
i) enabling businesses to be found across different platforms e.g. search engines and Sat Navs,
ii) ensuring that closed/ceased trading businesses are deleted from search engines,
iii) improving organic search through accurate data listings across multiple online platforms, providing data for marketing and data management, identifying businesses in the protection against fraud and enabling businesses to seek and access finance.
– Where they speak to an individual and receive an opt-out response, the data is removed.
– Provision of personal data by the list owner to its customers may be based on legitimate interest.
– Legitimate interest should equally apply to the use of personal data by the list owners’ clients, subject to PECR rules and the client’s own assessment of this lawful ground for processing of personal data.
Provision of Data to Third Parties
Data Bubble license and sell business information to third parties for legitimate purposes including marketing and data management. Some of our list owners do not necessarily rely on consent for the purposes of GDPR. However, they do continually verify their entire database of UK businesses by telephone and / or other methods. These processes continuously enhance the database quality and regularly provide businesses with the opportunity to opt out. This process assists clients in compliance with PECR as part of good business practice, and supports a legitimate interest position.
The information provided is for guidance only – Data Bubble recommends any business also seeks its own independent legal advice.
Article 6(1) Lawfulness of processing – (a) relates to consent; (f) relates to legitimate interest.
Recital 47 – “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”