MacSweeney & Company Solicitors Galway

  • 1

How Does GDPR Affect Your Mailing List?

Social media icons

The General Data Protection Regulation (“GDPR”) comes into effect on 25th May 2018 and an important issue facing businesses is whether it will be lawful to continue to use their existing mailing list for the purposes of direct marketing.

In general terms, consent is one of six lawful bases to process personal data under the GDPR. For consent to be valid, it must be freely given, specific, informed, and unambiguous in how it is provided by the relevant person. Also, the individual should be informed of the right to withdraw consent at any time.

The position is that if current practices are in line with GDPR, then a refresh of all existing consents is not required. Whilst the theory of this is great, the practical reality is not so great for businesses.

If current practices are not GDPR compliant, which often they may not be, controllers will have to obtain updated consent and implement new GDPR compliant processes. For example, if your current direct marketing list was compiled over the years and on an “opt out” basis, i.e. the person was required to “opt out” in order not to receive your marketing material, then this is not sufficient consent under the new GDPR regime. That will necessitate fresh consent, which will in turn require that all persons are contacted and asked to specifically “opt in” to continue to receive marketing material. That is where the challenge lies for many businesses.

There is an argument that businesses can use another basis for using personal data in direct marketing campaigns, that is the “legitimate interests” of the business. Paragraph 47 of the GDPR states that the processing of personal data for direct marketing purposes “may be regarded as carried out for a legitimate interest”. That being said, using the “legitimate interests” of a controller for direct marketing could be open to challenge. For example, it is not clear that a controller could justifiably claim that its legitimate interests are to repeatedly contact persons with special offers and so forth. If an issue arises, the exact content of the direct marketing may be scrutinised, to ascertain if it fulfilled the legitimate interests of the controller.

As a result, we have already seen a significant number of businesses contacting all persons on their direct marketing lists and asking them to consent to the continued use of their data. This should be done in advance of 25th May 2018 when the GDPR comes into force.

Businesses should establish with legal advisors now that they have in place the correct legal basis for every processing activity and full legal advice should be sought in all cases.

  • 1