Law firms have less than six weeks to ensure they comply with the General Data Protection Regulation. As part of our series of articles, Leanne Yendell explains the changes her firm has made to ensure its marketing communications comply
The General Data Protection Regulation (GDPR) is the biggest shake-up of data protection laws in the UK for 20 years, and the implementation is due to come to an end on 25 May. The law did need to change: it is grossly outdated. To put things into perspective, the Data Protection Act 1998 (DPA 1998) was conceived before Google, Twitter or Facebook were founded. Your phone’s features have moved on from ‘Snake’ to become mobile computers. This makes data-sharing a by-product of day-to-day life.
The decision as to whether you wish to gain a fresh consent is dependent on the quality of your database and whether you are confident in your existing consents
The GDPR reflects society’s contextual use of data, and also provides additional rights and protections for the data subject – it supports the idea that personal data belongs to the person to whom it relates, not a business that holds it. Sanctions have increased, but the overwhelming theme of the new law is accountability. The GDPR only gives personal data the care and attention it deserves.
Our firm was established in 1973, and sits comfortably within the description of a small to medium-sized enterprise (SME). As with many other businesses, our GDPR journey has followed an emotional cycle: confusion, panic, understanding (cue change in guidance), panic again, realisation that proportionality is the key, and finally acceptance.
We do not have a dedicated data protection officer; instead, we have taken a firm-wide approach, led at partner level. We are currently in the process of performing an internal GDPR audit to understand what data we hold as a firm, who holds it, how, and why.
In this article, I share our GDPR findings in relation to marketing. However, I offer this caveat: there is no one-size-fits-all rule. Our steps were right for us given our size, marketing practices and resources.
Which marketing activities does the GDPR cover?
Our firm markets directly to consumers through our family, private client and residential conveyancing teams (B2C); as well as business owners and agents through our business, employment and commercial property departments (B2B). Our databases range from newsletter assignees to more comprehensive client details.
We decided to review all data used across all departments. The EU’s draft ePrivacy Regulation is rumoured to extend the scope of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003) – which currently provide the legal basis for email, SMS and automated telephone marketing – to include B2B communications (although this continues to be lobbied against). Also, the GDPR does not differentiate between B2B and B2C data.
By reviewing our marketing plan, we were able to identify the following areas that used data in order to perform marketing activities:
- email newsletters and surveys to clients (past and present) and mailing lists
- web-based marketing (social media, blogs and search engine optimisation)
- direct print mail
- analytics that influence the content of our campaigns.
Can’t we rely on existing consents for marketing?
Consent is the clearest lawful basis for communication under the GDPR. However, the standard is very high. It must be:
- given freely and unambiguously (not a pre-condition to signing up to a service)
- a clear affirmative statement or action (passive forms of acceptance such as pre-ticked boxes or silence are not sufficient)
- informed and granular (the use of ‘blanket consents’ will no longer be sufficient).
A person is also offered the right to withdraw consent at any time, which the firm must oblige without question.
The firm will need to be able to evidence each of the above factors for every recipient of marketing communications from 25 May. Previously obtained consents will not escape the GDPR standard.
Practically, this will mean that your consent mechanisms need to be upgraded for future consents. For example, we decided that a review and update of our client care letter, policies and website was required to meet this higher standard.
Should we contact everyone to seek consent before 25 May?
Business owners have understandably argued that this is a risky move, with estimates saying that this could reduce your database by between 50 and 90 per cent. An email request could, for example, be missed, making otherwise active recipients unlawfully contactable (as another lawful basis cannot be relied upon if one fails).
However, I have spoken with marketers who argue that the remaining 50 to 10 per cent will be ‘quality contacts’, and this will actually increase the efficiency of marketing efforts. This view is shared by the Information Commissioner, Elizabeth Denham.
The decision as to whether you wish to gain a fresh consent is dependent on the quality of your database and whether you are confident in your existing consents under the DPA 1998 and PECR 2003. If you wish to seek a re-consent, you must do so by 25 May, but you must take steps to cleanse the database both before and after the exercise.
Flybe is an extreme example of a ‘re-consent gone wrong’. It was fined £70,000 for emailing ‘Are your details correct?’ to recipients that had not consented to communication. By exploring the origins of the data and your existing consents, you will minimise the likelihood of the re-consent request being considered ‘spam’. Ongoing maintenance is also necessary to ensure that only those that have consented remain on the database, and those who have not are removed.
