Frequently asked questions

Got a question? We've got it covered!

There are six lawful grounds for processing personal data: as part of the performance of a contract, with consent, as a legitimate interest, as a legal obligation, to protect the vital interests of the individual or if in the public interest. All grounds for processing are equally valid, it is for the controller to determine the correct legal basis for processing. GDPR specifically states that Direct Marketing may be considered to be a Legitimate Interest. The ICO has confirmed in guidance that organisations can rely on LI in order to carry out postal direct marketing so long as use of personal data is proportionate, has a minimal privacy impact and an individual is unlikely to be surprised or object. It is for clients to make this assessment on a case-by-case basis.

*You may be wondering what legitimate interest means and what our legitimate interest is. Our business as a marketing service provider rests upon us being able to process personal data for our clients’ direct marketing. If we could not do this then we would not have a business so we have a legitimate interest to do so. Our clients have a legitimate interest in finding new customers or making sure that they deliver the best products and services to existing customers by direct marketing. That on its own is not enough, we also have to balance these interests with yours. We consider whether you will expect to hear from our clients regarding new offers and whether you will be surprised to know that your personal data is in our database. If on balance we think
that you will be happy to receive offers and learn about new products on the market then we can process your data. If you do not want us to do so then tell us and your data will be removed from our database.

If you intend to rely on legitimate interests as the lawful ground for processing then first you must perform a balancing test to evaluate whether the interests or the fundamental rights and freedoms of the costumer will be overridden, taking into consideration the reasonable expectations of data subjects based on their relationship with REaD Group. You will need to consider whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Our advice is to, at a minimum, ensure that any FPN includes a statement that personal data may be processed for marketing as a legitimate interest and ensure that it is clear to the individual that they may withdraw their permission to such processing at any time.

Marketing by post does not necessarily require opt in consent.  The ICO has given guidance that it may be carried out based on legitimate interests. This means you will need to ensure that any FPN and/or Privacy Policy has told the individual that they may receive marketing by post, that they can opt-out at any time and that you have shown that the use is proportionate, has a minimal impact and that an individual would not be surprised to receive your campaign literature. All the postal data supplied by REaD Group will be a mix of permissioned data (consent and LI) and can be identified and selected on permission channel within our data base.

The personal data REaD makes available to clients is renewed regularly and is subject to a number of appropriate safeguards to ensure it is accurate, up-to-date and fit for purpose at the time it is provided to clients. However, if the client acts as a data controller it must take its own steps to ensure that it complies with its legal obligations. Please see article 14 GDPR.

Consent: when you decide to buy a ticket for a concert, in that web page you would be asked if you want to receive any information regarding new concerts, new parties etc. If you check the box saying that you are happy to receive via email, text message, post, that is opt-in consent.

Performance of a contract: your internet/gas/water provider holds your personal data because they need that information to be able to give you the best service. They need to know where you live, your telephone number, and email to be able to get in contact with you whenever necessary regarding your contract.


Legal Obligation: Your bank needs to process your personal data to comply with its legal obligation to prevent fraud.


Vital Interest: your medical records that a doctor/hospital can hold regarding your health. They hold this information in order to help you in case of an emergency, for example, if they need to know your blood type, or check if you are an organ donor.

Legitimate Interest: if a new golf club is opening near you the owner may come to us and ask for a list of individuals within certain postcodes, aged between 18 and 60 who like golf.  We will provide that list on the basis that the golf club owner will contact you to see if you would be interested in becoming a member.

Public Task: processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.  This basis can only be used by public sector organisations e.g. Government, local authorities

In response to the additional requirements of GDPR, REaD is enhancing its safeguards to ensure all personal data is collected and made available by REaD in a compliant manner. Clients should be aware that some of the personal data REaD holds and makes available will have been collected before such additional safeguards were put in place. This does not mean, however, that such data cannot be relied on by clients in appropriate circumstances. REaD has always taken steps to ensure that data subjects were informed that their personal data would be used for direct marketing purposes, provided with information on the categories of third parties with which their personal data may be shared and used and given an opportunity to opt-out. Of course, as with any personal data received from REaD, the client must ensure it is taking appropriate steps to comply with its obligations as a data controller (as set out above).


