So, you've been told that you need to destroy your prized contacts database unless you can prove that you have consent to process the personal data of those that you store. Maybe you can send out communication asking those contacts to re-consent... but how many would? And what about the problems which Honda incurred by doing this?
What does the GDPR say?
With the DPD (Data Protection Directive 1995) and the PECR (Privacy and Electronic Communications Regulation 2003) largely ignored over the past decade, it has been the GDPR (General Data Protection Regulation), which has thrust this issue into the limelight.
Concerned with all things personal data, the GDPR requires that the processing of personal data be lawful, with lawfulness defined in article 6. There are six conditions upon which processing personal data is considered lawful:
- Where the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Where processing is necessary for the performance of a contract.
- Where processing is necessary for compliance with a legal obligation.
- Where processing is necessary in order to protect the vital interests of the data subject.
- Where processing is necessary for a task carried out in the public interest.
- Where processing is necessary for the purpose of legitimate interests carried out by the data controller.
Note: The above has been shortened; you can refer to article 6 of the GDPR for the full text.
Without the ability to demonstrate consent for the processing of a data subjects personal data, you will need to seek justification in one of the other five lawful bases or enact that data subjects right to erasure and remove their personal data from your contacts database. One such method would investigate the viability of demonstrating legitimate interests, something which the UK's supervisory authority, the ICO (Information Commissioner's Office), have said could be used when processing for the purpose of direct marketing. While this may be the case, it is not an easy escape hole for the demonstration of lawful processing, as it requires you to consider whether or not your processing activity is balanced with the interests of the data subject; something you would be expected to document.
Consent may actually be the simpler option.
What does the PECR say?
You processing activities may be lawful under the GDPR, however if you wish you processing activity is for the purpose of electronic communication, as much as direct marketing is, then you will also need to consider the requirements of the PECR.
Let us focus on email communication.
For individuals, sole traders and partnerships are considered consumers and email communication is only permitted if one of two conditions are met:
- They have explicitly consented to receiving email from you.
- They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent. This is known as a soft opt-in.
For companies such as limited liability and publicly traded companies, there are no such conditions, however you must still make the opt-out option available in each email; this is usually achieved through an unsubscribe button.
Take careful note of the case of Honda, who found themselves at the wrong end of the PECR and were fined £13,000. They had been sending emails to their contacts database asking for consent to continue processing in order to comply with the GDPR, yet could not show that they had the consent to be able to send such emails. There are similar examples available on your local supervisory authority.
The options based on GDPR and PECR
By now you probably would have noticed that there is a thin line to be balanced between the GDPR and the PECR. The bottom line is simple; you cannot process personal data under the GDPR without proving lawfulness and you cannot communicate under the PECR without meeting its requirements. Having one and not the other is unfortunate but one regulation does not supersede the other and you will probably be best cleansing your contacts database and improving your data collection methods.
Recently the ICO addressed much of the gloom surrounding the need to collect consent. Capturing the mood perfectly, Elizabeth Denham, the Information Commissioner at the UK's ICO said that while consent might not be the smoothest of methods for demonstrating lawfulness, it will lead to better engaged customers who are fully informed about their choices and more receptive the communications they receive.
Yes, your database may shrink substantially; but what it will be replaced with is much better.