If consent isn’t suitable, what else can we do?
The high standard of valid consent can make it problematic to use for direct marketing activities. There are alternatives, but this has been the trickiest part of the puzzle for us, owing to contradictory information being published.
In her keynote speech to the Direct Marketing Association in February, Denham stated that ‘there is potential to use legitimate interests as a legal basis for processing in some circumstances, but you must be confident that you can rely on it’. Direct marketing has been named a legitimate interest under recital 47 of the GDPR. ‘Legitimate interests’ is one of five alternatives to the lawful basis of consent. It provides for the ‘necessary’ processing of data, unless overridden by the individual’s interests or fundamental rights.
The Information Commissioner’s Office (ICO) has made it clear that this is not a ‘get out of jail free card’. Firms must demonstrate and record a true balancing exercise of the rights of the individual against those of the firm. We must also comply with the consent requirements of the PECR 2003 and any future ePrivacy Regulation regardless.
One area likely to benefit from legitimate interests will be communications with former clients and prospects. The PECR 2003 currently allows direct marketing without consent to those who have bought (or negotiated to buy) a product or service – known as a ‘soft opt-in’ consent. So long as the PECR 2003 requirements are also satisfied, a legitimate interest can be justified under the GDPR for communications relating to similar products or services post-25 May, unless that person opts out. However, should an opportunity to re-consent arise, such as re-engagement, it would be sensible to seek a renewal of express consent under your updated consent mechanism.
How does the GDPR relate to email?
Some GDPR commentators have argued that an email address in isolation cannot be considered personal data. But it is not that simple.
If my email address is Leanne.Yendell@ExampleLLP.co.uk, the question is whether I could be personally identified from that address. My name is not common, and also states my (fictional) place of work, which makes it likely that I could be identified through an online search. I therefore share the view of Europe’s Article 29 Working Party and the European Data Protection Supervisor that this could be considered personal data.
Email addresses and other personal data are likely to be shared with data processors such as MailChimp, Clicky, telemarketers etc. It will be your responsibility, as data controller, to demonstrate that you have done your utmost to ensure that any third-party processor is compliant. This can range from a basic review of the terms, to a full data protection impact assessment (reserved for high-risk agreements). Instead of waiting to be told what you need to do, be proactive and get in touch with your account manager.
How does the GDPR relate to web-based marketing and analytics?
As with many firms of our size, we retain IT specialists and an external marketing team. Again, it is important to communicate with these organisations, rather than assume all is well. An SME named Boomerang Video Ltd was fined £60,000 by the ICO for having ‘overlooked the need to ensure that it had robust measures in place despite contracting with a data processor that could have carried out the work’. Imagine how much that fine could have been under the GDPR.
Personal data could include IP addresses, location data and cookies. Yet these are commonly processed when performing marketing analytics. An operational understanding of your website and other digital assets is vital when performing your data audit.
Is print marketing covered?
Given society’s reliance on all things electronic, print marketing appears to have been somewhat neglected by the GDPR in terms of requiring explicit permissions. The PECR 2003 also focuses on e-communications, meaning there will likely be a resurgence of printed marketing efforts. Take a look to see if you could benefit from the revival!
Next steps
We have found that proportionate efforts are expected, rather than a complete change of systems and activities at great expense. The ICO’s view is that sanctions will be ‘reserved for those who wilfully or persistently flout the law’.
The demonstration of legal compliance is, in itself, an obligation under the GDPR, and so you should record and document the results of any audit, decision-making process and resulting action.
Below are some actions from our marketing plan going forward:
- cleanse, streamline and minimise (to what is necessary to achieve our marketing outcomes) personal data
- perform regular maintenance to prevent processing of outdated, unnecessary and unlawful data
- explore the possibility of adding marketing and communication preferences to our case management systems
- redraft our policies and engagement documents to factor in any changes under the GDPR
- review third-party processing agreements
- keep an eye on the proposed ePrivacy Regulation
- work to a ‘privacy by design’ ethos by updating our website and linking to privacy notices where data is requested
- review and update any existing consents or bases for processing.