Are individuals prepared to forego their privacy for convenience?

Friday, 13th March 2020

Guest blog by Grace Roddie, Solicitor – Technology and IP, TLT.

Individuals are increasingly aware of the data they are giving away online.

This has been driven by a rise in media coverage of your “digital self”, the General Data Protection Regulation (GDPR) and high-profile data breaches.

While it is widely accepted across the retail sector that consumers are willing to provide their information to companies in exchange for convenience or a benefit (how many times have you consented to receive marketing from a company in exchange for a freebie?), challenges arise for businesses when individuals decide they want their privacy back.

Individuals have a number of rights under the GDPR, including the right to withdraw their consent for their data to be used for direct marketing. They also have a right to object to their personal data being processed for direct marketing purposes.

It is paramount that companies have processes in place to enable them to act quickly and to unsubscribe individuals, placing them on suppression lists. This can be a burden where marketing lists are set across different databases. In this case, businesses should undertake appropriate due diligence to ensure that no further marketing is sent to those individuals.

Since the GDPR was implemented, individuals have a right to receive compensation where they have suffered material or non-material damage because a company has breached the law. In addition to dramatically increased numbers of complaints regarding marketing, savvy consumers are issuing claims against companies where they have received direct marketing emails after allegedly unsubscribing.

This emerging claims culture is proving to be an additional burden on businesses when dealing with their direct marketing compliance obligations. Our three top tips for businesses to help mitigate the risk of any customer complaints and claims are:

  1. Review your customer journey. You should review the stages during the customer journey: where personal data is collected, the information provided at these stages and the lawful basis you are relying upon to undertake direct marketing to individuals. Is your privacy information up to date? Are you obtaining valid consent?
  2. Keep a record of consents. You should have an effective audit trail of how and when consent was given, so that you can provide evidence if challenged. In light of increasing numbers of complaints from individuals, you should ensure you have a record of what individuals were told at the time they provided consent.
  3. Policies and procedures. Documentation is key to evidence your compliance with the accountability principle under the GDPR. Ensure you have policies in place relating to your direct marketing practices, and consider whether data protection impact assessments should be undertaken. In many cases, the Information Commissioner’s Office (ICO) is sceptical about the use of legitimate interests as a lawful basis for marketing. If you are marketing on this basis, ensure you are undertaking and documenting the “balancing test”.

The ICO recently closed its consultation on the draft Code of Practice for Direct Marketing. While there is currently no indication of when a final version is expected, this will be a statutory code of practice to provide guidance to those undertaking direct marketing or operating within the broader direct marketing ecosystem. Businesses should therefore ensure that they review their marketing practices and undertake the above steps in preparation for publication of the final code.