How do companies properly use the information collected from consumers in a way that benefits companies, customers and the market in general, allowing the production and sale of goods and services that are vital for the economy to work? How does a company develop its business while protecting itself against breaches of GDPR?

Most companies hold details of their customers: the customer’s name, address and contract details, and while they are customers this is fine. However, you do not have the right to retain the financial details of customers for any reason.

Opt-in and Opt-out:

Opt-in/out describes the process of positive action in which a user/customer takes an affirmative action to provide their consent to their information being retained and/or used by the company. Unticked checkboxes are the most common way in which opt-in mechanisms are implemented. Once a user ticks the box, it is taken as their consent for whatever consent request you made. It is not appropriate to provide pre-ticked boxes which the user/customer has to untick to decline consent.

The right to retain this information is permitted so long as the user/customer agrees to you holding their details. The details are given on the legal understanding that the processor, the Company providing the service or goods, has a robust GDPR process; it is implicit in the relationship between the consumer and the supplier.

Nonetheless, it is not data that can be sold or passed between companies, including holding companies.

Direct Marketing:

Direct marketing involves a person being targeted as an individual, and the marketer attempting to promote a product or service or attempting to get the person to request additional information about a product or service. Unaddressed mail received at your home is not covered by data protection legislation as no personal data is used. It also does not include market surveys seeking your views on, say, political matters or radio listenership preferences.

However, if the Company has had an existing relationship with the Customer, then part of the relationship may have included the right to use this information, or the Customer may have made a request to the Company, providing the information and clicking the opt-in for future marketing.

Mobile Phone:

Under the e-Privacy Regulations (SI 336 of 2011) marketing calls to mobile phones are prohibited unless the caller has been notified by the subscriber or user that he or she consents to the receipt of such calls on his or her mobile telephone, or the subscriber or user has consented generally to receiving marketing calls and that such consent to receive marketing calls is recorded in the NDD in respect of his or her mobile telephone number.

In relation to email and mobile phone text-based direct marketing, it is an offence to send such communications to the customer without their clear consent in advance. In the case of businesses, messages can be sent until such time as the sender is asked to stop, and any subsequent messages from that sender would then be an offence.

So, if you wish to market your products, you need to have three primary guides:

Data Permission-Data Access-Data Focus 

Data Permission is about how you manage the email opt-in/out process.

Data Access is the right to be forgotten.

Data Focus is where the company collects more data from a person than is needed.

Conclusion:

Ensure you have a robust scrubbing process; that is to say, examine the data you have and confirm you have the right to it. If not, contact the Customer and give them the option of opting in or destroying it.

Ensure you have a Security Protection System to prevent any access that is not necessary or approved.

Have security passwords that are more than 1234 or your name.

If you are merging or selling your business, you must contact the customer and get their permission to transfer the customer details. You must include any holding company who would also access the data if there is a change.

Therefore, it is not illegal to market your service or products, it is not illegal to use customer data where you have their permission and it is not illegal to do a blanket (no names) mailer to an estate.

You can call a customer re promotions or service where you have the customer’s permission, or if not, the customer must be able to contact you to ask you to stop. If you don’t, then it’s illegal to directly market to the customer’s mobile/landline.

 

 

The above information is a short synopsis of a very complex issue and, while a good guide, should not be taken as legal advice. Please contact ESA for specific advice in relation to any queries you have to ensure you are getting the clearest advice.