Yes GDPR Also Affects Marketing
Does your Marketing Process Comply with GDPR?
Email contact lists are the bread and butter of the many companies who compile them and make them available for sale. The lists are bought by businesses that want to market to a particular level of employee, a certain senior management position across multiple businesses or even consumers who match a specific geographic and demographic profile. At every marketing webinar, seminar and online coaching class we are told to build a list, so how does GDPR affect this strategy?
Sometimes huge databases are bought, broken down into multiple categories and sold on to small businesses with very specific needs.
Any marketing mail or email must include a declaration, detailing the method the recipient can use to exercise their right to give you notice to stop processing their data for marketing purposes. This cannot be buried in the text of the marketing message but must be a clearly separate statement.
You must comply with the instruction immediately on receipt or you’ll be in breach of the law. In these circumstances you are able to retain the data subject’s information for a single purpose – so that you no longer include them as a recipient for marketing material.
However, the law is flawed because the legislators don’t always understand how data is used. You have no responsibility to pass on the ‘desist from processing’ instruction from the end recipient to whoever sold you the list. Even if you did that, the seller has no obligation to comply with your request for the data to be altered, because you’re not the data subject.
The next time you buy a list it becomes your responsibility to clean it so that you don’t send out marketing to someone who has asked you to stop. You may think that this is going to be a simple job, because you’ll already have on record those who have previously requested that you cease to process their data for marketing purposes (your ‘suppression list’).
Catch 22.5 – The Right to be Forgotten
However, what if the data subject took things a step further? GDPR supports the principle of the ‘right of erasure’ (also sometimes referred to as the ‘right to be forgotten’) under which individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
In theory, this seems to imply that when an individual (a data subject) has invoked this right you’ll no longer have a record of who they are, so you’ll be unable to delete them from the list. Because of the way the legislation is constructed, you won’t even be able to retain a paper list of those who have asked for their data to be deleted, since this would be regarded as ‘part of a data system’.
This principle indicates that an entire sector in the marketing chain could be taken out in a single stroke. However, under GDPR (Recital 65) you will be able to retain a copy of the “erased” data for certain limited purposes (including “for compliance with a legal obligation” so, in effect, you will be able to maintain your own ‘suppression list’. This continues to result not in the actual erasure of personal data but rather in suppression.
Under GDPR you will also have a duty to tell anyone to whom you have disclosed the data about the subsequent erasure, unless it is “impossible or involves disproportionate effort to do so” but that duty does not extend to telling anyone who provided you with the data in the first place.
The originators of the data, therefore, will be in the position of retaining and supplying (processing) personal data of a data subject who has already put in effect their right of erasure. As it stands this will not be contrary to GDPR because they will not have received the request exercising that right; as data compilers sell to many customer businesses, the same data will be re-circulated over and over to different businesses, bypassing existing suppression lists which are the responsibility of an individual organisation to maintain for its own use.
If you are struggling with marketing and GDPR, want some clarity and advice phone us for a FREE No Obligation Call on 01244 300413 or email firstname.lastname@example.org
About The LH Group
Call us on 01244 300413
We help businesses stay safe – our risk management consultancy offers clear answers and problem solving for your risk questions.
What People Say
We need to have a better understanding of GDPR to implement the process at work. This gave me info
Great to work with, very helpful and was happy for us to keep asking for changes until the work was to our liking. We would happily use again.
Extremely high-quality work produced perfectly to our brief and requirements. A very engaging piece for a tricky subject, great communication throughout – would definitely use again.
Great work. Added value whenever possible also which is invaluable for non-legal folk such as myself!
Fantastic work! Law Hound really understood what I needed and their knowledge and experience made sure that every possible angle was covered.
Direct and to the point. Thanks for including the resources for download, they’re helpful.
Sue was great to work with – very communicative and explained everything clearly. Price for work was very fair given this high standard.
Sue is the total professional – in fact we wish we’d known her when we were setting up PD as I just know she would have saved us so much heartache.Straight talking, open, honest and sensible – if only all lawyers were like this. We recommend her and the team 100%
LH Group is extremely knowledgeable in their areas of law and had excellent communication. They drafted and delivered documents before the deadline! Thank you LH Group.
Very fast turnaround! Good work! Would go for them again!