
You will have no doubt heard about the new GDPR legislation which is affecting the way all businesses communicate. It’s actually a fantastic opportunity to clean up your database and make sure the people you are communicating with want to hear from you. No more scattergun marketing to people who aren’t interested.

Here are a few things you need to be aware of – and what you need to do in order to be compliant.

If you’re communicating with consumers you need to get the explicit consent of individuals. If you have permission already – great! You need to record where you got the data from and how you got that permission – and if they are not customers, their permission will need ‘renewing’ from time to time.

If you’re not sure that you have their permission, you should send an email which simply asks if they would like to receive email updates from your company. This should take people to a preference centre via the system you use to send out emails. Your contacts should be able to agree to receive all communications, choose between subjects or opt out entirely.

You won’t need consent for postal marketing. You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to your communications.

You also need to think about how you store your data to keep it secure and how you handle requests from people who wish to be removed from your databases. You need to be able to show how you acquired the data and that you have permission from individuals to contact them.

There is a lot of discussion about whether the legislation applies to those companies that market exclusively to other businesses. This is based on whether a business email address includes the name of an individual.

Our advice? Better to be safe than sorry. MRA is choosing to email all our contacts and remind them that they have the option to opt out at any time. Yes, there is a lot of scare-mongering around GDPR. And there are certainly lots of people setting up GDPR consultancies trying to make a quick buck. But you need to be prepared. If in doubt, stick to the principles of the existing Data Protection Act and Privacy and Electronic Communications Regulations (PECR):

• Identify yourself as the sender and provide a clear and easy way for the recipient to opt out
• Have a system in place to act on the opt-outs
• Know where your data is stored and who has access to it

More information can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/