Answers to questions from DP2016 Update | DMA


Below are questions submitted to our experts during the DP2016 Update conference in September. We didn't have the time to respond to all the queries in the live sessions, so we have answered those questions below:

Consent and legitimate interest

  • Can a company process data using both consent and legitimate interest, for example calling those not on the TPS and getting consent to provide to third parties?

Technically yes, but if you want to contact the person again you might want to get consent for your own marketing. General third party consent would not be allowed - you would have to name the company that was going to call.

  • Is legitimate interest broadly equivalent to calling those individuals not registered with the TPS?

Legitimate interest means that you would have to be able to demonstrate that it was in the legitimate interests of your business to call people not registered on TPS. For example, if they had been customers or if they were people you had selected because they were likely to be customers. Just not being on TPS would probably not be a sufficient reason.

  • So is it going to be all opt-in?

No, if you can show that your business has a legitimate interest in contacting certain people then you can use the traditional opt out channels of mail and phone (with TPS).

  • If not all opt-in now, isn't it just a matter of time and that it is inevitable?

Email and SMS have always been opt in. There are no plans at present to make mail or telephone opt in.

  • We collect workplace teacher email addresses without their consent. Our understanding is that for schools this will remain unchanged.

This will remain the same. You should offer an opt-out in your first email communication.

  • Charities are now being advised to renew their consents for phone fundraising every 24 months. Is that fair or overly zealous?

This advice is a recommendation from a working party that has been submitted to the Fundraising Regulator. The Fundraising Regulator will most likely have a broader consultation before updating its code of practice.

  • We hear a lot about sector level consent in guidelines to PECR. How should organisations interpret this as there seem to be many variations in privacy policies?

Sector level consent is only needed when you are collecting email addresses for third party marketing. The sectors should be small, so house insurance rather than general insurance.

  • How long does consent last? Would customers expect different lengths of consent depending on the product and how often they might purchase e.g. shampoo v car?

There are no specific time limits in the legislation for consent. The ICO's guidance suggests that first use of third party should be no longer than six months. They also say that consent decays over time. Some products could justify longer periods between communication such as annual insurance or the purchase of a car, but I think it would be hard to argue that periods longer than two years would be appropriate either between communications or from initially gathering a person’s data.

  • Question for consent session - under GDPR, does legitimate interest only begin once a person becomes a customer? If person declined your product, how can you market to them?

No, legitimate interest is not just for customers. If you can demonstrate you have a relationship, that may well constitute legitimate interest.

  • Do you think that due to higher bar for consent, organisations are likely to rely more on Legitimate Interest?

The concept of 'legitimate interest' is not new. If companies have been relying on this to communicate with consumers they can continue. It only applies to opt out channels (mail and telephone (with TPS)). I think that under GDPR companies will make a greater effort to show the benefits of opting in to communications and make sure it has real value for the consumer.

  • How much proof of consent is required? If all done over the phone are the answers recorded in a database enough or are the actual call recordings required?

The legislation says that it is a company’s responsibility to prove that consent was given. We may have to wait until the guidance from the ICO is published to see exactly what they will accept.

The right to be forgotten

  • How will I stand if a person asks to be forgotten... and then I get their data from a third party when I no longer have their data to suppress against?

The legislation says that you do not have to 'forget' all aspects of a person's data if there is a legal reason for keeping it. Suppression from further marketing is a legal reason so you could keep just enough data to prevent that person from being contacted.

  • If models / segments aren't updated daily are we falling foul of the regulation if customers have opted out since we built the model / segment?

The analysis could probably go ahead including a customer who subsequently opted out, but the results of the analysis would not be able to be applied to that customer.

Implications for B2B marketing

  • Can you advise how consent for marketing to B2B vs B2C under GDPR?

The minor differences between B2B and B2C will remain after the GDPR comes into force. Sole traders and partnerships are treated as consumers. Employees of limited companies, LLPs and Government departments can be emailed without prior consent but can object to their work email address being used for marketing.

  • PECR treats B2B marketing to Corporate accounts differently to B2C. B2B is opt out. Does this still apply in data collection and use for electronic marketing?

This will still apply when collecting email addresses of corporate employees for use in marketing.

  • B2B has been opt-out therefore no consent - will post GDPR require consent to be gained?

No, the rules for corporate employees will continue to be opt-out from marketing. For sole traders and partnerships, it is opt-in as they are treated as consumers.

Impact of Brexit

  • Do you think GDPR has dropped in importance across boardrooms as a result of the referendum result?

There may have been a downgrading of GDPR in some boardrooms since the Brexit vote, but it is likely that this has now returned to the level it should be given we will all have to comply with GDPR for some time before we leave the EU.

  • Assuming the UK adopts a version of GDPR post Brexit which parts (if any) would you like to see tightened and which parts relaxed?

I think the proposed data protection reform is in principle reasonable and proportional. The guidance published by the ICO will hopefully hold to the spirit of this.

Implementing GDPR

  • How will the GDPR have an impact on how you market to your former customers by channel?

If you collected your customers' consent then you market to them in whatever way they agreed to. If you do not have evidence of customers opting in to email or SMS you can still communicate with them using the traditional opt out channels, mail and telephone, as long as you screen against TPS and provide an opt out mechanism with each subsequent communication.

  • As a consumer, how much time (each week say) am I going to have to spend on my privacy and data checking?

Hopefully, whatever it is, it will be less time under the new legislation, as privacy policies will be clearer and more transparent.
