Data Best Practice: Acquiring New Data under GDPR - A Case Study
21 Jul 2020
In this, the last of the Best Practice Hub’s recent mini-series on the DMA Data Guide, we are taking a look at compliant data acquisition in the age of the GDPR.
Following widespread concern and confusion around compliance after May 2018, there was a dip in usage of cold information for database expansion, particularly within the charity sector.
Now, with time has come clarity, not only for marketeers but also for consumers who are becoming increasingly aware of their rights, the flow of their data and how to act to stop it, if required.
Here we look at an international aid charity (“W”) who looked to acquire prospects to boost their database and how they managed this in compliance with the law.
Step 1: Remembering the 7 Ps
We all know that Proper Planning and Preparation Prevents … yes. Charity W understood that under GDPR there are extra due diligence checks alongside the requirement to demonstrate accountability. So instead of rushing in, they gave themselves several weeks' lead time to ensure they could fulfil their responsibilities.
Taking a measured approach helps facilitate data-protection-by-design. Rushing leads to corner cutting, especially when things might not be as smooth as anticipated. Errors at this stage can be exposed down the line with complaints under GDPR.
Step 2: Understanding the rules
Charity W already ran successful warm direct marketing campaigns, so looking to add in a cold pot of data to a planned mailing made practical and economic sense. This communication route also offered flexibility both in terms of using legitimate interests to process the data as well as presenting the opportunity to tailor and personalise the communication.
Different marketing communication channels have varying legal codes, so knowledge of the channel is key. Legitimate interests is a flexible alternative to consent, especially for charities who are unable to rely on the soft opt-in. Running a legitimate interest assessment (LIA) fulfilled accountability obligations, showed consideration for the individual data subject and also highlighted key due diligence checks.
Step 3: Carrying out due diligence
In their preparation, the Charity had identified key compliance checks that needed input from their nominated third-party data broker, which then had to be captured and approved or rejected. This included confirmation on:
- What is/are the data source(s)? Are they registered with the appropriate Supervisory Authority?
- What is the recency of the data?
- Does the data contain any individuals who have complained or exercised their rights under GDPR?
- Has consent been obtained?
- Was there sufficient information for the individual to expect to be contacted by Charity W?
In practical terms, the Charity put together a table with a set of criteria - based on the above questions - that lists needed to meet to be acceptable to use.
Firstly, they decided to disregard data lists older than six months based on recency of signing up to the data source (and awareness of the permissions given at that stage).
All data where there was a complaint, a right exercised or an issue was immediately dismissed.
The GDPR is clear that records of consent must be obtained. What proved more problematic (and a huge time sink) was reviewing how consent was obtained. To fulfil their own accountability, the Charity requested and then logged all data capture forms per list, reviewing each for transparency, checking accompanying information for clarity and reading relevant privacy policies, all to ensure that the data subject was fully informed.
Where there was limited information on third-party sharing, the list was rejected. Where third-party sharing with charities was mentioned, it was put “on amber”; with over 185,000 charities in the UK, the charity asked: is this enough clarity? The clear preference was working with lists that stipulated sharing with types of charities (which were given the green light).
As you can see from the example table above, the lists that met all the criteria - particularly with third-party sharing considerations - were limited. The supplier went back to the drawing board on list availability, whilst the organisation met with internal compliance on those questionable “ambers”, until both parties were reassured they had lists of the size and compliance to fulfil the marketing brief.
It’s important to never underestimate that this stage may take some time. If you are looking for a list supplier, the DMA member directory contains suppliers who have passed the DMA’s Compliance Audit, which is independently audited. You can find this here.
Step 4: Keeping the potential customer front and centre
Whilst the charity had factored in personalisation and engagement in the outbound communication, they also realised there was back-end work in preparing for questions from those data subjects that they had gone out to.
Pre-empting this, their internal customer service teams were provided with guidance on appropriate responses to inbound calls and emails from the cold audience. By being better prepared to answer queries and provide information, they helped instil confidence and increased the rapport with their cold contact.
Step 5: Cleaning up
Finally, in line with the data limitation principle, they ensured that they only retained the data of those who had engaged with (responded to) the outbound marketing campaign. Records of those now-warm contacts were appended appropriately for ongoing accountability and – where required – individuals were added to ‘Do Not Contact’ lists.