The EU General Data Protection Regulation (GDPR) forms one of the most important pieces of privacy legislation to take effect in Europe since the 1990s. It becomes enforceable from 25th May 2018.
The GDPR replaces the Data Protection Directive (95/46/EC) and is designed to align data privacy laws across Europe, to protect the rights EU individuals have on their data and to reshape the way organisations across the region approach data privacy.
GDPR extends to the UK all the time it remains part of the EU and will likely continue to apply beyond Brexit.
Incisive Media is committed to best practice and to complying with EU data protection requirements relevant to us as a data controller and processor and we will be GDPR compliant when it becomes enforceable on 25th May 2018.
What do we do currently?
Currently, Incisive Media informs attendees of sponsored events and webinars, and downloaders of sponsored content or surveys, that it will pass personal data to the sponsoring third parties.
People who have attended a sponsored event or downloaded sponsored content will have consented to the sharing of their personal data with the sponsoring third party based on these terms and their purpose. Their agreement is both time and date stamped.
Options under GDPR for processing customer data
There are three main considerations from 25th May: (1) PECR, (2) legitimate interest and (3) consent.
1. Contacting people using corporate email addresses under PECR
It is important to understand the Information Commissioner’s Office (ICO) distinction between ‘Individual’ and ‘Corporate’ subscribers as this classification will alter the way in which we process data at Incisive Media.
‘Corporate subscribers’ are people using contact details from companies, LLPs, Scottish partnerships and government bodies.
Contact with ‘corporate subscribers’ is covered by the ‘legitimate interest’ ground for processing and is also permitted under PECR. For more information about this, see below.
The majority of our subscribers are ‘corporate subscribers’ and the Privacy and Electronic Communications Regulations 2003 (PECR) allow us to contact people via their business emails.
Under PECR we can contact individuals via their corporate email address and we do not need to have their consent or have had any previous dealings with them. Most of our marketing targets are business contacts rather than consumers so PECR is helpful here. However, they have certain rights, particularly where their name is part of their address, including the right to be added to the ‘do not contact’ preference services or to ask us not to contact them again.
We can pass their details on directly to our sponsors. At that point, the sponsor will also become a data controller of their details and must also be compliant, including providing the subscriber with certain information required under GDPR.
‘Individual subscribers’ are sole traders, some partnerships and those using a non-corporate email address.
Contact with existing ‘Individual’ subscribers to Incisive Media’s products and services, and new subscribers between now and 25th May 2018 is, and will be considered to be, permitted under PECR as it is solicited.
Update to Privacy and Electronic Communication Regulations (PECR)
The existing PECR will be superseded by the e-Privacy Regulation. The e-Privacy Regulation was originally supposed to coincide with GDPR but is still in draft form and therefore we await further guidance.
However, in brief, the draft Data Protection Bill refers to PECR and so long as it continues to apply, we may continue to target business contacts with whom we have had no prior relationship, subject to the usual safeguards.
2. Contacting people using the grounds of legitimate interest
Legitimate Interest is another lawful basis for processing data under the GDPR and is essentially the same as the equivalent Schedule 2 condition in the 1998 Data Protection Act.
Legitimate interest enables the data controller to undertake marketing for their own business or a third party so long as the data is used in ways that the recipients of the marketing would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
When using legitimate interest as a basis for processing, it is essential to balance the assumed interests against the individual’s. If they would not reasonably expect the processing, their interests are likely to override the legitimate interest ground.
By relying on legitimate interest rather than consent to process personal data, Incisive Media understands that we take on extra responsibility for considering and protecting people’s rights and interests and we guarantee that we will do this.
3. Contacting people using the grounds of consent
Consent is another lawful basis for processing data and the GDPR is clearer than the Data Protection Act (DPA) that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in).
It bans pre-ticked opt-in boxes, and requires individual consent options for distinct processing operations.
Consent should be separate from other terms and conditions and should not generally be a pre-condition of signing up to a service.
Relying upon consent has its complications, which is why we will be seeking to rely upon PECR or legitimate interest. However, where we intend to pass on to our sponsors details of ‘individual subscribers’ for sponsors to contact them directly, we will obtain consent from those individuals from 25th May 2018.
Handling unsubscribe requests
All of our emails, whether to individual or business domains, have simple, highly visible unsubscribe links. We will record and act upon any unsubscribe requests. This applies whether we have sent them emails based on consent or under PECR.
Incisive Media is confident of being GDPR compliant. We are certain that we fall within the scope of PECR for ‘corporate subscribers’.
After 25th May 2018 Incisive Media will generally use the lawful basis of Legitimate Interest to contact ‘individual subscribers’ new to Incisive Media.
Also, we are confident that we will be able to pass delegates’ and downloaders’ details to the sponsors of the events and content on the lawful basis of consent as appropriate.
We will continue to review our position under the e-Privacy Regulation and will track further guidance from the ICO and the Article 29 Working Party on the GDPR. Once this is released we will revisit our processes to ensure ongoing compliance.
If you have any queries regarding this statement or would like to discuss it further please contact Emma Scheck on 020 7484 9841.