How does GDPR affect data enhancement? For example, appending data to a clients base to drive personalisation, targeting or insight?
No, but the privacy policy at point of data collection needs to explain and be transparent as to how the data will potentially be processed. The REaD Group privacy policy explains this: https://www.mydatachoices.co.uk/privacy-policy
Do you need Consent or Legitimate Interest to carry out analytics under GDPR?
No, but the privacy policy at point of data collection needs to explain and be transparent as to how the data will potentially be processed. The REaD Group privacy policy explains this: https://www.mydatachoices.co.uk/privacy-policy
What’s the difference between a necessity test and a balancing test?
The three key stages of a Legitimate Interest Assessment are:
1. Identify a Legitimate Interest i.e. what is the purpose of the processing
2. Carry out a Necessity test i.e. state why the processing of the data is necessary (and that another less intrusive option is not available)
3. Carry out a balancing test i.e. balancing of the rights and freedoms of the individual’s data which will be processed
Is a balancing test only necessary for Legitimate Interests or for any lawful basis?
If you choose to rely on legitimate interests, you are taking on extra responsibility and obligations for considering and balancing people’s rights and interests using a Legitimate Interest Assessment which includes a Balancing Test. No other legal basis for processing data requires this Assessment or balancing test.
What is a Legitimate Interest Assessment (LIA)?
If you are using Legitimate Interest as your legal basis for processing personal data, the Information Commissioners Office (ICO) have stipulated you must carry out a Legitimate Interest Assessment (LIA). An LIA is a three-part test. You need to:
1. Identify a legitimate interest
2. Show that the processing is necessary to achieve it
3. Balance it against the individual’s interests, rights and freedoms
You should keep a record of your Legitimate Interests Assessment (LIA) to help you demonstrate compliance if required.
See an example LIA template provided by the Data Protection Network (DPN) here:
Guidance from ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
What is Legitimate Interest?
Legitimate Interests (LI) is the most flexible lawful basis for processing personal data under GDPR. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
However, if you choose to rely on legitimate interests, you are taking on extra responsibility and obligations for considering and balancing people’s rights and interests using a Legitimate Interest Assessment. The Information Commissioners Office (ICO) stares clearly in their guidance that: the legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
Defining Legitimate Interest sits at organisational level. For processing personal data for direct marketing it is the instigator of that marketing that must complete the Legitimate Interest Assessment (LIA) and associated balancing test to document their LI.
It could be the legitimate interest of a charity to increase its donor base.
It could be the legitimate interest of a new business to obtain new customers via a marketing campaign.
We find that clients often have a large customer database but only contact a section. Do you think that it is reasonable for the client to maintain the accuracy of the whole base and not just the contactables?
Article 5 (1) (d) places a high burden on a data controller to ensure that personal data is kept accurate and up to date. All data processed (this includes mere storage) is subject to the same requirement and measures should be in place to regularly screen all data for changes. If a client maintains a name and address on its base then use of REaD’s suppression suite and its associated enrichment products is good evidence of having taken ‘every reasonable step’.
Data has to be kept up to date and accurate under GDPR Article 5(1) so how frequently does it have to be cleaned?
As a Regulation the GDPR is law not best practice. Although it does not specify a frequency for data cleaning it does states explicitly in article Article 5 that “Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted” . By ‘reasonable’ it is imperative to have a trusted data cleaning process in place to evidence that you are adhering to this requirement
What is the lawful basis for using telephone data?
Telemarketing can be carried out using LI as the lawful basis of processing so long as the numbers are not used for automated cold calling (this requires consent). Considerations in any balancing test might include the time of day calls are made, an assessment of the vulnerability of the targets (possibly by the exclusion of certain age groups) and the frequency of calls.
What is soft opt-in?
Until the ePrivacy Regulation is enforceable – expected to be in 2020 (date to be confirmed) – The Privacy and Electronic Communications Regulations (PECR) will continue to be the prevailing law governing electronic communications and messaging , including email, and this includes the provision for soft opt-in for marketing to existing customers.
If a company has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient and the direct marketing is in respect of that person’s similar products and services only and the recipient has been given a simple means of refusing, then there is an option to use a ‘soft opt in’ as your lawful basis for processing. However, you must have given the recipient a clear chance to opt out – both when you first collected their details, and in every communication you send.
The soft opt-in rule means you may be able to use electronic messaging to communicate with your existing customers, it does not apply to prospective customers or new contacts (which require consent).
Further details on PECR the ICO guide to PECR can be found here: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
We find that clients often have a large customer database but only contact a section. Do you think that it is reasonable for the client to maintain the accuracy of the whole base and not just the contactables?
