GDPR – What about my database?
Earlier this week I was speaking to a client about a problem he was having with his existing marketing database (which contains information about almost 18,000 contacts in a similar number of businesses). He wanted to prune the database as he was getting a bounce rate of close to 20% when sending out mailshots. In passing I suggested that now would be a good time to look at General Data Protection Regulation (GDPR) compliance. He had not heard of the GDPR and when I suggested that the contacts in his existing database might not be usable after May 2018 he went very pale.
So what’s the problem with your database?
What might be the problems with using an existing database once the GDPR is enacted? It really all boils down to consent, and more generally the lawful basis, for processing the personal data held in your database. Most marketing databases will contain personal data of at least a name and an email address or phone number, which is sufficient to identify an individual. Earlier this year the Information Commissioner’s Office (ICO) issued draft GDPR consent guidance. This was a consultation process to gather the views of stakeholders and the public. The draft guidance states “if existing DPA [Data Protection Act 1998] consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing”.
From this, if our client wants to continue using his database he has two options:
- Contact his entire database to obtain GDPR-compliant consent – however, does he actually have consent to do this? Both Flybe and Honda Motor Europe fell foul of this and were fined by the ICO for breaking the current DPA provisions, let alone the new, arguably more stringent, GDPR provisions.
- Determine a lawful basis for continuing to use the contact information – earlier this month we looked at this in our blog. Other than consent there are 5 other provisions which might apply:
  - Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  - Processing is necessary for compliance with a legal obligation
  - Processing is necessary to protect the vital interests of a data subject or another person
  - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  - Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
As this is a marketing database which our client uses to send marketing emails and make marketing phone calls, and many of the contacts are not customers or have not been a customer for some time, it is difficult to identify any lawful basis for using the data other than that of GDPR-compliant consent.
What can you do?
So what should our client do? He really only has three options:
- Determine which of his contacts are existing customers and be able to demonstrate that. If he can do this then it may be possible to send marketing information related to the products purchased, but not about other products or services. There is some debate about how long after a purchase it is legitimate to consider someone to be a customer – this depends on the industry, the products being purchased and the frequency of purchasing by a normal customer. So this could vary from a few months to no more than 2 years.
- Determine which of his contacts have already given consent and be able to demonstrate that.
- As he has been sending marketing emails already to his database, can he determine which contacts are actively engaging with this marketing by opening or clicking on the emails? If so then this might be a basis for showing an existing relationship. However, this is a very subjective area and our client would need to be able to demonstrate that his email marketing is a valuable service in its own right (is it providing useful information about industry trends and developments rather than information about his own services and products?). This should take into account the value and utility of the emails and the cost, damage or detriment suffered by the contact if those emails were to cease.
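As an added illustration (not code from the original post), the following Python script applies the three tests above to a constructed contact list and reports which contacts can be evidenced under which basis and which need fresh consent or removal. The 2-year customer window, the minimum number of opens, the record field names and the sample contacts are all assumptions for the example.

```python
from datetime import date

# Constructed sample records (not real data). Field names are assumptions
# standing in for whatever the CRM actually stores.
CONTACTS = [
    {"email": "a@example.com", "last_purchase": date(2017, 3, 1), "consent_evidence": None, "opens_last_12m": 0},
    {"email": "b@example.com", "last_purchase": None, "consent_evidence": "web form, 2016-08-02", "opens_last_12m": 2},
    {"email": "c@example.com", "last_purchase": date(2014, 1, 15), "consent_evidence": None, "opens_last_12m": 0},
    {"email": "d@example.com", "last_purchase": None, "consent_evidence": None, "opens_last_12m": 5},
    {"email": "e@example.com", "last_purchase": None, "consent_evidence": None, "opens_last_12m": 0},
]

# Assumed thresholds: the post's upper bound of 2 years for "existing customer",
# and an arbitrary minimum engagement level to flag a contact for review.
CUSTOMER_WINDOW_DAYS = 365 * 2
MIN_OPENS = 3

def classify(contact, today):
    """Return the strongest basis the stored records can actually evidence."""
    if contact["consent_evidence"]:
        return "documented_consent"          # option 2: consent that can be demonstrated
    last = contact["last_purchase"]
    if last is not None and (today - last).days <= CUSTOMER_WINDOW_DAYS:
        return "existing_customer"           # option 1: recent customer, related products only
    if contact["opens_last_12m"] >= MIN_OPENS:
        return "engagement_review"           # option 3: needs the value assessment described above
    return "none"                            # no evidenced basis: re-consent or remove

ACTIONS = {
    "documented_consent": "retain, keep the consent record",
    "existing_customer": "retain, market related products only",
    "engagement_review": "manual review before any further mailing",
    "none": "seek GDPR-compliant consent or delete",
}

def triage(contacts, today):
    """Group contact emails by evidenced basis so each bucket can be actioned."""
    buckets = {}
    for c in contacts:
        buckets.setdefault(classify(c, today), []).append(c["email"])
    return buckets

if __name__ == "__main__":
    for basis, emails in triage(CONTACTS, date(2017, 9, 20)).items():
        print(f"{basis:20} {ACTIONS[basis]:45} {emails}")
```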
Businesses are rightly concerned by the prospect of their databases becoming devalued assets in the event that the consents on which they rely are invalidated. However, before beginning the (potentially mammoth) task of re-contacting an entire marketing contacts database at this stage, there are a number of important points to be considered; in particular, the evolving nature of the ICO’s guidance, which should be issued in December 2017, and the new EU ePrivacy Regulation, published in draft/proposal form in January 2017, which contains more specific rules on electronic marketing – more on this in a future blog.
GDPR Preparedness Toolkit Seminar
This 2-hour seminar will help you as you take your first steps towards compliance, by sharing practical insights about implementing a data security based approach in line with the Regulation. You will learn about:
- Why you have to comply with the GDPR and what might happen if you don’t.
- The GDPR’s direct effect on your business and the transition timelines.
- The steps to take in preparing for compliance.
- The technical and organisational measures your business will need to adopt to comply with the Regulation.
- A key assessment toolkit you can use to help you to achieve compliance.
The seminar will be held at The Birch Hotel, Heywood with easy access to the M60, M62 and M66 on:
- Wednesday, 27th September 2017, 14:00 to 16:15 – SOLD OUT
- Wednesday, 25th October 2017, 14:00 to 16:15
- Wednesday, 29th November 2017, 14:00 to 16:15
Standard tickets are £25.00
Early Bird Discount tickets are £15.00 (available only if you book within 14 days of the seminar)
Contact us on 0345 319 4887 to book or book online with Eventbrite.