We have updated OSCR Online - click here for more information on how to submit your annual return
< Older Newer >

GDPR and Direct Marketing

Wednesday April 4, 2018

Main Image


With 25 May fast approaching – and with it the implementation of the General Data Protection Regulation (GDPR) - it’s time to talk about an activity that is key to most charitable organisations, direct marketing.

It’s important to note the term direct marketing isn’t just about raising money or selling products but covers all promotional material including the promotion of aims and ideals.

At present, if you’re planning a direct marketing campaign, you’ll need to comply with the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).

From May 25, the GDPR will replace the DPA but not PECR - so you’ll need to comply with both. The EU is in the process of replacing PECR with a new ePrivacy Regulation (ePR) but this has yet to be finalised.

We have a range of resources available on our website to help charities comply with PECR and the new GDPR legislation but in the meantime here are some top tips based on questions we regularly hear from the voluntary sector.


Lawful basis

I cannot emphasise enough the importance of identifying your lawful basis for marketing, this is the foundation for overall compliance.

Generally, there will be two lawful basis on which marketing activity may rely: consent and legitimate interests. Our website has checklists to help you identify the most appropriate lawful basis but it is important to note that:

  • You cannot change your lawful basis to suit your requirements at the time; and
  • You need to be aware of what rights individuals can exercise under your lawful basis.

 

Consent

The GDPR sets a high standard for consent. It must be a freely given, specific, informed and unambiguous indication of the individual’s wishes, with some form of clear affirmative action - a positive opt-in. Consent cannot be inferred from silence, pre-ticked boxes or inactivity.

Consent must also be separate from other terms and conditions and must be as easy for people to withdraw consent as it was to give.

You don’t need to refresh existing DPA consent if it is already GDPR compliant. The checklist on our website sets out the steps you should take and can help review existing consents and decide whether or not they meet the GDPR standard.

If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR- compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

You are also likely to need consent under PECR for many marketing calls, texts and emails. There’s more detail on this in our Guide to PECR.

Legitimate Interests

If you don’t need consent under PECR you can rely on legitimate interests as your lawful basis for marketing activities, if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.

There are three elements to the legitimate interest basis so it may help to think of this as a three-part test:

  • Identify a legitimate interest;
  • Show that the processing is necessary to achieve it; and
  • Balance it against the individual’s interests, rights and freedoms.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.However, you must balance your interests against the individual’s and if they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Remember that you must include details of your legitimate interests in your privacy information.

You can find more detail in the legitimate interests section of our Guide to GDPR.

 

Profiling

Another area I get asked a lot about is profiling - automated processing of personal data to evaluate certain things about someone. Profiling is allowed but people need to know it is happening and given the opportunity to object. There’s a profiling checklist and more detail in our Guide to the GDPR.

 

ICO GDPR resources

There’s a whole suite of materials on our website to help organisations navigate through the new law. This includes a section for charities featuring a set of GDPR FAQs and a Getting Ready for the GDPR self help checklist. To keep up to date with GDPR news as it becomes available you can subscribe to the ICO’s monthly e-newsletter.