In the pursuit of writing about the practical application of the GDPR (General Data Protection Regulation) rather than reciting the contents of the freely available regulation document, I am writing this blog to answer a commonly asked question regarding the purchasing of marketing contact lists post May 2018.
A widespread method of new business acquisition in the IT security channel market, much lauded for its spam-creating effect, is the purchase of contact lists for direct marketing; a cornerstone of business for some. Yet the new European data protection regulation, designed to empower data subjects to take control of their personal data, and thus of the ability to market to them, threatens the feasibility of this activity so much that it may cease to exist.
Consent from Data Subjects is Essential
The GDPR contains six core principles (Article 5) which, among other requirements, set out that any act of processing must be lawful. To be clear, the act of marketing to a data subject requires the use of one or more items of personal data, for example an email address, telephone number or name, which makes it an act of processing and subject to the GDPR.
To be lawful, processing must meet one of six possible conditions specified under Article 6 of the GDPR. You are free to read all six; however, to cut a long story short, there are only two likely conditions which can be met by a marketing activity conducted in a sales environment: you have the explicit consent of the data subject; or you can claim legitimate business interests due to the existence of the soft opt-in under the PECR (Privacy and Electronic Communication Regulation) regulation 22. This allows for non-consented direct marketing if the data subject is an existing customer who has not opted out of or unsubscribed from communications.
The legitimate business interest card is a nice one to have, but when purchasing a contact list, an existing business relationship with the people on it would be contrary to the purpose of the purchase, making consent the only realistic option.
How does Consent apply to Marketing Contact Lists?
Because marketing to a data subject is only possible with explicit consent from that data subject, any marketing contact list must come with evidence that consent was collected and of the purpose(s) that the data subject has consented to. Beware: avoiding the risk by assuming that this is the responsibility of the company supplying the list will not be accepted by the supervisory authority. The GDPR is intended to be peer enforced through shared responsibility in a number of areas, including this one. You must have evidence of consent to process personal data.
In the case that you do not have consent, you may need to seek it for yourself if you insist on processing. For email, the PECR makes this impossible as it only accepts email marketing (which consent seeking is considered to be) in cases where there is consent or you have an existing business relationship as mentioned earlier in the blog. This avenue is closed. A secondary option is to seek consent through a telephone call. This is permitted by the PECR unless the number is present on the TPS (Telephone Preference Service) or the CTPS (Corporate TPS) or if the data subject has not objected to your calls in the past.
The Future for Purchased Data Lists
To summarise, the practice of purchasing a contact list and marketing to its contents for new business acquisition is likely to find itself confined to the pages of history. The task of being able to sell contact lists with attached proof of consent for specific marketing activities will be almost impossible to achieve, leaving it up to the purchaser of that contact list to seek consent themselves within the confines of the PECR.
It is a data protection minefield which most will view as too risky and too much of a challenge to try. Instead, the custom of purchasing contact lists and the organisations that sell them will dwindle as their customers find their services too problematic.