The General Data Protection Regulation (GDPR) (EU 2016/679) came into force on 25th May 2018 and is the new legal framework which governs the processing of data of European citizens. It replaces the Data Protection Regulation (Directive 95/46/EC).
GDPR sets out six lawful grounds for processing (Article 6.1), each of which is equally valid. No single basis is considered more lawful than another.
The most widely publicised and most often quoted of these is ‘consent’. Under GDPR, consent has a very specific definition with four key elements: it must be freely given, specific and informed, and there must be a clear indication signifying agreement. Many people have been led to believe that this is the only basis on which processing can operate, and assume that if they have not given consent in the manner described above, then any marketing emails they receive from a company must be in breach of GDPR. This is simply not true. The UK Information Commissioner has gone to great lengths in her recent series of white papers and blogs to try to ‘debunk’ this and several other myths surrounding the legislation (see https://iconewsblog.org.uk/).
Article 6.1(f) also allows for another legal basis for processing called ‘legitimate interest’. This is where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subjects which require protection of Personal Data, in particular where the data subject is a child”. The legitimate interest can be one of the controller or of a third party, and processing will be lawful provided the following three-stage test is passed:
- Identifying a legitimate interest
  - Recital 47 of the Regulation directly affirms that the processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interests.
- Establishing that the processing is necessary
  - A detailed Legitimate Interest Assessment (LIA) is conducted and documented. Every third party accessing personal data from Executive Grapevine has submitted an assessment, which can be viewed on request, in relation to the processing of an individual’s personal data.
- Conducting a balancing test
  - The usage and release of personal data to third parties is restricted by Executive Grapevine: subject matter must be relevant and business related, campaign frequency is restricted, exposure is controlled, and the privacy policies and data protection levels of third parties are all assessed and monitored to manage any potential impact of processing. Data sets are heavily ‘seeded’ to monitor acceptable usage.
Executive Grapevine requires all third parties to successfully pass all three stages prior to any processing of personal data. Direct marketing by post, telephone or in person is covered by regulations outlined in GDPR.
However, in the UK, any communication by electronic means, whether by email, in-app or OTT services, is currently covered by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and not by GDPR. Under the existing regulation, personal data requires consent prior to electronic mailing. However, business emails are not currently classified as personal data and are therefore covered by Regulation 22, which allows for a ‘soft opt-in’ for commercial business electronic mailings. This means that a business can lawfully contact a data subject using a personal corporate email address (except LLCs) without prior permission. So if a data subject receives a commercially relevant email from a legitimate supplier, it is currently still lawful. The ICO recommends that data protection implications are considered, and Executive Grapevine uses the GDPR rules for processing to meet this need.
The new E-Privacy Regulation, which will replace the current PECR, was due to be implemented at the same time as GDPR; however, it is still travelling through the European legislative process and, at the time of writing, only has agreement on 12 out of the 29 proposed articles. Until resolution on these remaining articles is achieved, all electronic marketing in the UK will continue to be subject to PECR.
If you would like to read more, the ICO publishes an excellent summary of this regulation here: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf