I guess you may be confused by what appears to be contradictory information around processing marketing data?

From all the recent emails regarding GDPR compliance requests to process our personal data, we believe the main confusion is around whether you need to obtain “consent” from clients, customers, suppliers and prospects to send them marketing material: flyers, direct mail, printed newsletters or emails, on or after the May 25, 2018.

Kate Armstrong, Blue Shadow Marketing Director and GDPR Fundamentals Practitioner explained at our GDPR Awareness Seminar in Carlisle earlier this month: “You don’t necessarily need consent to send marketing material to prospective, existing or past customers.

"It’s all down to the six legal bases GDPR has determined for processing personal data”. We’ve two further GDPR workshops running in June, Cockermouth on Wednesday, June 13th and in Carlisle on Wednesday, June 20th.

So what do you do with marketing contact data you have?

Admit it, when did you last review your contacts list? So first and foremost as part of your GDPR compliance plan, you need to identify what personal data you have; this includes email addresses and phone numbers.

Then determine on what legal bases you can process the personal data. This is great way to refresh and slim down an out-of-date contacts list so you have a cleaner current client list and quality prospects moving forward.

The next step is to determine for each live contact where it falls within GDPR’s six legal bases for processing personal data:

Kate Armstrong has kindly allowed me to share this graphic to make it easier to see:

Copyright Blue Shadow Marketing

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

4. Vital interests: the processing is necessary to protect someone’s life.

5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).

Choose carefully

None of the bases is more important than another, but you have to choose which of the bases fits your processing activity and stick with it. Your business may apply a number of conditions across various processing activities.

You need to state which bases you have chosen in your privacy statement . In simple terms: who you are; why you are going to use their personal data and what you are going to do with it. Once you have stated the bases you cannot later change that bases, even if the other bases would have been relevant.

As a general rule of thumb, when it comes to processing data for marketing activities, there are generally two choices: consent or legitimate interest. There is no right or wrong option; consent allows you to do anything that an individual has given you consent to do; legitimate interest allows for a broader spectrum of data processing activities without the requirement for consent, but comes with stiffer safeguards in processing the individual's data. The ICO has published a Helpful Lawful Basis Guidance Tool to determine the legal basis that you should use.

Use trusted sources

The ICO has a really helpful website and there are guidelines and a checklist on the website to help you determine if legitimate interest is the correct legal basis to proceed. You should also refer to Refer to Privacy & Electronic Communications Regulations (PECR) for rules for processing both business and private data for marketing reasons.

Want to know more?

Kate Armstrong, GDPR Fundamental Practitioner, will be delivering a half-day workshops on GDPR across the county over the next few months in association with Business Doctors.

We are in Cockermouth on Wednesday, June 13th and in Carlisle on Wednesday, June 20th. For future events please keep an eye on Business Doctors events website for an event near you.

Alternatively please email peterfleming@businessdoctors.co.uk .

If you are looking to grow your business, Business Doctors Cumbria offer a free business health check where we can help you to set a clear vision to understand the steps you need to take to fulfil your aspirations.

Contact Peter Fleming 0845 163 1490 or 07966 686112 or email peterfleming@businessdoctors.co.uk .

Or click here to view our website for other services we can offer you.
<script>var hideInlineMPU=1;</script>