If you work at one of the thousands of companies waiting for guidance from the Information Commissioner’s Office (ICO) on the new General Data Protection Directive, you may have ignored last week’s release of an updated set of guidelines for direct marketing (DM). On the other hand, if you ignored these two years ago when they were first published, you could be in trouble.
It might seem odd that the most recent publication by the ICO is on DM, an activity that digital marketers assume died with the birth of the internet and big data practitioners have probably never heard of. More fool them, for two reasons. Firstly, that most of what digital marketers do falls under the description of DM used by the ICO - “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. Secondly, because most big data sets will be reclassified as personal information by the GDPR and so will transform into activities regulated by the ICO.
So, while waiting for specific GDPR guidelines and before pressing send on your latest email marketing campaign, it is worth taking a careful look at what the guidelines have to say. The first thing to note is that, when compared side-by-side with the 2014 version, there is relatively little in them that is new. That is, unless you are a charity, political party, other not-for-profit, or you operate an outbound telemarketing operation and don’t screen against the Telephone Preference Service.
Between the lines of the guidance, it is clear to see that the two biggest data stories of the last few years have had an impact - nuisance calls and the charity data sharing scandal. As a result of the first, the ICO got enhanced enforcement powers which are heavily referred to in the DM guidelines. The second has drawn the biggest rewrite with a standalone section on NFP and third sector marketing. For the avoidance of doubt, the ICO writes that “not-for-profit organisations are not exempt from either the DPA or PECR and therefore will need to ensure that their activities comply with the law.”
For all other organisations, it is worth taking a close look at how the ICO views unsolicited marketing as still being a thing, even when a customer has generally opted-in to marketing (see section 56). The note on consent to marketing is probably the closest these guidelines get to indicating how the ICO will view this issue under GDPR. Specifically, it must be “freely-given” and must not be a condition of subscribing to a service, for example.
That view has a real impact given the biggest achievement of lobbyists on GDPR was to get marketing recognised as a legitimate business interest. When the Regulation becomes law, one consent to data processing during a transaction might be considered valid for ongoing marketing. Yet these ICO guidelines suggest a different view in which this is not acceptable practice.
As with the Regulation itself, there is nothing in these guidelines to concern companies which operate their data processes transparently and fairly. Only the thorny issue of the shelf-life of permission - which the ICO broadly sees as lasting for six months (except where a product or service is annually renewable) - could trip up some DMers. But even this was stated two years ago. So, if your marketing function did not adjust its processes then, it could find the arrival of GDPR particularly challenging.