“Legitimate Interest” to the rescue
The General Data Protection Regulation creeps ever closer and still the confusion continues. I’ve read a number of articles and blogs which basically just copy the “12 steps to take now” released by ICO in 2017 and a variation of the phrase “whatever your business you need to start preparing now” (I’m kind of guilty of using a variation of that phrase myself). Some have even referred to the General Data Protection Regulations plural rather than Regulation, one I saw referred to the Global Data Protection Regulation.
Further clarification came from the Information Commissioner’s Office with relation to postal marketing this month (January 2018). Unfortunately it was not trumpeted from the battlements or shouted from the rooftops of ICO house (I’m really not sure on the architectural details of the building the ICO works from, could be a fortified stone edifice, more likely a concrete, steel, and glass block). I came across it from an article on Decision Marketing (http://www.decisionmarketing.co.uk/news/direct-mail-industry-set-for-boom-time-under-gdpr). As you can see from the title contained in the hyperlink, “Direct mail industry set for boom time under GDPR” this was just the type of article that would catch the eye of a Mailing Muppet like me. What the ICO actually said was:
You won’t need consent for postal marketing…you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”
Let me put that into further context for you. This clarification came about because of a large number of enquiries from charities. These are the types of organisations that rely upon sending fundraising communications, event information to drum up sponsorship, even raffle tickets. We’ve had one of our own charity customers contact us about posting to its own database of supporters seeking consent from them to continue sending them newsletters etc. Our take on the situation was that their money would be better spent on fundraising activities rather than an exercise which is not necessary and may actually be damaging to the organisation. If a charity has a database it has built up of supporters (shall we say for example that they have 10,000) and then writes to them seeking explicit consent to continue contacting them how many recipients do we think will get around to replying? 5,000 out of 10,000? 1 in 4? Some might say that at least you’ll know that those that do reply really do want to engage with the organisation. If you were in charge of the charity would you feel comfortable taking the risk though? Would you still feel comfortable if you were told that if you took the plunge and went down the Consent path and processed your data in this way you could not double back and change tack if you found that it wasn’t working for you?
Among the many articles and blogs I’ve read about GDPR there was one that particularly jumped out at me (and not in a good way). It was purporting to give guidance on how organisations should transition into GDPR. It was quite a short article and really didn’t have enough space to cover the subject. It was the very epitome of ‘a little knowledge is dangerous’. For some reason they jumped straight in with Consent. In fact that was all they talked about. So listen up. There are six available lawful bases for processing. Six. Not one. Six. Let me quote directly from the ICO website:
No single basis is ’better’ or more important than the others”
Please read that quote again so that I know you’ve got it.
As ever we tend to get hold of the wrong end of the stick, or default to ‘panic mode’, or get confused when faced with a large and looming new thing. Some of us start ‘spouting’. However, you will notice that those who take to spouting do not appear to have the firmest grip on the subject. You don’t find the Information Commissioner spouting: she’s much too polite and measured. I sincerely hope you do not think that I’ve been spouting. What I’m trying to say here is that you simply have to do the research and do not give in to that knee-jerk reaction that panic can sometimes engender. People sometimes assume that all of the GDPR applies to all that they do. The GDPR has to cover a lot of ground. In my own opinion (and it is simply just my opinion) the 1998 Data Protection Act was an adequate piece of legislation to cover what we did back in 1998. However, since then, we’ve seen email marketing blocking up our inboxes, we’ve seen large corporations sucking up people’s data with no apparent motive. It turns out that the corporations that suck have decided that they can ‘monetise’ (annoying made up word) peoples’ data. Website’s gather our names, addresses, ‘phone numbers, card details etc. Google Analytics grab data. Now we, at the crenelated fortress of Cumbria Mailing, do not indulge in spam email, or data capture from websites, we don’t even use Google Analytics. It does not seem to us that the GDPR is targeted at us and our activities and what we’ve taken from the ICO is that we can carry on with our responsible processing of postal marketing. Obviously we’re complying with GDPR and running through all the checklists and updating policies and procedures but we don’t believe GDPR is any more onerous for our straightforward and honest processes than the 1998 Act.