Emailmovers, Our Customers and GDPR

Updated March 2018

What is the GDPR?

The General Data Protection Regulation (GDPR) deadline of 25th May 2018 is prompting many businesses to look at the ways they collect, process and use personal data.

GDPR aims to further protect the privacy rights and interests of citizens and replaces all data protection laws for EU members, including the UK’s own Data Protection Act (1998).

Its purpose is to ensure that all countries that trade with or within the EU process personal data in the same way and have similar and fair penalties for breaches in data protection.

Frequently Asked Questions

Attend any business conference or networking event at the moment and you will soon see there seems to be only one thing on everyone’s mind – GDPR.

With any change like this comes a lot of scaremongering and false advice, leading to many companies taking drastic actions with their data and marketing. The first thing to do is breathe!

GDPR is designed to make everyone more responsible for the personal information they hold and to give the individual more control over their data. In the long run it will improve relationships between businesses and their clients. Put the processes in now and in 6 months’ time you will wonder how you ever did things a different way.

The ICO issued 12-step guidance to prepare for 25th May 2018, which can be found on their website. In summary, the steps are:

  1. Make sure key people in your organisation are aware of GDPR.
  2. Document data you hold and what you do with it.
  3. Review privacy notices and make changes where needed.
  4. Review the 8 individuals’ rights and make changes to procedures where needed.
  5. Update your Subject Access Request procedures in line with GDPR.
  6. Identify and document the lawful basis for your processing activity.
  7. Review your consent mechanisms to ensure they are GDPR-compliant, or find an alternative to consent.
  8. Obtain parental or guardian consent for processing children’s personal data.
  9. Put procedures in place to detect, report and investigate a personal data breach.
  10. Carry out a Privacy Impact Assessment (PIA) when necessary.
  11. Designate someone to take responsibility for compliance and a Data Protection Officer (if needed).
  12. Determine your lead data protection supervisory authority if you operate in more than one EU member state.

As long as you do your due diligence on your data suppliers, you can continue to do your direct marketing. Ensure you have a process that you can follow: for example, a form or document that your suppliers can fill out and return, giving more detailed explanations of the source and processes of their data.

You want to get an understanding of:

  1. Who are they?
  2. What type of data are they processing and how often is it updated?
  3. Do they have systems in place for data protection?
  4. What legal basis are they processing their data under?
  5. How is their data sourced?
  6. How old is their data and what recent engagement have they had with it?
  7. What policies and processes do they have in place?
  8. Can they confirm the data being supplied is compliant with GDPR?

If you don’t have a due diligence form or document in place, we can share ours with you to help you take responsibility for the data you license – it should apply to most email data licensing positions. We will also be providing all of our clients with a copy of it completed by Emailmovers with the sale of any data that is affected by GDPR.

Whilst GDPR is suddenly all that some people are thinking about, and others are choosing to ignore it, it has actually been on the cards since January 2012 when the first text was published. We know that it is not going to be ‘business as usual’ and, along with a handful of other data brokers, we have been preparing for these changes. We have been gearing up for the changes by requesting and following the advice of the DMA and ICO regularly through each step.

We are continuously training our staff on all aspects of GDPR to give them a solid understanding of the changes. All of our current employees have completed an IDM Award in the General Data Protection Regulation and one of our Directors has sat on a panel of experts at numerous GDPR-related conferences as well as being a GDPR consultant for other companies.

One of the main changes is around the different legal premises on which data can be processed. There are six in all, but for the purposes of marketing we are concerned with either ‘Consent’ or ‘Legitimate Interest’.

Consent
If a business decides to use consent, it would need to have opt-in permission from all contacts. There is a move away from ‘implied’ consent to ‘explicit/unambiguous’ consent. Pre-ticked boxes will be replaced by the active ticking of an un-ticked box or a ‘clear affirmative action’.

Emailmovers already relies on this approach to data permissioning on all the B2C consumer data it sells.

Legitimate Interest
A business can also use the legitimate interest precedent for their direct marketing particularly where they would like to contact employees of Public/Private limited companies or local authorities with a B2B communication. In this respect they would conduct their marketing on an unsubscribe/opt-out basis.

Emailmovers uses this approach to legitimise the B2B data it sells.

See how our data is GDPR Compliant

Which Lawful Basis?

We identify ‘Legitimate Interest’ as the most appropriate lawful basis for processing our third party B2B marketing data. Direct marketing is recognised as a legitimate interest in GDPR recital 47.

How was this explained on collection?

Our online business directory and preference centre, 5mins.co.uk captures, legitimises, verifies and updates the corporate data on our file. On collection it was/is explained to each individual what their personal information would be used for. The 5mins Site Subscriber Privacy Policy is accessible directly on this link: https://www.5mins.co.uk/SubscriberPrivacy.aspx.

Do we use a Layered Privacy Policy?

On collection of the data we use a layered privacy policy with the most important information upfront. This is designed to be transparent and clear with concise language.

How are individuals informed of what we do with their data and how they can refuse marketing?

We send a regular data privacy notice by email reminding individuals of what personal information we hold and what we do with their data. The email includes a link for them to update their personal information and preferences within the 5mins preference centre. At this point they are also reminded of their right to object to processing and provided with the opportunity to unsubscribe. This gives them control over their information.

What do you need to do?

In preparation and post 25th May we will be assisting our clients in doing their due diligence. With future sales of prospect B2B email lists we are going to provide our clients with a copy of our data due diligence documents before purchase. We will help with running balancing tests that ensure you are correctly targeting the right contacts. We can advise on any other necessary processes such as sending a data privacy notice on immediate purchase of an email list. We aim to help our clients as much as possible so that they understand the process and implications of GDPR.

What do we need to do with our clients?

