Question: If a user purchases or enquires through your website, can you still market to them after May 25th 2018? Or would the customer have to specifically opt in for this in order to do so?
This is a big one as I know quite a few of our e-commerce clients, and many sites out there currently do this.
Recital 47 of the GDPR says direct marketing is a legitimate use of personal information. Legitimate use is the lawful basis for processing personal data lawfully (one of the 6 that can be used lawfully to process personal data, consent being another key one for marketers). So the answer is yes, providing you can cover all the requirements in the appropriate sections of the Direct Marketing Checklist.
ICO states the most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission.
However, there is an exception to this rule. Known as the 'soft opt-in' it applies if the following conditions are met;
- where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
- where the messages are only marketing similar products or services; and
- where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.
When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.
Yes, if they’ve covered all the requirements in the appropriate section in the Direct Marketing Checklist.
To make sure you are GDPR compliant, there is a strong focus on auditable records. Recording interactions such as ‘soft opt-ins’ with prospective client's helps provide you with evidence to show the UK Authority your lawful basis for processing personal data, or in other words, sending them direct or postal marketing. Always think to yourself, if a person filed a case against you with the ICO regarding a data breach or misuse of personal data, can you provide the ICO with evidence that is legally sound.
For more crucial insights into GDPR and preparing for 25th May 2018, read another from SOZO’s GDPR Blog:
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO - https://ico.org.uk/)