GDPR – Good News For Postal Marketing.
What is GDPR?
GDPR (General Data Protection Regulation) will replace the current Data Protection Act in May 2018. GDPR is necessary to take account of technological advances since the 1995 Data Protection Directive. It will also harmonise data protection law across EU member states.
Good news for postal marketing
There’s good news for marketers using postal direct mail. Consent may not be the most appropriate lawful basis for processing your customer/enquirer data. It is likely that you will be able to rely on legitimate interests for postal marketing, meaning that consent is not necessary. You will still need to offer people the opportunity to opt out on your envelope or marketing material which we can help you with.
ePrivacy Regulation
Postal direct mail will not be subject to the proposed ePrivacy regulations set to replace the Privacy and Electronic Communications Regulation (PECR). This could mean that some of your database is only reachable by mail if customers don’t provide consent for Phone, SMS or email.
Using Direct Mail for Obtaining Consent
Because you won’t necessarily need consent for postal direct mail, it is the perfect channel for obtaining consent for other channels. Sending a letter offering the opportunity to opt out of direct mail and into Phone, Email and SMS is seen as marketing activity by Royal Mail and therefore qualifies for Advertising Mail discounts.
Examples
Marketing to existing customers (consumers or businesses)
A mail order company sends a regular catalogue to customers and enquirers offering new and existing products. The company can rely on legitimate interests to mail catalogues and offers provided that the right to opt out is made clear and that any requests for removal are carried out.
Marketing to businesses (suspects and “cold” data)
Many of our clients have opted to use a generic title such as, “The Office Manager” for two reasons. The main one being that they have found an increase in response rate and a reduction in “Goneaways” due to people changing job roles and moving on. The second is that this type of marketing is outside the scope of GDPR as no personal data is used or stored.
It may be possible to rely on Legitimate Interests to mail named contacts at companies. Discuss this with your list provider and also apply the ICO’s Legitimate Interests Checklist .
You could also use the ICO’s Lawful Basis Guidance Tool
Marketing to consumers using “cold” (bought in or swapped) data
Legitimate interests is unlikely to be seen as a lawful basis for processing bought in or swapped data for “cold” mailings to people at home. For these types of marketing, consent from the data subject is likely to be needed.
Marketing to children
You can consider legitimate interests for processing children’s data, but you must take extra care to make sure their interests are protected.
Invitation to a public consultation to seek public opinion for a new retail outlet
It is likely that data for this purpose would be bought from a data provider. The majority of the data would not contain named individuals so would be addressed to “The Occupier” or similar. Any named individuals should have consented to their data being sold to third parties. You should satisfy yourself that the data is being sold lawfully and that you are complying with GDPR when processing those records. For this purpose it would probably be as effective to use data without named contacts at all which would be outside the scope of GDPR.
New owners of a company informing people of the change of ownership
Where a company is acquired by another company, it can continue to process data acquired under legitimate interests provided that the data is used for similar purposes to those for which is was originally collected. People should be made aware of how the new company acquired their personal data and given the opportunity to opt out of future marketing. If the new company’s lawful basis for processing data is consent, then the data subjects on the acquired list would need to be contacted to gain consent to receive marketing from the new company. This is best achieved by sending them a letter in the post.
Don’t use data in a way that people would not expect.
In short, The ICO says, “You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object…”
If you think people are likely to be surprised at how their data has been used then legitimate interests would not be an appropriate lawful basis for processing. It may even be that the data should not be being used for the purpose you intend if it differs from the purpose for which the data was collected.
Legitimate Interests
The ICO say, “If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.”
The ICO’s “Lawful Basis Guidance Tool
The ICO’s Lawful Basis Guidance Tool will help you to check whether legitimate interests is the most appropriate lawful basis for your needs and if not, which lawful basis is appropriate.
Data security
We take data security very seriously and a copy of our data security policy is available on request. For getting data to us, we recommend the use of our secure upload facility .
We discourage the use of email for sending personal data to us in un-encrypted files. If you’re able to encrypt the data, it makes sense to call us with the password rather than emailing it in the same or even a separate email. If your emails have been compromised, sending the password in a separate email won’t help.
We can help
We’re happy to talk through any queries or concerns you may have about postal marketing under GDPR. We don’t offer legal advice or compliance services but we can point you in the right direction and help you to understand how the ICO’s guidance might apply to your postal marketing.
Joint liability
Under GDPR, both the data controller (you) and the data processor (us) can be held to account for data breaches and non-compliance. It is our responsibility to ensure that your data is kept secure and not shared with third parties (other than postal carriers and data bureaus specified in our Data Protection Statement). It is your responsibility, as data controller, to fulfil your obligations under GDPR and ensure that your data is not being mis-used.
Training
There are many companies offering GPDR training and you should assess which, if any, would be most appropriate for your needs. The Institute of Digital and Direct Marketing (IDM) provide a low cost online course which gives a basic understanding of GDPR and its implications. At £100 plus VAT, it’s well worth completing.
Accuracy
All guidance contained within this document is taken from our understanding of GDPR and the Information Commissioner’s website and documentation. Every effort has been made to ensure the accuracy of the information given You should verify any information independently before relying on it. ico.org.uk is the website for the Information Commissioners Office, which is a good place to find out more.
