Nearly all companies use some form of direct marketing to generate leads and grow their business.
Profiling prospects can make targeting those who are most likely to buy your products or services easier and your direct marketing effort more effective.
The Information Commissioners Office (ICO) does not want privacy legislation becoming a barrier to effective direct marketing: “The laws are there to ensure you think about your customers privacy”.
The ICO is clear that when you collect customer data for direct marketing purposes:
- you must tell people that you want to use their information;
- you must be clear about what you want to do with their information;
- your privacy policies and procedures must be easy to understand and easily accessible.
You may already have information about people who buy from you or support your cause for non-commercial organisations. Being transparent with those we have an existing relationship with is clearly important.
We have talked in earlier blogs about the privacy information that you need to provide to data subjects when you collect their personal data. If they place an order with you for instance, their ‘right to be informed’ means that you have to provide additional privacy information if you plan to use their data for other purposes, away from the original lawful purpose, with direct marketing being an often cited example.
The other way you may obtain personal information about people is from data houses who sell lists of contact details. It is vital to obtain proof that the personal data sets you are buying from these data houses are UK GDPR compliant. For example has the data subject consented to their information being transferred to a third party for direct marketing purposes?
Remembering that the data subject (the prospect on the bought-in list) can submit a Subject Access Request (SAR) at any time to ascertain why their personal data is being processed it is important in the eyes of the ICO that the following must be readily available to the data subject:
- the categories of personal data you hold (e.g., contact details, interests);
- the source of their personal data (e.g., the particular organisation you acquired it from);
- their right to withdraw consent at any time (the right to object).
Collecting personal data from publicly available sources, such as the electoral role, social media or newspaper articles does not mean it is ‘fair game’ for direct marketing activity.
You need to consider whether your direct marketing activities will be expected or unexpected by the data subject? An often cited example is a data subject’s social media page (e.g. LinkedIn) that has not been made ‘private’. They will have signed up to the social media platform, LinkedIn in this example, as they may have been seeking a large audience for their social media content. They would not have signed up to have been a target for wide scale direct marketing by others!
In short CSRB agrees with the ICO about direct marketing activity – just be honest, transparent and up front about what personal data you wish to collect, why you wish to collect it, what you will do with that personal data and how you will safeguard that personal data.