*If a controller finds that the consent previously obtained under the old legislation will not meet the standards of GDPR consent, then controllers must assess whether the processing may be based on a different lawful basis, taking into account the conditions set by the GDPR. However, this is a one-off situation as controllers are moving from applying the Directive to applying the GDPR. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped. In any event the controller needs to observe the principles of lawful, fair and transparent processing.

REaD Group will ensure that Active is GDPR ready by April 2018. We are currently assessing all of our contributors to ensure that they can provide GDPR standard data. All indications are that Active will largely remain the same because email and mobile records already have to comply with the PECR regime. Our postal records may be used for postal marketing so long as the balancing test to assess the impact on the individual has been carried out and the threshold reached.


*For more information regarding Electronic Marketing please see PECR.

We prefer to say that our products are GDPR Ready.   The rules governing electronic marketing are not going to change on 25 May 2018 as PECR will still apply.   Our postal records will be available as it is your legitimate interest to seek new customers.

No – deceased data is not subject to GDPR as the regulation only applies to living individuals. Our GAS and Qinetic products are name and address only and can be utilised on one of two lawful grounds – either as a legitimate interest or in fulfilment of a legal obligation to keep your data accurate and up to date. If you wish to use GAS Reactive or Qinetic to update one of your existing customer records, then you will do so based on complying with a legal obligation to keep your records up to date and accurate as you will already have established a lawful ground for holding that record. We strongly recommend that your terms and conditions state that you tell your customers that you will update their records.

We have further invested in our data governance and compliance team to ensure that we can continue our compliance programme. We conduct regular audits of our contributors and are in ongoing dialogue to ensure we are kept informed of any new data sources.

We require all new contributors to go through a Due Diligence audit programme. This establishes professional credentials and accreditations, levels of information security, methods of data capture and whether the contributor is an aggregator of data. In addition, to be a contributor to Active you must adhere to our GDPR Rules. These enable us to be satisfied that we have the lawful ground for processing, the date of data capture, the FPN given to the individual and if applicable any unbundled consents opting in to marketing.

No, it would be impossible for REaD or any other organisation in the industry to do this. However, REaD takes a number of steps and has implemented various safeguards to ensure the highest level of transparency for data subjects, including providing a comprehensive fair processing notice that makes clear that their personal data will be processed for the purposes of direct marketing by both REaD and the third parties accurately and comprehensively described. It is important for clients to bear in mind, however, that upon receipt of a list from REaD, the recipient is considered a data controller and must takes steps to comply with its own legal obligations as a data controller. This could include, for example, ensuring it has considered and decided upon an appropriate legal basis for handling and use of the personal data, using the information received from REaD in an appropriate and reasonable manner (and one expected by the data subject bearing in mind the information provided in the REaD fair processing notice) and by providing the data subject with its own fair processing notice when first making contact.

Data Suppression is the regular or ad-hoc removal of any inaccurate and unwanted data from a contact database. Data decays at an alarming rate – changing daily due to house moves, deaths and marriages for example. Cleaning and keeping your data up to date is crucial for a data controller if they want to keep their data accurate and effective. With the enforcement of GDPR in May 2018. keeping data accurate and up to date will become a legal requirement under Article 5 d). REaD Group’s data quality products are the most accurate, comprehensive, trusted and up to date suppression product available in the UK. Combining three market leading products – The Gone Away Suppression file (GAS), GAS Reactive and The Bereavement Register (TBR

REaD Group DaaS delivers seamless real-time connectivity to the UK’s most comprehensive and authoritative database. Always on technology allows brands to respond to changes and updates as and when they occur. Allowing you to maintain accuracy, target the right customers and deliver better decisions at every stage of the customer lifecycle. REaD Group’s DaaS delivers a cost effective and simple solution to this core GDPR requirement – it will clean customer data in real time.

For more information about REaD Group DaaS

ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes. As part of our commitment to the highest standards of data security and processing REaD Group has ISO 27001 certification.

More information about ISO 27001