GDPR – consumer rights
Under GDPR, direct mail marketing to your existing customers is defined as being in the legitimate interest of your company and its customers. In most cases it will be sufficient to provide your customers with a clear opportunity to object when their data is collected or used.
Marketing mail is also an effective way to target new prospects and, while the details are still being ironed out, it should still be possible to buy in prospect mailing data under GDPR; just make sure that the data provider is able to demonstrate GDPR compliance and the necessary consent.
Consent under GDPR must be verifiable and a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.
You are not required to automatically refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, you need to make sure it will meet GDPR standards on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act (DPA):
- The right to be informed – you have an obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
- The right of access – individuals will have the right to obtain confirmation that their data will be processed, and to access their personal data and other supplementary information.
- The right to rectification – if data is inaccurate or incomplete, individuals are entitled to have their data corrected. If you have shared the personal data in question, you must inform the recipients of the rectification where possible and inform the individual about the third parties to whom the data has been disclosed.
- The right to erasure – in specific circumstances, individuals have a right to have personal data erased and to prevent processing.
- The right to restrict processing – when processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability – allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object – individuals have the right to object to: direct marketing (including profiling); processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and processing for purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling – the GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.