Did You Know: GDPR
GDPR is here to stay.
It is still a hot topic and causing a lot of debate.
As with all data-related companies, we did our due diligence in preparation for 25th May 2018.
Our ISO 27001:2013 certification requires that we comply with all relevant legislation and that the data we hold is strictly controlled and secure. We have signed contracts with each client with details of their data requirement for each mailing.
In addition we have made our directors and management staff aware of their responsibilities under the new GDPR ruling.
Learn how ADM implemented GDPR
ADM is a mailing house, providing the best direct mail in the business. We cannot offer legal advice on GDPR but we can give you an overview of how we and our clients prepared for the introduction of GDPR.
GDPR was talked about for a long time – all sorts of horror stories circulated. For lots of people it remained on the 'too hard to do' pile for a long time!
Once we realised that GDPR was here to stay, we first had to understand the purpose and the scope of this new legislation and how it would impact on our business and that of our clients.
GDPR is an extension of the Data Protection Act that we are all familiar with. It came into force last week – 25th May 2018. It applies to controllers and processors of personal data.
A controller is responsible for how and why the personal data is processed.
A processor is responsible for the processing of data on behalf of the controller.
So in terms of a direct mail project, our clients and/or our clients' third-party data providers are the controller, whereas we at ADM (a mailing house) are the processor.
GDPR applies to all controllers and processors of personal data within the EU and also to organisations outside the EU that are offering services to EU individuals.
Because we have ISO 27001 in place, the only major internal change we had to implement was contracts with each client detailing the on-going mailing programme and, in particular, details of the data processing requirement. These details can include how we will receive, process, store and eventually delete your data files.
For our clients, the data controllers, the biggest headache is establishing the legal basis for processing their data. There has been a lot of discussion and conflicting views on this point.
Under GDPR there are 6 legal bases for processing personal data. From a direct mail standpoint only 2 apply. These are consent or legitimate interest.
The definitions for both are made clear:
Consent is defined as ‘any freely given specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Legitimate interest applies where processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
GDPR states that processing of personal data for direct marketing may be regarded as carried out for legitimate interest.
One point that did not become clear until relatively late in the process was that, as a processor, you cannot ask for consent but, if this is not granted, then opt for legitimate interest.
In the UK the ICO will oversee the implementation of GDPR – they are, if you like, the GDPR police. Their website, and in particular their blogs, are very useful: www.ico.org.uk. They do have the power to issue huge fines but, to quote from the Commissioner’s blog, ‘the law is not about fines. It’s about putting the consumer and citizen first’. Fines would be used as a last resort.
What will be the overall impact on direct mail? In truth, only time will tell. There will undoubtedly be less clean data available, naturally making it more expensive. There are usually ways to mitigate some of these additional expenses – moving to unwrapped mailing, increasing the number of third-party inserts and making sure all the correct postal discounts are in place are a good place to start.
We see signs of mailings becoming more focused, more intelligent. Volumes may not necessarily increase but frequency of mailings looks likely to.
RM recently issued GDPR Opportunity with Mail, which highlights opportunities and the changes that you can expect to see – well worth a read. w.mailmen.co.uk/gdpr
Finally, it goes without saying that Advanced Direct Mail, as always, will be here to help you get the most out of your marketing campaigns. We pride ourselves on the service we provide and supporting our customers is key to this.
Maybe you are considering an additional mailing directly relating to GDPR. If so, please talk to us first to check if you will qualify for a 15% postal discount.
So of course, if you have any questions about GDPR (or your direct mail marketing), please contact me, Julie Ray, on 01384 215790 or Julie@advanceddirect.co.uk and I will do my very best to help you.
I rely on the following three websites to help me sort the facts from the fiction.
Royal Mail – www.mailmen.co.uk
Not surprisingly you will find interesting and relevant information on GDPR that is primarily focused on direct mail. These pieces cover the impact that the new legislation will have on direct mail campaigns, looking at data collection and consent and legitimate interest under GDPR. The GDPR Opportunity with Mail – The Key Facts is a really useful document. Worth a read.
Information Commissioner’s Office – www.ico.org.uk
The ICO are, if you like, the policemen – they will ensure that GDPR is implemented correctly. They are therefore a useful information source. This website focuses on all things data and, more specifically, data protection and privacy. They have a plethora of articles and blogs relating to GDPR.
Direct Marketing Association – www.dma.org.uk/gdpr
This is a great website to browse for various subjects relating to GDPR, including the DMA GDPR Guidance: Consent and Legitimate Interest.