What is personal data?
Personal data is any information that relates to an identified or identifiable living individual. A data supplier must be able to demonstrate how and when they obtained the data, from whom, under what lawful basis it was collected, and why that basis still satisfies the GDPR today.
What is the difference between a Data Controller and Data Processor?
It is essential that any organisation involved in processing personal data is clear as to their role and responsibility.
- Data Controllers determine the means and the purpose of processing personal data.
- Data Processors process data on behalf of a controller.
Under the GDPR, everyone in the data processing chain, controllers and processors alike, carries responsibility for the care of personal data.
Are you dealing with the Data Collector or Data Aggregator?
It’s important to establish the provenance of data, so stay as close to the point of original collection as you can. Work directly with collectors where possible; if you use a broker or aggregator, ensure they can show a clear view of the data’s origin and have completed the relevant due diligence documentation.
Due Diligence forms
Get due diligence forms completed by your suppliers, but don’t stop there. Due diligence should be an ongoing process, not a one-off exercise at the start of the relationship.
Should I only buy ‘Consented’ data?
There are six lawful bases for processing (Consent, Contract, Legal obligation, Vital interests, Public task and Legitimate interests). Either Consent or Legitimate Interests could be acceptable for different forms of direct marketing. Neither is ‘stronger’ than the other; what matters is establishing the most appropriate basis for the type of processing conducted and being able to show why.
What constitutes consent?
The standard for obtaining consent is higher under the GDPR. Consent must be a “freely given, specific, informed and unambiguous” indication of the individual’s wishes, given by a statement or by a “clear affirmative action.” Pre-ticked boxes, silence or inactivity do not meet this standard.
What about Third Party consent?
A data collector may collect consent from a consumer for other organisations to process their data; this is third party consent, and the GDPR requires that the third parties relying on it be named. Listing categories of third-party organisations is not enough to give valid consent under the GDPR. If your organisation was not named at the point of collection, consent cannot be relied upon as your lawful basis, and another basis, most likely Legitimate Interests, will need to be established for your processing.
If your supplier relies upon Legitimate Interests as the lawful basis for processing personal data, they should be able to share with you the Legitimate Interests Assessment they conducted, demonstrate that they clearly informed people what would happen to their data, and show that consumers were given the opportunity to object.
What about withdrawal and the right to be forgotten?
It must be as easy for a consumer to withdraw consent as it was to give it, and withdrawal must carry no penalty. Withdrawal of consent is not the same as being forgotten: a data supplier needs to retain a minimal record of a consumer (a suppression entry) in order to ensure they no longer communicate with that consumer. A consumer may separately request to be forgotten, in which case the data supplier should explain the implications of that choice, including that suppression will no longer be possible, before complying with the request.
What if I do it wrong?
Fines under the GDPR can reach €20m or 4% of annual global turnover, whichever is higher, and liability extends along the supply chain; marketers therefore need to choose their suppliers carefully.
Are there any Trade Bodies and/or Regulators?
In the UK, any organisation handling personal data is regulated by the Information Commissioner’s Office (ICO). The Direct Marketing Association (DMA) is not a regulator but a trade body whose code of practice sets standards of behaviour for its members in the direct marketing industry.