Customer loyalty schemes have extra benefits for the GDPR
The GDPR is due to finally arrive this month, and to be unaware of it or its key changes by now is highly unlikely, so this month I want to draw attention to some of the less obvious elements and highlight some of the recent changes, or the lack of them.
Firstly, the much anticipated ePrivacy Regulation (ePR) that was due to coincide with the GDPR has been delayed and, according to the ICO, is expected by the ‘end of the year’. That means that the Privacy and Electronic Communications Regulations 2003 (PECR) still apply in the interim, but with a slight complexity about consent where that is relied upon for processing.
To explain that further, there are 6 possible legal bases that you can use to justify processing data:
Whilst most people seem fixated on the first, consent, often a business or organisation can actually process and communicate on other grounds. Those who have a Customer Loyalty programme, for example, have a ‘contractual’ reason to process, and this is often overlooked. Some would argue that it is a ‘thinly veiled’ form of marketing, but that could well be the basis for lawful processing.
Much has been made of the news that ‘Legitimate Interest’ (LI) has been accepted for direct marketing (off-line), which wasn’t expected this time last year, but few seem to appreciate that with PECR still in existence, the on-line equivalent ‘soft opt-in’ still applies too. Again, therefore, there is a clear alternative when consent hasn’t been gained. A good example of this would be an abandoned basket communication. When writing this article, I was concerned that, as the contract with an abandoned basket customer hadn’t been completed because they hadn’t finished the purchase, we couldn’t use their information, so I checked with the ICO and they confirmed that we could use ‘soft opt-in’ in that situation.
Another legacy of PECR is the exemption of B2B marketing by email, which has become a significant part of B2B activity. There is, however, a complexity that will apply after GDPR: email addresses that are associated with unincorporated businesses (sole traders and partnerships) are to be treated as personal and so will need consent (again, unless there is a soft opt-in element or some other legal basis for processing). The ICO also confirmed that a personal email address associated with a corporate will still be exempt, so for example fred.bloggs@abc-Ltd.com is ok to use without consent. This situation may change when the ePR comes in, but hopefully this vital marketing will be understood and accepted by then. My advice remains, as I think the ICO herself would say, that ‘consent’ is a great place to be, so ideally accept it and aim to achieve consent so that you can rely on it.
The transition period is proving to be challenging for some, particularly the risk of the loss of significant legacy databases due to the lack of an appropriate level of consent. Hopefully, the retention of PECR will, for the time being, allow more time to transition, build new processes and rise to a higher standard. I have been sharing a ‘paradigm shift’ as the start point: if you accept that the data you collect isn’t yours and that you are entrusted with it to look after it on behalf of your customer, your view naturally changes to recognise that the GDPR is an obvious way forward.
I’m encouraged to see a greater acceptance of the ‘Data Bible’ concept when preparing for GDPR. The idea is simple: in the absence of firm or fixed rules and regulations, or clear interpretations of guidelines, it is necessary to provide an ‘evidence pack’ showing where your organisation has tried to comply with or interpret the guidelines. The ‘Bible’ includes key components for compliance, or the interpretation of the guidelines, for each individual business. As guidelines become clearer or specific rules are established, it is then easier to update yourself. For example, recently there has been clarification on the role and responsibility of a Data Protection Officer and also on Data Protection Impact Assessments, the former being more relaxed than the original guideline and the latter a change so that a DPIA is now a reportable event, seeking approval from the ICO before the processing can take place, but is relevant to many fewer situations.
The ‘Bible’ shows you have attempted compliance and hopefully enables dispute rather than prosecution, as the explanation of your actions is clear and can only be disagreed with. A good example is how long you can reasonably hold data. In my experience the circumstances differ case by case, and the evidence for your decision can be easily seen.
Finally, the question of registration fees. Contrary to what the ICO published in 2017, which said that the new fees would be in place for April 1st, with many paying increases from £35 to £1,020 per annum, the clue was probably the date, because that is now completely different. The good news is that you can still save money if you haven’t registered, or you can renew before May 25th when the new fees do come in. According to the latest guidelines they are:
Tier 1 – micro organisations t/o < £632,000 and <10 staff = £40
Tier 2 – small and medium organisations t/o <£36m and <250 staff = £60
Tier 3 – large organisations: if you do not meet the criteria for tier 1 or tier 2, you pay the tier 3 fee of £2,900... but there is a £5 discount on all fees if you pay by DD!
by Rob Bielby, Marketing Innovation Group (MIG)
This article appears in the May/June 2018 issue of Direct Commerce Magazine.