The use of personal data for marketing purposes has the potential to be one of the more contentious and sensitive areas of data protection. 
We have all heard of and perhaps experienced unwanted phone calls, texts, emails or letters from organisations we’ve never heard of or had previous dealings with. Some recipients couldn’t care less, whilst others can be very upset even angry. The Information Commissioner’s Office (ICO) has focussed much attention in recent years on organisations misusing personal data in this way. But since the arrival of the GDPR and UKs Data Protection Act (DPA) in 2018 their powers and the fines they can levy against those who transgress have been significantly increased. But to focus on regulatory enforcement and financial penalties seems to be missing the point somewhat, when ones talking about marketing. If the purpose of marketeers is to design and implement a product or service lifecycle, which the customer appreciates, even enjoys, so that they not only engage with you, possibly on a repeat basis, but are also an advocate for your organisation with friends and associates, then it seems counter-intuitive to misuse their data. So, what are some of the key data protection factors marketeers should be considering.
Firstly, the source of the personal data. Was it collected direct from the data subject by your own organisation, or has it been acquired from a third party? If you received the data direct, what was the original purpose of the collection? What Lawful Basis was cited at the time of collection? And does your use for marketing accord with your privacy notice and supporting documentation (Article 30)? Its quite possible that at this point, as well as operating in accordance with the GDPR and DPA 2018 you may also need to operate within the Privacy & Electronic Communications Regulations (PECR). Are you sure you understand these and not only the opportunities, but also the responsibilities they place upon the marketing activities?
Secondly, if you’ve acquired your marketing data from a third party, perhaps you procured it from a Lead Generation company, then you have an added layer of consideration? The supplier of the marketing “list” is a third party and your business is required under the Regulations to do a few things. Firstly, before you proceed with your relationship you need to do some due diligence. How much and of what nature will depend upon the data you are procuring and the level of risk your use of their data poses to the data subjects.
But is your supplier a reputable firm, perhaps they belong to a professional body, such as the Direct Marketing Association? And where did they get their data from and under what Lawful Basis? Assuming you are comfortable with how the organisation selling you the data came by it, then the Regulations require that there should be some form of data sharing agreement in place between you and them too.
Okay, so you are comfortable that you’ve acquired the data by legitimate means and have a lawful basis for its use in connection with your marketing activity. Remembering that your aim is to make your engagement with your audience a positive one, what are the expectations of the data subjects. Is what your contacting them about helpful and if they enquired as to how you came by their information would that accord with their expectations? Or are you going to be irritating them and revealing that their data is being used for a purpose they could not have reasonably expected? This is where your marketeers really show their value. If the contact is positive, then the data subject is likely to be more relaxed about you holding and using their data. But if your approach is clumsy and irritating you could find the object of your campaign turning the Data Protection Regulations on you and using them as a stick with which to beat you. Making Subject Access Requests (SARs), which merely impose a valueless administrative burden upon your business. But which if you don’t handle correctly, are likely to result in complaint to the Regulator and the risk of sanction to your company. Added and unnecessary cost!
Third and lastly, remember that however inconvenient you might feel the new data protection regime, its purpose is to strengthen the rights of the individual data subject to control what organisations can do with their personal data. So, don’t forget those rights. Ensure your own team understands them, in case anyone you contact wishes to exercise any of them, (such as the right to restrict, or object to your use and the right to deletion).
Finally, remember you’ve probably spent considerable time, effort and money on your marketing campaign. You want it to be a positive experience and a quick and easy way to undermine that objective is by playing fast and loose with someone’s personal data. So, make sure data protection is a consideration when you plan your marketing campaign.
If want further information regarding how you could improve your marketing team’s outputs, including data protection considerations, check out the Lonely Marketer.
Millbridge Systems recently partnered with Lonely Marketer to bring some simple and insightful online training to businesses and you can find out more here. Or why not just contact us directly with your questions?
Loading...