GDPR: Direct Marketing update

An area of some confusion among clients, now bracing themselves for the arrival of the GDPR, is on what basis they can continue to market themselves to customers: is fresh consent required, or what are the alternatives?  With the 25th of May fast approaching, this short article explains that the new restrictive form of consent proposed by the GDPR is not the only lawful ground of data processing applicable to direct marketing, and there is a more flexible alternative.  It also serves as a reminder that the e-Privacy regime must be considered alongside the GDPR when sending e-marketing.

Direct marketing and the GDPR

Direct marketing under the GDPR is treated the same as any other data processing – you will need to show that you have a lawful basis for collecting and processing data from customers, with consent being one such lawful basis.  Obtaining valid consent under the GDPR will be significantly more difficult than under the current data protection regime, and the view among advisors is that it should be avoided where alternative grounds are available.

Fortunately for marketers, the GDPR does recognise that “legitimate interest” may be relied on as a basis for data processing for direct marketing. When assessing whether it can be relied on, a balancing test should be carried out using these steps (otherwise known as a legitimate interests assessment):

  • identify the legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

The first two steps require you to identify a legitimate interest, and assess whether your data processing is necessary to achieve it (i.e. whether there are other less invasive methods available). Crucial to this analysis is the third stage where you must consider whether the interests of the individual override your legitimate interest of marketing to them.  In a large part this can be ascertained by looking at the reasonable expectations of the individuals – i.e. would they expect you to process their information for the purposes of marketing in the manner chosen?  A record of this legitimate interest assessment should be kept, and details of the legitimate interest being pursued should be included in your privacy policy.

Whilst specific consent is not required under this ground to process personal data, you should always allow the recipient an opportunity to opt-out of receiving your direct marketing material.

Don’t forget about e-Privacy

The GDPR applies to direct marketing primarily as it involves collecting and processing personal data: the contact details, browsing behaviour, and location data you use to make your marketing material targeted and personalised.  There is also a separate e-Privacy regime which applies to sending e-marketing materials (emails, SMS, and automated telephone marketing).  The e-Privacy regime adds a layer of consent on top of your lawful data processing obligations under the GDPR.

Under the e-Privacy regime email and SMS marketing requires opt-in consent, unless you have previously obtained an individual’s details as a customer, you are marketing related products, and they have been given an option to opt-out (so called ‘soft opt-in”).  The soft opt-in can only be relied on by you as the organisation that collected the information and not third parties.  Similarly, you can make marketing calls to numbers on the basis of the opt-out, provided national “do not call registers” are excluded.

The e-Privacy regime is also undergoing reform and will be replaced with a new European e-Privacy Regulation (officially due to come into force on 25 May 2018, to coincide with the GDPR – but now looking increasingly unlikely).  Broadly speaking, the draft e-Privacy Regulation maintains the status quo for e-marketing and therefore it is anticipated that the soft opt-in will still be available after its implementation. However, you are advised to keep an eye on any developments, as the legislation is still in draft, and so the rules may evolve further before its implementation.

Summary

In summary, on the implementation of the GDPR on 25 May 2018, you may well be able to rely on legitimate interests as your grounds for processing personal data for direct marketing, rather than the new restrictive form of consent under the GDPR. This is provided your interests are not overridden by those of the individual.  When you send any e-marketing, you must consider the e-Privacy regime and comply with the soft opt-in (but be sure to keep an eye out for updates on the new e-Privacy Regulations).  And either way you must always provide an opportunity to opt-out of receiving your marketing material.

And finally for our own GD-PR, if you have any queries concerning your data protection obligations or direct marketing – we would be very happy to assist. Please contact Ciaran Noonan or Paul Herbert for more information.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.