Article 5 (1) (d) places a high burden on a data controller to ensure that personal data is kept accurate and up to date. All data processed (this includes mere storage) is subject to the same requirement and measures should be in place to regularly screen all data for changes. If a client maintains a name and address on its base then use of REaD’s suppression suite and its associated enrichment products is good evidence of having taken ‘every reasonable step’.
What is ISO 27001?
ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes. As part of our commitment to the highest standards of data security and processing REaD Group has ISO 27001 certification.
What is REaD Group Data as a Service (DaaS)?
REaD Group DaaS delivers seamless real-time connectivity to the UK’s most comprehensive and authoritative database. Always on technology allows brands to respond to changes and updates as and when they occur. Allowing you to maintain accuracy, target the right customers and deliver better decisions at every stage of the customer lifecycle. REaD Group’s DaaS delivers a cost effective and simple solution to this core GDPR requirement – it will clean customer data in real time.
Do REaD Group need to name all of its clients in its Fair Processing Notices?
No, it would be impossible for REaD or any other organisation in the industry to do this. However, REaD takes a number of steps and has implemented various safeguards to ensure the highest level of transparency for data subjects, including providing a comprehensive fair processing notice that makes clear that their personal data will be processed for the purposes of direct marketing by both REaD and the third parties accurately and comprehensively described. It is important for clients to bear in mind, however, that upon receipt of a list from REaD, the recipient is considered a data controller and must takes steps to comply with its own legal obligations as a data controller. This could include, for example, ensuring it has considered and decided upon an appropriate legal basis for handling and use of the personal data, using the information received from REaD in an appropriate and reasonable manner (and one expected by the data subject bearing in mind the information provided in the REaD fair processing notice) and by providing the data subject with its own fair processing notice when first making contact.
Will it be OK to rely on Legitimate Interest (LI) for postal marketing?
Yes, recently published guidance by the ICO confirms Legitimate Interest can be relied on subject to certain conditions.
Will REaD group share their ‘due diligence audit & test results’ to help end clients in the decision making when purchasing data?
We are happy to be as transparent as we can be. There may be some documents which are confidential, but we will always work with you to ensure that you have satisfied your own compliance team that we can work together.
What level of due diligence are REaD Group conducting on their suppliers?
We require all new contributors to go through a Due Diligence audit programme. This establishes professional credentials and accreditations, levels of information security, methods of data capture and whether the contributor is an aggregator of data. In addition, to be a contributor to Active you must adhere to our GDPR Rules. These enable us to be satisfied that we have the lawful ground for processing, the date of data capture, the FPN given to the individual and if applicable any unbundled consents opting in to marketing.
How will REaD Group ensure ongoing GDPR readiness post 25 May?
We have further invested in our data governance and compliance team to ensure that we can continue our compliance programme. We conduct regular audits of our contributors and are in ongoing dialogue to ensure we are kept informed of any new data sources.
Does GDPR affect deceased & suppression data?
No – deceased data is not subject to GDPR as the regulation only applies to living individuals. Our GAS and Qinetic products are name and address only and can be utilised on one of two lawful grounds – either as a legitimate interest or in fulfilment of a legal obligation to keep your data accurate and up to date. If you wish to use GAS Reactive or Qinetic to update one of your existing customer records, then you will do so based on complying with a legal obligation to keep your records up to date and accurate as you will already have established a lawful ground for holding that record. We strongly recommend that your terms and conditions state that you tell your customers that you will update their records.
Will there be less data in REaD’s products?
No. We predict that volumes will remain constant due to the compliance programme we have undertaken.
When will REaD’s products be GDPR compliant?
We prefer to say that our products are GDPR Ready. The rules governing electronic marketing are not going to change on 25 May 2018 as PECR will still apply. Our postal records will be available as it is your legitimate interest to seek new customers.
How will REaD Group products change as a result of GDPR?
REaD Group will ensure that Active is GDPR ready by April 2018. We are currently assessing all of our contributors to ensure that they can provide GDPR standard data. All indications are that Active will largely remain the same because email and mobile records already have to comply with the PECR regime. Our postal records may be used for postal marketing so long as the balancing test to assess the impact on the individual has been carried out and the threshold reached.
*For more information regarding Electronic Marketing please see PECR.
What will happen with legacy data?
i.e Data where permission was previously obtained under the old legislation will not meet the standards of GDPR
In response to the additional requirements of GDPR, REaD is enhancing its safeguards to ensure all personal data is collected and made available by REaD in a compliant manner. Clients should be aware that some of the personal data REaD holds and makes available will have been collected before such additional safeguards were put in place. This does not mean, however, that such data cannot be relied on by clients in appropriate circumstances. REaD has always taken steps to ensure that data subjects were informed that their personal data would be used for direct marketing purposes, provided with information on the categories of third parties with which their personal data may be shared and used and given an opportunity to opt-out. Of course, as with any personal data received from REaD, the client must ensure it is taking appropriate steps to comply with its obligations as a data controller (as set out above).
