1. GDPR 101 for Marketers: Your Questions Answered!
9 March 2018
James Boyle – Associate Solicitor
T: 01223 225028
E: james.boyle@taylorvinters.com
2. The GDPR
• It’s a monster – regulates all personal data.
• Covers how we collect, use, store, share and
delete personal data.
• Applies irrespective of whether:
– We are dealing with consumers or businesses.
– We are using the data for marketing purposes or
other reasons.
3. The Privacy & Electronic Communications Regulations
• Set out when we can send marketing emails and text messages to consumers, sole traders and some partnerships (“B2C”).
• Most marketing fines we see are actually for
breaches of the PECRs rather than the Data
Protection Act/GDPR.
4. What is a marketing email?
[specific examples discussed on 9 March 2017]
5. What is not a marketing email?
[specific examples discussed on 9 March 2017]
7. The Data Processing Conditions
• Before we can use anyone’s data, we need to
satisfy a processing condition. There are six:
– Consent
– Because there’s a contract in place
– Because it’s in our legitimate interests
– Because it’s to comply with a legal obligation
– To protect the vital interests of the data subject
(think paramedics at the scene of an emergency)
– To perform a task in the public interest
8. Which processing condition?
• All 6 processing conditions are theoretically
available to us for marketing purposes under the
GDPR.
• The PECRs restrict which processing conditions
we can use for electronic marketing to consumers.
• Practical reality means only a few processing
conditions are relevant for marketers.
9. Which processing condition for marketing?
Processing condition, with its position under the GDPR and under the PECRs:
• Consent
– GDPR: Any channel
– PECRs: B2C Email and SMS must have consent, unless the soft opt-in applies
• Contract
– Relevance? Likely to be consent anyway due to clarity requirements
• Legitimate Interests
– GDPR: Any channel
– PECRs: B2C Email and SMS ok if you establish a soft opt-in
• Legal Obligation
– Relevance? Likely to be consent anyway due to clarity requirements
• Vital Interests
– Relevance? Likely to be consent anyway due to clarity requirements
• Public Interest
– Relevance? Likely to be consent anyway due to clarity requirements
10. The soft opt-in
• For existing customers or someone who has shown an interest in the
business, you can send them marketing texts or emails if:
– you obtained their details during a sale or negotiations for a sale to them
– you are only marketing your own similar products or services (not those of a third party or group company)
– you gave the person a simple opportunity to refuse or opt out of marketing at the time you collected their information
• Be careful using the soft opt-in: there is a new piece of legislation coming in (the e-Privacy Regulation) which may change when we can use it.
11. Which processing condition am I using?
• Consent
– If you collected an opt-in, whether B2B or B2C.
• Legitimate Interests
– Post: If you offered an opt-out or nothing at all, for B2B or B2C. Always screen against the MPS!
– Email & SMS: If you complied with the soft opt-in - PECRs apply to these channels for B2C. If you didn’t get an opt-in from your B2B contacts.
– Telephone: If you offered an opt-out or nothing at all. Always screen against the TPS!
13. I’m using consent, now what?
• PECRs say you need consent, but the GDPR sets the
requirements for that consent. Do you meet it?
– Freely given? not forced to give it
– Specific? identifies relevant channels
– Informed? identifies what will be sent
– Not bundled or hidden? separate opt-in mechanism
– Positive action? silence does not = consent
• Consent doesn’t last forever – is your opt-in less than 2 – 3 years old?
14. I’m using consent, now what?
• Met all of those requirements? Great! Sit back and
chill out, until the 2 – 3 year time period impacts
you…
• If no, consider refreshing that consent via a re-permissioning campaign, upgrading the consent to the GDPR standard and “resetting” the opt-in time.
15. How are others handling consent?
• For legacy, but GDPR standard consent, there are
no recorded fines for failing to “re-permission” –
some are taking the risk by doing nothing.
• Others are carrying out a re-permissioning
campaign – the risk here is that people complain to
the ICO about the re-permissioning email.
• Let’s talk about what re-permissioning looks like:
16. Top tips for re-permissioning
• If you say “we will continue to contact you unless you opt out”, that is not enough to collect GDPR standard consent. It needs to be “we won’t contact you unless you opt in [by clicking here]”.
• Segment your data – is there any value in re-permissioning those who haven’t opened an email from you in the last 18 months? These recipients are also more likely to complain.
17. Top tips for re-permissioning (cont.)
• Make the email fun and engaging – you need to
encourage people to open it and opt in.
• Opt-in rates from re-permissioning are between
20% and 50%.
• Make sure you record who opted in, when and
how they did it, to meet the new GDPR record
keeping requirements.
19. How are others handling legitimate interests?
• Risk averse approach - move to consent:
– B2B contacts first receive a “privacy receipt”
– B2C consent campaign
• Stay with legitimate interests – make sure you
have a retention period. It will not be okay under
the GDPR to market to people indefinitely.
20. Legitimate interests: the balancing test
• Because it is so easy to say “marketing is in our legitimate interest”, we can only use data in that way if it doesn’t unfairly impact on recipients’ privacy rights.
• Use a Privacy Impact Assessment to work this out.
21. Legitimate interests: potential practical changes
• Enhancing security
• Moving to consent instead
• Using “privacy receipts”
• Setting retention periods
• Narrowing the scope of the marketing we send –
particular companies/sectors only
23. The legal effect of an unsubscribe
• Consent
– If you collected an opt-in, whether B2B or B2C.
– UNSUBSCRIBE = CONSENT WITHDRAWN
• Legitimate Interests
– Post: If you offered an opt-out or nothing at all, for B2B or B2C. UNSUBSCRIBE OR ON PREF. SERVICE = FAIL BALANCING TEST
– Email & SMS: If you complied with the soft opt-in - PECRs apply to these channels for B2C. If you didn’t get an opt-in from your B2B contacts. UNSUBSCRIBE = FAIL BALANCING TEST
– Telephone: If you offered an opt-out or nothing at all. UNSUBSCRIBE OR ON PREF. SERVICE = FAIL BALANCING TEST
25. Whilst we all agree with the spirit of GDPR (and
PECR for that matter), if you're a small company with
minimal lead acquisition budget, how can you get off
the ground? For e.g. joining member business
networking bodies - you can't necessarily email
members to introduce yourself and your business - or
can you? Lists are often too expensive. How do you
get the volume in a database you need to start putting
content in front of it, engaging on social etc. There is a
limited time for a small business to build traction.
What is the best/compliant plan?
26. If you're a small company with minimal lead acquisition budget,
how can you get off the ground? For e.g. joining member
business networking bodies - you can't necessarily email
members to introduce yourself and your business - or can you?
• The PECRs don’t apply to B2B electronic marketing, so you can identify leads
via LinkedIn or your own internet research and contact them by email or SMS.
• Think about other channels – telephone and postal introductions can be made
(but always screen against the TPS).
• Think about how the initial email contact will “look” – draft it carefully because
an uninvited B2B email (although generally permitted) may irritate the
recipient.
27. Lists are often too expensive. How do you get the volume in a
database you need to start putting content in front of it,
engaging on social etc. There is a limited time for a small
business to build traction. What is the best/compliant plan?
• You can create a database of leads using your own research rather than
buying in lists – these leads are likely to be higher quality too.
• What’s the best/compliant plan?
• Make sure you are being clear about how you use people’s information in your privacy policy.
• Be as clear as possible in your marketing emails around how people can
unsubscribe – does a particular link unsubscribe them from a category of
marketing emails, or all marketing emails from you?