We clearly have a responsibility to comply with the new law ourselves. This includes the need to ensure that, when we share personal data with you, it will be in good hands. Therefore we have to do our own due diligence on our customers. You will notice that we are asking you more questions, for instance about your lawful basis and data processes.

In summary

In summary, we are GDPR compliant with the UK B2B email data we supply because we do the following:

  1. We are clear with individuals why we need their data at the point of collection
  2. We always use clear and concise language appropriate for our target audience
  3. We give individuals control over their data. They are always able to decide whether to share their personal data with us or not

Under the GDPR principle of accountability, Emailmovers is able to demonstrate that we are compliant. We always record the legal grounds for processing an individual’s personal data.

We have done our due diligence on our suppliers of B2C data, which has included documentation, site visits and a thorough understanding of how they collect data for third parties. Their details are as follows:

Data OD Ltd | Data On Demand – http://www.dataondemand.co.uk/privacypolicy

Data OD Ltd, Platform, New Station Street, Leeds, LS1 4JB

ICO: ZA231384

UK Reg No: 10183365

Which Lawful Basis?

When collecting data under GDPR for Third Party Marketing after the 25th May 2018, our suppliers consider consent to be the most appropriate basis for lawful processing.

How was consent gained on collection?

They collect data for Third Party Marketing from their Data Contributor Network (DCN).

Consent from the Data Subject on the Data Contributors’ websites is collected with the following rules:

  1. Prominent and separate from other terms and conditions
  2. Requires a positive opt in
  3. Does not use pre-ticked boxes or default consent
  4. Uses clear, plain language that is easy to understand
  5. Specifies why we want the data and what we are going to do with it
  6. Gives individual options to consent to the preferred marketing channels they choose
  7. Third Party Controllers relying on consent are named in the Privacy Policy or linked in the Privacy Notice.
  8. Individuals can withdraw their consent at any time
  9. Consent is not a precondition of a service. Individuals can refuse consent without detriment to their original reason for visiting the website, i.e. to enter a competition, apply for a loan or subscribe to a newsletter.

How is consent recorded?

  • They keep a record of how and when they got consent from the individual
  • They keep a record of exactly what they were told at the time

How is consent managed?

  • They regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • They have processes in place to refresh consent at appropriate intervals
  • They have a preference-management tool called The Marketing Preference Service.
  • They make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • They act on withdrawals of consent as soon as they can.
  • They don’t penalise individuals who wish to withdraw consent.

What do you need to do?

You need to do your due diligence with any data supplier, and we will be assisting our clients with this. We will provide a copy of our data due diligence documentation for B2C email lists before purchase. We will help you correctly target your audience and will offer advice on any other necessary processes. We aim to help our clients as much as possible so that they understand the process and implications of GDPR.

In summary

In summary, the UK B2C data we provide to clients is GDPR compliant because we ensure our suppliers do the following:

  1. Clear with individuals why their data is needed at the point of collection
  2. Clear and concise language appropriate for our target audience is always used
  3. At the point the data is collected information is given to the individual and is not hidden in small print.
  4. Individuals are given control over their personal data and are given access to decide whether their personal data is shared or not.
  5. We can demonstrate GDPR compliance and the lawful grounds of consent for processing the personal data of every individual. If challenged we would be able to provide screenshots of the tick box and the corresponding privacy notice.
  6. Our customers can be specifically named as a company that data will be shared with, giving them the required consent under PECR to the GDPR standard of consent

We have been doing due diligence on our UK and overseas suppliers to ensure that their data collection is compliant with GDPR fair processing policies, and that their systems are robust enough to be able to deal with the rigours of GDPR such as SARs.

Which Lawful Basis?

The European third party B2B data we provide is processed under the legal basis of ‘Legitimate Interest’. Direct marketing is recognised as a legitimate interest in GDPR recital 47. In the B2B environment it can be assessed that sending relevant promotional materials to data subjects in their job roles will be appropriate.

How are individuals informed of what we do with their data and how they can refuse marketing?

  • Our suppliers using LI have been sending messages to their European data subjects informing them of what data is held on them and why it is being held.
  • Data subjects have been given the opportunity to opt-out.
  • Data subjects have been given the opportunity to study the supplier’s Privacy Policy.
  • Data subjects have also been informed that third parties may use the data on the grounds of Legitimate Interest.
  • Data subjects have been kept informed, offered opportunities for the processing not to happen, and offered extra information about their rights.

What do you need to do?

In preparation and post 25th May we will be assisting our clients in doing their due diligence. With future sales of prospect B2B email lists we are going to provide our clients with a copy of our data due diligence documentation before purchase. You will be expected to do an Impact Assessment to assess if your processing is relevant and appropriate. We will help with running balancing tests that ensure you are correctly targeting the right contacts. We can advise on any other necessary processes such as sending a data privacy notice on immediate purchase of an email list. We aim to help our clients as much as possible so that they understand the process and implications of GDPR.

What do we need to do with our clients?

We clearly have a responsibility to comply with the new law ourselves. This includes the need to ensure that, when we share personal data with you, it will be in good hands. Therefore we have to do our own due diligence on our customers. You will notice that we are asking you more questions, for instance about your lawful basis and data processes.

I would like to know more…

There will be certain things you will also need to do in order to be compliant with the new legislation – talk to one of our experts to see how you can benefit from using Emailmovers GDPR ready data.

We will be updating all of our customers on the latest developments from the EU regarding data protection and the GDPR, in the run up to May 2018.

Our team of data protection experts are on hand to support any requirements or questions you may have regarding data protection and GDPR. Please do not hesitate to contact us for further advice and information on compliance@emailmovers.com.

Get In Touch With Us!

Call us on 01723 800030