Marketing under the forthcoming General Data Protection Regulation (GDPR)
By Simon Thomas | 22 March 2018
SUMMARY: Tenet's Head of Policy, Simon Thomas, shares some examples of the ways in which marketing practices will need to change under the forthcoming General Data Protection Regulation.
The GDPR will take effect in the UK on 25th May 2018 and will reinforce the existing Privacy and Electronic Communication Regulations 2003 (PECR).
The key to keeping your marketing activities compliant revolves around ensuring you have proper consent to market to your existing and potential clients.
The level of consent that you need varies depending on whether your marketing is done by email, telephone or postal mail. So let's have a look at a few common marketing scenarios and see how they would play out in the GDPR world.
You are speaking to a client over the phone and you ask if they’d like to receive some information on your latest products and services, and they agree.
Here you have been given consent to send marketing materials, so you should keep a record that they have given consent, the date, and the method (over the phone). Best practice would be to follow up with an email to confirm this opt-in as well as details of how they can unsubscribe.
You have a list of email addresses; however, this list hasn't been updated in several years and you have no record of when or how the contacts on the list gave consent, if at all.
In this scenario, you cannot determine whether you have valid consent. You therefore cannot lawfully market to these individuals via electronic means. You are free to try to obtain consent until the 25th May 2018. After this date, even attempting to obtain consent via email is considered a breach.
In your client database you have up-to-date records of individuals that have consented to receive email marketing messages. However, you do not specifically have consent to market via telephone or direct postal mail.
In this scenario, you are in a good position to run marketing via email as you have the right consent. As the consent rules are slightly tighter for email marketing, you are free to market via telephone or direct mail where you might not have explicit consent. However, you must screen your contact list against the Telephone Preference Service (TPS) and Mail Preference Service (MPS) to check their preferences. If they are opted-out on the preference services, then do not market to them. If they are not present on the preference services, you are free to market to them unless they withdraw.
You have sent a client marketing materials via email for products similar to those they have previously purchased from you.
This is acceptable as long as they were given the option to opt-out at the time their details were collected, and they are given an option to opt-out on the marketing email itself.
In summary, marketing is only becoming slightly more restrictive, and the GDPR reinforces what already exists under PECR. If you do not undertake any form of marketing, then you are in an easy position, but it would be good practice to read and understand the marketing rules in case you begin marketing to clients in the future.
If you do currently undertake marketing activity, then it is vital that you read the rules thoroughly and understand them. The Information Commissioner's Office (ICO) has provided a useful direct marketing checklist, which is the clearest document for you to use as guidance for compliance.
By Simon Thomas, Head of Policy at Tenet