See our latest news articles
GDPR offers six lawful bases for processing information. ‘Legitimate interest’ is the basis most likely to be applicable for direct marketing. The advice from the Information Commissioner’s Office is:
“You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – and if you don’t need consent under PECR.”
So, on the surface, you’re covered by legitimate interest, as long as you follow these guidelines. However, it’s all a bit more complicated than that.
The PECR mentioned by the ICO is the Privacy and Electronic Communications Regulations, which sit alongside the current Data Protection Act and which will continue to operate alongside the GDPR. Although the PECR primarily applies to marketing calls, texts, emails and faxes, they also include guidance on direct marketing.
The checklist provided by the ICO under its PECR guidance includes the following list for marketing by mail:
So, although you can use legitimate interest as a lawful basis for direct marketing under GDPR, other elements of the law require you to have consents from the people to whom you are sending your campaign.
The need for consent is just as valid if you buy a list from another provider, such as Yellow Pages. The PECR states that:
Again, this applies primarily to emails, text and marketing calls, but best practise indicates that this should be interpreted to apply to marketing by mail as well.
It can be called “junk mail” with good reason: very often, campaigns are sent indiscriminately to everyone within a postal address. Many of the recipients will have no interest whatsoever in the products or services being advertised; for example, if it’s a young household, they are unlikely to need hearing aids.
The requirement that ‘people would not be surprised or likely to object’ under the legitimate interest basis for processing data places an onus on businesses to spend time sub defining their lists to make campaigns as targeted as possible. Sometimes you won’t have the information required to subdivide your list – how can you tell if a household is young unless you hold data about age or date of birth? – but where you can, you should.
In order to make everyone at the ICO happy and dodge their mighty hammer of fines, you need to follow this list:
Some of those might seem like a no brainer, but unfortunately poor practise by some firms have made it inevitable that this is an area that was likely to be tightened under GDPR.
Yes, the new rules mean you need to give greater thought to your campaigns – in particular who is receiving them – but that should deliver benefits for you. You may be sending your campaigns to fewer people, but they should be the right people! A more focused, targeted campaign should generate better enquiry and conversion rates.
Read our previous blogs on the GDPR in relation to marketing: