To ensure ongoing compliance with GDPR, More Than Words has made some changes to its data offering, which are explained in full in this article.
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years and will take effect from 25th May 2018. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
Brexit will not affect the new regulation as the Secretary of State for the Department of Culture Media and Sport has confirmed GDPR will apply from May 2018.
The GDPR applies to organisations processing and holding personal data within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Personal data means any information that can be used to directly or indirectly identify the person. This could be anything from a name, computer IP address, bank details or location data.
Depending on the severity of non-compliance, companies can expect to be fined up to 2% of annual global turnover or €10 million (whichever is higher) for failing to comply with GDPR. For more serious data breaches, companies can be fined up to 4% of annual global turnover or €20 million. Importantly, these rules now apply to both controllers and processors.
We have been keeping up to date with the compliance requirements of the GDPR as and when they are published. Updates to GDPR are still ongoing.
One of the key areas that affects us and our clients is email marketing. Even though email marketing is currently governed by the Privacy and Electronic Communications Regulations (PECR), GDPR still applies as it covers the processing of personal data in a general sense (note PECR is due to be replaced by the ePrivacy Regulation but this has been delayed).
New expanded guidance on the lawful basis for processing has recently been published by the EU’s Article 29 Working Party. The Working Party includes representatives of the data protection authorities from each EU member state.
Part of our email feed includes sole traders and partnerships which are licensed to More Than Words for third party direct marketing by our suppliers. Permission for third party use of this data has been taken via our suppliers’ UK call-centres with a follow-up email confirmation; however, under GDPR this is no longer sufficient. To allow a company to use this data, the data subject (the person you want to email) must agree to that organisation emailing them.
With immediate effect, we are withdrawing this part of the feed from our UK database, to ensure we continue to comply with GDPR. However, we still hold one of the largest, legally-compliant email feeds in the UK and have a wide-ranging suite of highly effective targeting solutions that can continue to support your marketing objectives.
An email address at work is personal data, whether that email address is a corporate one or that of an employee of a sole trader/partnership. The Data Protection Act now and the GDPR from 25th May 2018 will apply to the processing of the email address.
The difference between sole traders/partnerships and corporates comes when you look at PECR.
PECR deals with gaining permission to send marketing by email. The general rule is that you must gain prior consent to send a marketing email. However, in a B2B environment, there is an exemption for employees of corporates, and you can send a marketing email to these individuals without their prior consent. In summary, email addresses of corporate employees can be licensed for third party email campaigns. Legitimate interests would be used to process this personal data as long as all the following criteria are fulfilled:
A corporate is defined as a limited company, public limited company, limited liability partnership or government department and can be emailed without prior consent (email@example.com).
Employees of corporates must be given the option to easily unsubscribe or opt-out from receiving email marketing.
The product or service being promoted can be purchased by the recipient in a professional capacity.
The sender must identify itself and provide contact details.
The emails supplied by More Than Words for third party direct marketing are now all corporate emails to meet the current requirements of GDPR.
Email addresses that have been collected whilst negotiating the sale of a product or service (i.e. existing customers and qualified prospects) could be used under follows:
Your marketing is for similar products or services offered by your company
Your company told the recipient at the time of collecting their email address that it would be used for unsolicited email marketing and you provide a clear unsubscribe/opt-out at the same time.
Your company provides a clear unsubscribe/opt-out option every time you send an email message if the recipient did not unsubscribe/opt-out at the point of data collection.
Further guidance on legitimate interest and whether it’s right for your business can be found on the ICO’s website.
You can continue to cold call corporates and sole traders/partnerships provided the telephone numbers have been suppressed against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) registers every 28 days as well as any in-house suppression files you hold.
You need to always offer them the opportunity to opt out of future calls.
You can send postal mailings to corporates and sole traders/partnerships.
There is a misconception that postal mailings to businesses (including sole traders and partnerships) have to be matched against the Mailing Preference Service. They don’t.
Just ensure the data has been matched against any in-house suppression files you hold.
Our 12-month licence allows you to send 12 email messages within a 12-month period from date of supply (or a maximum of 4 every month but not exceeding the 12 in a year).
A marketing programme that sends an email message approx. every fortnight over a shorter period of time can be much more responsive than 1 send every month or so. Post 25th May 2018, if you want to continue emailing the sole traders and partnerships in a list whose licence has not expired, then they must be contacted to gain consent for your business. Information on how to obtain consent can be found on the ICO’s website.
We can help you identify the sole traders and partnerships in the list you originally licensed from us, where the licence is still current.
We can also help you gain the necessary consents through telephone verification.