We’re getting closer to the 25th May, and I think there are few small business owners out there that haven’t heard of GDPR. Something that hasn’t been discussed too widely regarding the update to Data Protection is the impact that GDPR will have on our marketing efforts.
I will say that I’m not a GDPR expert, and I’m certainly not a lawyer, so this is only my interpretation based on current ICO guidance and that of data protection lawyers sharing their expertise. I would recommend that you do your own research, ask the ICO questions and get as much knowledge as you can before making any decisions for your own business.
GDPR is about an individual having choice and control over how their personal information is used
For the context of this blog, we’re talking about names, email addresses and phone numbers. Even if this information can be found in the ‘public domain’, it still constitutes personal data and is the kind of information many of us use for marketing purposes.
Under GDPR, we have three opportunities (for want of a better word) to access and use personal information to market our products and services:
- Informed consent
- Soft opt-in
- Legitimate interest
Informed consent is always the best option under GDPR
There are a few things the ICO has to say about consent under GDPR which I suggest you have a good read through.
If you want to use someone’s information for marketing and gain their direct consent to do so, you need to make the purpose obvious, using clear and concise language in a statement written specifically for the purpose of gaining that consent.
Let’s take a networking meeting as an example where you’ve collected a ton of business cards.
Rather than adding their details to your email subscriber list straight away (I hope you don’t do that by the way!), you’d need to send an email explaining that you met at the networking event and you’d like to add them to your mailing list.
You’d use a clear and concise statement of intent – the information you’d be collecting, how you’ll be processing it and how it will be used. So, ‘I will add your name and email address to my mailing list where I will send you my newsletter, news of my latest promotions and other forms of email marketing about my services’.
Consent needs to be granular – that means giving them a choice over how their information is used. Some people might want to receive blogs only and not the marketing spiel, so rather than bundling it all together there should be individual tickboxes for each aspect.
You’d require a positive opt-in – they must freely give their consent and off their own bat (no assuming consent or making it conditional for receiving a freebie).
You need to make it easy for them to withdraw their consent – they need to be able to say ‘no’, and for any communications you send after consent has been given you need to provide an unsubscribe link prominently within the email so they can withdraw their consent at any time.
Keep evidence of the consent obtained – who, when, how, and what you told people.
Now if you’re anything like me, you’re probably thinking ‘not many people are going to say yes to being added to a mailing list’. The ICO understands this, and that its high standards for consent can be tricky for business owners, which is why its guidance states “If consent is difficult look for a different lawful basis”.
The soft opt-in is a lawful way to collect and process data under GDPR
- They have already bought from you (or were in negotiation, e.g. asked for a quote)
- You are emailing them about something similar
- At the time of collecting their email and in every subsequent marketing communication you’ve advised them of their right to opt-out
Let’s say you have received an enquiry through your website’s contact form asking about how to order a product or obtain a quote for one of the services you provide. The contact details provided can then be used for marketing under the soft opt-in, provided the emails/newsletters are about a similar product/service and they can freely and easily unsubscribe at any time.
When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address. Although the rules on emails don’t apply to organisations (sole traders and partnerships are classed as individuals), you must still identify yourself and provide an address according to the PECR.
The last lawful basis for direct marketing according to GDPR is ‘legitimate interest’
You can rely on legitimate interest for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact and people would not be surprised or likely to object.
You should avoid using legitimate interest if you’re using personal data in ways that people don’t understand and would not reasonably expect, or if you think people would object if you explained it to them. However, the PECR (Privacy and Electronic Communications Regulation) also says that:
If you’re sending unsolicited direct marketing emails or texts to individual subscribers, which includes sole traders and partnerships, unless the soft opt-in applies, you have to have their prior consent.
This means that B2B marketing where you are sending emails and other communications to limited companies is OK provided it’s reasonable and to be expected, but where sole traders and partnerships are concerned you must have the soft opt-in basis or their direct consent.
So when can I use legitimate interest for marketing?
Let’s take a mailshot as an example: you have a current list of postal subscribers who have donated to a charity previously, and you want to send them your latest promotional leaflet. Before the charity can proceed with using legitimate interest as their lawful basis, they will need to conduct a three-stage assessment:
- Is there a legitimate interest for marketing?
- Is the data processing necessary?
- A balancing test
Is there a legitimate interest for marketing? Well, yes. They’ve already supported the charity and provided their address, it isn’t unethical or illegal to ask for their support again.
Is the processing of the data necessary? Yes, the name and address are needed to send the mailshot. Is it a targeted and proportionate way of achieving your objectives? Yes, it’s a printed leaflet that has an order form aimed at an older population that don’t use electronic communications. Is there a less intrusive way of achieving the same aim? Not really.
In this case, you can see that the legitimate interest test has been passed, and the assessment should be filed away on record in case of an investigation from the ICO following a complaint (should one happen).
In terms of avoiding such complaints, it’s worth considering the nuisance factor: would the frequency of mailings be classed as a nuisance, or could the marketing cause issues for vulnerable persons, for example a pensioner struggling financially who is continually asked for donations they can’t afford but feel compelled to make? This actually happened to 92-year-old Olive Cooke who took her own life after receiving over 460 charity requests for donations in a year.
Ultimately, obtaining consent, so that an individual has choice and control over how their personal information is used, is the aim of GDPR, and essentially much of what we have to do as small business owners is common sense. The ICO has a very useful direct marketing checklist you can use to make sure that you’re abiding by the GDPR for your campaigns.