GDPR Preparation: The Pitfalls of Customer Marketing Preferences

The implications of the impending General Data Protection Regulation (GDPR), which comes into effect in May 2018, are already catching UK corporates. In trying to ensure that they have consent for the customer information that they hold, both Flybe and Honda UK have been recently hit by fines for not following current laws correctly. As businesses look to obtain stronger consent for the use of data in preparation for the new regulations, your business needs to ask itself ‘have you done enough to avoid the costly consequences of failure to comply?’

Flybe and Honda UK were fined £70,000 and £13,000 respectively for breaching the current Privacy and Electronic Communications Regulations (PECR) when they sent emails to their customers asking them to update their marketing preferences. These two recent enforcement decisions by the ICO demonstrate the importance of considering your current legal position before trying to prepare for the new rules.

The problem for both companies was that these emails were in themselves “direct marketing”. There is still a requirement to have some level of consent in order to send the emails, even though it is a lower standard than that which will come into effect next year. When Flybe sent emails to people who had previously opted out of marketing, and when Honda UK emailed people who had previously bought cars from Honda dealerships where there was no record that they had consented to marketing, they breached the existing laws. The fact that they were doing so with good intentions in order to prepare for GDPR was not itself a valid justification for the breach. This has made businesses reconsider their approach to refreshing consent.

The good news is that while the Flybe and Honda decisions underline the need to take care when planning any campaign of this nature, they do not completely shut the door on obtaining refreshed consent as long as it is done in line with existing rules. There is no one size fits all strategy and it is important to understand what consents (or refusals of consent) your business has currently before formulating a strategy to put better consents in place:

• Is your problem that you have consent but it was obtained using pre-ticked boxes?
• Do you have a large number of customers who have previously opted out and who you would like to contact to see if they have changed their minds?
• Do you have old data where marketing consents were obtained but you have never actually sent anything and are worried that the consent is now too old to rely on?
• Is your problem that you don’t have accurate records of what consent you have?
• Did you buy in a marketing list and are unsure as to whether the individuals were aware of how their details would be used?

Each of these will require a different contact strategy taking into account the legal requirements, the costs of different methods of communication, and the likely response rate to different forms of request.

It is also important to ensure that, if you do refresh consents, you keep accurate records of the new consent received in line with ICO guidance. This needs to go further than simply recording yes or no against a customer’s name and needs to be sufficiently specific and granular to demonstrate exactly what the consent covers. Carrying out a consent refreshing exercise without having record keeping systems meeting GDPR standards in place would be a foolish exercise.

In taking enforcement action against Flybe and Honda, the ICO has given a timely reminder that GDPR preparations cannot be seen in isolation nor as starting from a blank sheet of paper – you need to take account of your current state of DPA compliance and develop a tailored plan that keeps your business protected from unwanted fines and sanctions.

(Source: Shulmans LLP)