- Data Protection wordings not updated/removed in some documents, usually a fact find or on the firm’s website;
- In any case, Data Protection documentation and any consent should be a separate standalone document – some firms still have this as part of a, usually lengthy, disclosure document – the disclosure documents can refer to the separate privacy document but should not incorporate it;
- Data Protection information not provided early enough and lawful basis not established early enough. As indicated earlier, obtaining personal information is one element of processing data and the formalities must be done before any personal information is obtained;
- Joint advice – each party must be informed of the firm’s privacy policy and a lawful basis established for each party;
- Additional rules apply when processing data relating to children – firms are often not aware of the requirements or do not implement them – refer to the ICO website for detailed guidance;
- Firms using consent as the lawful basis do not always maintain the required records – see above;
- Marketing consent not compliant – see below.
Marketing
Many firms include a Marketing section in their data protection documents. Many fail to do so compliantly!
There appears to be a widespread misunderstanding about marketing and the GDPR. While the GDPR/DPA 2018 governs the data firms use for email marketing, the required permission to send email marketing is defined by the Privacy and Electronic Communications Regulations (PECR). ePrivacy is a European directive. PECR is the UK-interpretation of ePrivacy. The ICO has published guidance on PECR.
PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.
PECR does not apply to ‘Direct Marketing’ which is marketing done by post although it is worth remembering that firms doing Direct Marketing need to ‘clean’ mailing lists to ensure that individuals who have registered with the mail preference service are not sent mailings. A similar service also exists in relation to telephone calls.
In our experience, many firms include marketing consent in their current documentation for no better reason than it was in their pre-GDPR documentation. Further, most of these firms have never actually done any electronic marketing that would require such consent – and have no intention of doing so. The first thing firms should consider is whether marketing is actually a key part of the business model. If not, then firms should remove the marketing consent text from their documents.
Firms that genuinely want to do electronic marketing can only do so on one of two bases:
- With consent;
- To existing customers or those in negotiation for a sale or service.
Marketing consent must meet all the standards for consent under DPA1018 listed above. In addition, it must be sufficiently granular to clearly identify what type is being consented to, including how sent, how often and about what. And firms need to maintain comprehensive records covering the sign up forms and wordings, and when, where and how consent was obtained.
PECR also allows email marketing, in certain circumstances, to existing customers and those in negotiations for a sale or service. Those circumstances are:
- where the email address was provided during the sale or negotiation process;
- where an option to opt-out was provided;
- where the marketing is limited to goods and services relating to the purchases or customer relationship; and
- where the customer is given an option to opt-out in each message.
This situation is sometimes referred to as a “soft opt-in” and means, for example, that firms do not need to worry about marketing consent in order to email newsletters to existing clients, communicate with existing clients about their annual review or that they can contribute to an ISA or pension, provided that the above conditions are met and that the subject of the communication is similar to what has been provided to the client before. It does not permit firms to email clients about an entirely new product or service that has never been in scope previously.
The above comments relate to marketing by the firm. Marketing by a third party is an entirely different matter and requires more consideration that we can briefly cover here.
BREXIT
As indicated, the DPA 2018 arose out of GDPR, an EU regulation. We are out of the EU as of January 2020 but still complying with EU regulations until the current transition period ends. That is scheduled for the end of 2020, although there remains a possibility that will be extended.
The DPA 2018 will remain after transition but how it will relate to the GDPR as legislated by other EU/EEA jurisdictions will depend upon the outcome of transition negotiations. Data protection within the UK and NI is likely to be unchanged but transfer of data to or from outside the UK, even with EU/EEA countries might well be subject to a new regime.
Our view and action points
ATEB does not provide expert consultancy on Data Protection but we have a good understanding of the key requirements of DPA 2018 (the UK version of GDPR).
We have indicated here some of the issues we come across when engaging with firms with the intention of ensuring that firms can review current data protection processes and ensure these are robust and compliant.
Recommended action points are:
- If you rely on consent to process personal data you will probably have to refresh that consent now for any individuals who were clients in May 2018;
- Consider whether ‘contract’ would be a more appropriate primary lawful basis, supported by consent when specifically required;
- If you currently have a marketing consent process, it should be reviewed to assess if it is actually necessary, i.e. is electronic marketing actually a key part of the business model;
- If marketing is genuinely a key element of the firm’s business strategy, the consent process should be reviewed to ensure it complies not only with DPA 2018 requirements but also with the PECR.
Page: 1 2
