Over the last few weeks we’ve been asking for your questions on the upcoming GDPR so we can provide you with as much information about personal data as possible. We’ve collected all of your questions and provided answers to help ensure you’re ready for the introduction of the GDPR tomorrow.
1) Can legitimate interest be used to justify email marketing updates to contacts who are social media connections?
You need to be clear about whether your organisation takes personal data from social media and stores it in a CRM system or anywhere else. If in doubt, don’t do it. Alternatively, explain why you would like to use this information, then ask for consent and record it.
Transparency is an essential part of gaining client trust, and something you should be committed to.
2) We market B2B to estate agents who have previously given us their personal data for legitimate business reasons because they have been involved with a client’s transaction. Are we still able to email market them as long as the marketing is of the same nature of business and we always give them the option to unsubscribe? Or do we need to email them to ask them to opt in again? The people we market to have always willingly given their details previously, and we never buy or rent lists.
Guidance around this suggests that legitimate interest, not consent, is the best basis for activities which cause no harm and are reasonably expected. You can rely on legitimate interest for marketing activities if you can show that the way you use people’s data is proportionate, has a minimal privacy impact, and that people would not be surprised by it or likely to object. As you have a previous relationship with them and intend to send out content of a similar nature, this would fall under legitimate interest.
3) I worked with someone a year ago. Can I reactivate them by sending them an opt-in request, or is it legitimate interest?
Using legitimate interest in this situation helps you avoid bombarding people with unnecessary consent requests and can help avoid what the guidance calls “consent fatigue”. If done properly, it can also be an effective way of protecting the individual’s interests, especially when combined with clear privacy information and an upfront opportunity to opt out.
4) If data protection rules are breached, how do you report it?
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
5) Can you incentivise consent?
Incentives are a large part of why most people sign up to mailing lists. Under the GDPR you don’t have to drop the use of incentives altogether, as long as you explain what the client will receive when they sign up for email marketing.
You should be sure that a client knows what they are signing up for and why, and that they don’t then receive anything they haven’t been told about beforehand, for example by reusing the mailing list for a different, unrelated company’s marketing.
They should also be able to ‘positively’ opt in to receiving further marketing from you, so there shouldn’t be any pre-ticked boxes: they need to explicitly tick a box or otherwise indicate that they want further marketing.
6) I’m processing client information every day for delivering legal services. Do I have to record every instance of processing under the GDPR?
Documenting your processing activities is important for several reasons. First, it is a legal requirement. Although you don’t need to proactively provide these records to the ICO, you may have to make the information available on request; for example, for an investigation. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR. For instance, it can help you with the following things:
- Drafting your privacy notice—much of the information you have to document is very similar to what you need to tell people in your privacy notice.
- Responding to access requests—knowing what personal data is held and where it is allows you to efficiently handle requests from individuals for access to their information.
- Taking stock of your processing activities—this will make it much easier for you to address other matters under the GDPR such as ensuring that the personal data you hold is relevant, up to date and secure.
7) Can businesses send marketing emails to professionals via their business email addresses without their consent?
In this instance you can apply legitimate interest. A legitimate interest ‘must be real and not too vague’. Organisations will need to show that there is a balance of interests between their own and those of the person receiving the marketing.
Of course, any individual can object to direct marketing, and it is one of the examples of legitimate interest for which objection is already well understood and easy to action, usually via an unsubscribe link or by contacting the company in question with the request.
If you have any more questions you’d like to ask about the GDPR, you can check out our latest blog posts.