General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) takes effect on 25th May 2018, and will be implemented into UK law by a new Data Protection Act which will come into force in March/April 2018.  The UK Government has introduced the Data Protection Bill into the House of Lords where it is currently (November 2017) being debated.  The Bill’s further progress is dependent on the Parliamentary timetable.  The GDPR consists of 99 Articles covering specific issues, and 173 Recitals, explaining the Articles.  The stated objectives of the GDPR are to protect “the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”.  One of the aims of the GDPR is to give individuals greater control over the use of their personal information.  There is no doubt that the 1995 European Data Protection Directive (implemented into UK law by the 1998 Data Protection Act) needed updating as the 1995 Directive was passed before the internet was publicly available and before the era of mass data collection and storage.  The GDPR covers the collection, use and storage of personal data, in order to enhance individuals’ privacy rights.

The specific rules on email, mobile and telephone marketing contained in the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) remain unchanged.  However, the PECR will now need to be interpreted in the light of key definitions in the GDPR, for example the definition of consent.  The PECR implement another piece of European legislation, the ePrivacy Directive from 2002, into UK law.  The ePrivacy Directive is being revised and replaced by the ePrivacy Regulation.  The ePrivacy Regulation is currently going through the Brussels legislative process.  The original aim was for the ePrivacy Regulation to come into force at the same time as the GDPR, but this is not going to happen and it is likely that the new ePrivacy Regulation will come into force towards the end of 2018 or early 2019.  The DMA (UK) is currently lobbying the UK Government and, through FEDMA, the European Trade Association for direct and interactive marketing, the key players in Brussels to ensure that under the ePrivacy Regulation businesses can continue to send email marketing to members of staff of limited companies, public limited companies, government and local authority institutions (corporate subscribers) on an unsubscribe/opt-out basis, as is the case now.  The current text of the ePrivacy Regulation is unclear on this point.  We should have a clearer idea by the middle of 2018 as to whether businesses will be able to send email marketing to staff members of corporate subscribers on an unsubscribe/opt-out basis or whether such staff members will need to be treated in the same way as individual consumers are.  The general rule for email and mobile marketing to individual consumers is that this can only be carried out on a subscribe/opt-in basis.

Under the terms of the GDPR, the processing of personal data is only permitted if the marketer can demonstrate that it complies with one of six conditions.  It is important to note that there is no hierarchy of conditions and all of the six conditions are equally valid.

Marketers are likely to use either the consent condition or the legitimate interest condition.  The first of these conditions is that the recipient (the data subject) has given consent for their data to be used.  Under the terms of the GDPR, this consent must be “freely given, specific, informed and unambiguous”.  Simply offering an unsubscribe/opt-out is no longer sufficient to meet the consent condition, but it may be sufficient to meet the legitimate interest condition.  The consent condition under the GDPR is a much higher standard than under the 1995 Directive.

The sixth condition is the one which is most likely to apply to data processing for direct marketing purposes.  This is referred to as the Legitimate Interest condition, and states that data processing is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.   According to Recital 47, “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

The Data Protection Network has produced comprehensive guidance on the use of Legitimate Interests, in conjunction with the DMA, which has been welcomed by the ICO.  There are specific criteria which must be satisfied in order to rely on Legitimate Interests as a lawful basis for data processing, and the guidance recommends the use of a Legitimate Interest Assessment (LIA).  The LIA employs a 3-stage test to:

  1. Identify a legitimate interest for processing – the legitimate interest test
  2. Assess whether the processing is necessary for the pursuit of commercial or business objectives – the necessity test
  3. Ensure that the rights of the data subject are not overridden by the data processor – the balancing test

In accordance with the GDPR’s emphasis on the rights of the data subject, individuals should be informed that Legitimate Interest is the basis upon which their personal data is being used for direct marketing purposes, and given the right to object to (unsubscribe/opt-out from) this use.  The right to object must be brought to the attention of the data subject clearly and explicitly at the time of collection of their data or in the first communication made to them.  The Institute of Direct Marketing suggests the following wording to communicate legitimate interests to an individual: “Under Data Protection legislation we believe that we can demonstrate that we have a legitimate interest in using your data for marketing purposes but you always have a choice.”  {You should then provide an unsubscribe/opt-out on the data collection page or via the same marketing channel you are using to communicate with the individual.}  By reading this, the individual will know that a company is relying on its legitimate interests to send marketing.  The opt-out allows the individual to exercise their right to object to that marketing.

Conditions 2 to 5 cover processing necessary for the performance of a contract, for compliance with a legal obligation, to protect the vital interests of a data subject or for the performance of a task carried out in the personal interest.  These are not relevant to direct marketing activities.

Compliance with the GDPR will impose new requirements on the direct marketing industry.  It is important that marketers see this as an opportunity to increase customers’ trust and confidence in direct marketing and not just as a burden.  It is important that marketers start their GDPR compliance programmes now if they have not already done so as the GDPR comes into force in less than five months’ time.
