Legal Hub - GDPR Practitioner Advice
02 May 2018
The DMA Email Council's Legal Hub has created a series of GDPR questions and answers to assist practitioners to understand the regulation and directly tackle some of the most burning questions in the industry.
Q: If you are a service provider (SaaS, ESP, or another data processor) should you handle SARs yourself or refer them to the data controller?
Written by Steve Henderson, deputy chair of the DMA Email Council and compliance officer at Communicator.
If you are a service provider your contract should detail the updated responsibilities under the GDPR, including this process. If your contracts have not yet been amended, see the ICO data processor/controller contract guidance:
I think that in most cases it should be the data controller who takes the lead on SARs for a number of reasons:
- The controller should verify that the person making the request is the actual data subject
- It’s likely that the controller has more than one data store and service provider, so the SAR should be handled and coordinated centrally
- The controller may have to adhere to industry standard “data portability” requirements
- The controller may have to handle follow-up requests, such as requesting that data is amended, deleted or no longer processed – and only the data controller can determine what should be done in these situations.
The data processor does have responsibilities which should be detailed in the data controller/processor agreement. The processor should be able to pass any SARs they receive to the data controller quickly and efficiently so that the controller can fulfil their obligations. The processor should also have processes or systems in place to allow the data controller to obtain the required details necessary to respond to the SAR.
Q: Can we use legitimate interest as the legal basis for email marketing to purchased data?
Written by Simon Jeffs, member of the DMA Email Council and director at List Genie.
The purchase of data or a record implies its transfer of title, becoming the property or asset of the brand. So, any brand looking to buy a record for its own use, and thus become the named data controller, must get consent to that effect at the point that record is collected.
A common practice where data is bought is through the supply of leads via credible lead generation providers. These organisations facilitate data collection on behalf of brands who are clearly named at the source where data is collected and the data subject informed of the transfer of their details to the brand to communicate with them.
It's important therefore to distinguish this from list rental, where a brand may wish to use a list collected by a third-party data controller. In such circumstances, the brand advertiser will not be a third-party data controller, as they will neither receive, process nor own the data and instead use a hosted mailing model whereby the data controller has sold space in the body of their 'newsletter'. Under such circumstances, the data controller may wish to justify their support for transmitting third-party adverts on the basis of legitimate interest.
In summary, leads can be bought and require consent; lists or space can only be rented, ideally where a hosted model is in play. The DMA has guidance on this. A legitimate interest basis might be applied by the organisation offering a hosted rental solution.
Q: Can I bundle opt-in for multiple brands together?
Written by Nick Crawford, member of the DMA Email Council and director at Twist Consultancy.
The ICO guidance on this is clear and simply put. If you are a single entity trading under several different names, you should not assume that a customer opting in to marketing from one brand is consenting to marketing from all your brands.
Consent must be informed and ‘granular’, and customers may not even be aware of any connection between the brands. You may also find it difficult to rely on the soft opt-in, as this only applies to similar products and services.
If you want to use one list for all your trading names, you should list them all clearly when you obtain the opt-in.
If an individual opts out of marketing from one trading name, you should assume this opt-out applies to all your trading names unless they make it clear otherwise.
Q: Can I incentivise an opt-in e.g. with a competition? If so, are there limits to the incentive?
Written by Steve Henderson, deputy chair of the DMA Email Council and compliance officer at Communicator.
Yes, you can incentivise.
Recital 42 says:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
This language doesn’t really help. Thankfully the ICO guidance (https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf) is very clear on the matter: don't coerce or force your customers and subscribers.
It may still be possible to incentivise your re-permissioning campaign to some extent – there is often a benefit to signing up to receive emails. However, in order to make sure permission is freely-given, marketers can’t make consent a condition of a service, can't unduly incentivise and "must be careful not to cross the line and unfairly penalise those who refuse".
If you use an incentive in your campaign, don’t make the call to action all about an incentive. The call to action should still be about the permission.
The best way is to give the incentive to responders, rather than subscribers, giving the incentive regardless of whether they opt in or opt out.