This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.
Recently Kevin Salter raised some questions about the practical issues associated with implementing GDPR. The concerns and questions raised by Kevin are typical of those we hear from members. Many of the questions are around the use of marketing emails; the use of marketing by electronic means including emails is governed by the existing Privacy and Electronic Communications Regulations (PECR).
While we will continue to do our best to address these questions it is worth keeping in mind that the ICO will ultimately be responsible for enforcing PECR.
A great many questions are concerned with marketing activities. In this regard it is also worthwhile keeping in mind that there are several ways of establishing a lawful basis for processing personal data. There is no need to focus exclusively on using consent. The ICO guidance on the lawful basis for data processing says:
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
I thought I would take a moment to address some of these concerns. Kevin’s post is reproduced in its entirety below to ensure the context of the questions is preserved.
Our GDPR hub is here: icaew.com/gdpr The GDPR hub will continue to be updated as the Data Protection Act 2017-2019 progresses through Parliament and the ICO finalises its guidance.
“Work” is changing significantly at this moment – the concept of chargeable work that ultimately pays the bills seems to have gone out of the window! Administration seems to be the name of the game now.
GDPR – General Data Protection Regulation – means a complete review of all products, software, methodologies, procedures, the need for staff (and partner!) education. Documents need to be updated or created. Whilst the ICO website provides guidance, interpreting this and converting it into practical documents and procedures is proving hugely time consuming. Having written a document or procedure, getting others to agree with the interpretation or methods of implementation etc. leads to hours of discussion, redrafting and further discussions on the revised versions – a vicious circle. And made even more difficult by those not having looked at any of the guidelines!
Even the apparently simplest of things often leads to more questions than answers. I have three full pages of issues noted already where answers are really required as to how to proceed.
Consider obtaining an email address of a new client. Whilst general correspondence may be by way of email, you also want to send him regular newsletters and other “marketing information.
So, does the fact that he has signed up (perhaps many years ago) as a client mean he has automatically agreed to be added to a mailing list? No, this is not explicit consent. Organisations should again explain to clients how they intend to use their personal data going forward and gain consent ahead of 25 May 2018. It is also worth noting the ICO guidance here: “Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.”
What if the question – do you want to be added to the mailing list?” is asked verbally in a meeting when obtaining other new client personal data such as names, addresses etc? Whilst consent can be verbal it is not advisable as it would be difficult to provide proof of this confirmation if challenged during the course of a dispute.
What if he is sent a form to complete himself - either paper based or online - and this question is posed and he ticks the “Yes” or “No” box himself? This would be an example of obtaining and recording consent. NB Pre-ticked boxes are not allowed.
None of these appear to meet the GDPR guidelines regarding consent – informing him of how the data will be used, his rights to withdraw consent etc….The online or paper forms he completes himself could require a whole page of text setting out data usage, rights etc. A link to an organisations privacy statement would all that is required, not the entire text being repeated. He will need a whole page in any event to disclose all the privacy information in connection with the other data being collected, so could one of these uses be to add to the email newsletter circulation list? Is this considered too “hidden”? Ensuring that clients are aware of how their personal data is being used is a fundamental principle of GDPR. By providing a clear link on a web site to the organisation’s privacy statement will be sufficient. However, in some cases, it could be necessary to supply a paper-based versions to those clients who may not use or have access to the internet.
Should a completely separate and specific “Email Consent” form be supplied - both to existing clients and to new clients in the future – that way there is no argument and there is proof of specific consent? Yes. Gaining consent before 25 May from existing clients is highly recommended and an ‘email consent’ form is one way of achieving this. The consent request form needs to be clear, specific and comprehensive.
If we have the email address we are going to use for correspondence is it permissible to send a specific email asking them to click a Yes/ No button to subscribe to marketing emails – but this email or linked page would also have to have all the GDPR requirements built in to it though…..? Yes, this is gaining consent. A link to the web site is fine.
Your thoughts? How are you dealing with this apparently simple aspect?
What has been the biggest challenge to date? And the biggest time waster?
What questions do you need answered? And where are you going to get these answers from....?
What is the situation where we communicate with businesses and individuals in professional firms (Eg Solicitors)? https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf suggests that they fall outside of needing a positive Opt-In?
Are you referring to the bought in list section? Otherwise I don't see where the checklist suggests no opt in?