Yes GDPR Also Affects Marketing
Does your Marketing Process Comply with the GDPR?
Email contact lists are the bread and butter of the many companies who compile them and make them available for sale. The lists are bought by businesses that want to market to a particular level of employee, a certain senior management position across multiple businesses or even consumers who match a specific geographic and demographic profile.
Sometimes huge databases are bought, broken down into multiple categories and sold on to small businesses with very specific needs.
Any marketing mail or email must include a declaration, detailing the method the recipient can use to exercise their right to give you notice to stop processing their data for marketing purposes. This cannot be buried in the text of the marketing message but must be a clearly separate statement.
You must comply with the instruction immediately on receipt or you’ll be in breach of the law. In these circumstances you are able to retain the data subject’s information for a single purpose – so that you no longer include them as a recipient for marketing material.
However, the law is flawed because the legislators don’t always understand how data is used. You have no responsibility to pass on the ‘desist from processing’ instruction from the end recipient to whoever sold you the list. Even if you did that, the seller has no obligation to comply with your request for the data to be altered, because you’re not the data subject.
The next time you buy a list it becomes your responsibility to clean it so that you don’t send out marketing to someone who has asked you to stop. You may think that this is going to be a simple job, because you’ll already have on record those who have previously requested that you cease to process their data for marketing purposes (your ‘suppression list’).
Catch 22.5 – The Right to be Forgotten
However, what if the data subject took things a step further? GDPR supports the principle of the ‘right of erasure’ (also sometimes referred to as the ‘right to be forgotten’) under which individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
In theory, this seems to imply that when an individual (a data subject) has invoked this right you’ll no longer have a record of who they are, so you’ll be unable to delete them from the list. Because of the way the legislation is constructed, you won’t even be able to retain a paper list of those who have asked for their data to be deleted, since this would be regarded as ‘part of a data system’.
This principle indicates that an entire sector in the marketing chain could be taken out in a single stroke. However, under GDPR (Recital 65) you will be able to retain a copy of the “erased” data for certain limited purposes (including “for compliance with a legal obligation” so, in effect, you will be able to maintain your own ‘suppression list’. This continues to result not in the actual erasure of personal data but rather in suppression.
Under GDPR you will also have a duty to tell anyone to whom you have disclosed the data about the subsequent erasure, unless it is “impossible or involves disproportionate effort to do so” but that duty does not extend to telling anyone who provided you with the data in the first place.
The originators of the data, therefore, will be in the position of retaining and supplying (processing) personal data of a data subject who has already put in effect their right of erasure. As it stands this will not be contrary to GDPR because they will not have received the request exercising that right; as data compilers sell to many customer businesses, the same data will be re-circulated over and over to different businesses, bypassing existing suppression lists which are the responsibility of an individual organisation to maintain for its own use.