*If a controller finds that the consent previously obtained under the old legislation will not meet the standards of GDPR consent, then controllers must assess whether the processing may be based on a different lawful basis, taking into account the conditions set by the GDPR. However, this is a one-off situation as controllers are moving from applying the Directive to applying the GDPR. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped. In any event the controller needs to observe the principles of lawful, fair and transparent processing.
Can you give examples of the six different lawful bases of processing?
Consent: when you decide to buy a ticket for a concert, in that web page you would be asked if you want to receive any information regarding new concerts, new parties etc. If you check the box saying that you are happy to receive via email, text message, post, that is opt-in consent.
Performance of a contract: your internet/gas/water provider holds your personal data because they need that information to be able to give you the best service. They need to know where you live, your telephone number, and email to be able to get in contact with you whenever necessary regarding your contract.
Legal Obligation: Your bank needs to process your personal data to comply with its legal obligation to prevent fraud.
Vital Interest: your medical records that a doctor/hospital can hold regarding your health. They hold this information in order to help you in case of an emergency, for example, if they need to know your blood type, or check if you are an organ donor.
Legitimate Interest: if a new golf club is opening near you the owner may come to us and ask for a list of individuals within certain postcodes, aged between 18 and 60 who like golf. We will provide that list on the basis that the golf club owner will contact you to see if you would be interested in becoming a member.
Public Task: processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This basis can only be used by public sector organisations e.g. Government, local authorities.
DOWNLOAD a summary of the six bases for processing personal data
How long will consent last under GDPR?
The personal data REaD makes available to clients is renewed regularly and is subject to a number of appropriate safeguards to ensure it is accurate, up-to-date and fit for purpose at the time it is provided to clients. However, if the client acts as a data controller it must take its own steps to ensure that it complies with its legal obligations. Please see article 14 GDPR.
GDPR states that direct marketing may be considered to be a legitimate interest. Does this apply to direct marketing by any channel?
No. Due to the PECR regime we do not believe that you can send electronic marketing to an individual without their consent. It is our belief that you can send direct mail to an individual as a legitimate interest of your business, as per Recital 47 of GDPR journal.
Will postal consent be ‘opt in’ or ‘opt out’?
Marketing by post does not necessarily require opt in consent. The ICO has given guidance that it may be carried out based on legitimate interests. This means you will need to ensure that any FPN and/or Privacy Policy has told the individual that they may receive marketing by post, that they can opt-out at any time and that you have shown that the use is proportionate, has a minimal impact and that an individual would not be surprised to receive your campaign literature. All the postal data supplied by REaD Group will be a mix of permissioned data (consent and LI) and can be identified and selected on permission channel within our data base.
Will email be consent only?
Yes. Currently consent is required for marketing via email under PECR and we do not expect this to change.
What is the balancing test?
If you intend to rely on legitimate interests as the lawful ground for processing then first you must perform a balancing test to evaluate whether the interests or the fundamental rights and freedoms of the consumer will be overridden, taking into consideration the reasonable expectations of data subjects based on their relationship with REaD Group. You will need to consider whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Our advice is to, at a minimum, ensure that any FPN includes a statement that personal data may be processed for marketing as a legitimate interest and ensure that it is clear to the individual that they may withdraw their permission to such processing at any time.
What are the lawful bases for processing data under GDPR?
There are six lawful grounds for processing personal data: as part of the performance of a contract, with consent, as a legitimate interest, as a legal obligation, to protect the vital interests of the individual or if in the public interest. All grounds for processing are equally valid, it is for the controller to determine the correct legal basis for processing. GDPR specifically states that Direct Marketing may be considered to be a Legitimate Interest. The ICO has confirmed in guidance that organisations can rely on LI in order to carry out postal direct marketing so long as use of personal data is proportionate, has a minimal privacy impact and an individual is unlikely to be surprised or object. It is for clients to make this assessment on a case-by-case basis.
*You may be wondering what legitimate interest means and what our legitimate interest is. Our business as a marketing service provider rests upon us being able to process personal data for our clients’ direct marketing. If we could not do this then we would not have a business so we have a legitimate interest to do so. Our clients have a legitimate interest in finding new customers or making sure that they deliver the best products and services to existing customers by direct marketing. That on its own is not enough, we also have to balance these interests with yours. We consider whether you will expect to hear from our clients regarding new offers and whether you will be surprised to know that your personal data is in our database. If on balance we think
that you will be happy to receive offers and learn about new products on the market then we can process your data. If you do not want us to do so then tell us and your data will be removed from our database.