It is now quite common to receive promotional text messages, emails and even phone calls. We often ask ourselves, “Why am I getting these messages?” As all of the provisions of the Data Protection Act (“DPA”) come into force towards the end of this year, it is safe to say the days of direct marketing in this way are numbered.
DIRECT MARKETING AND THE DPA
In the DPA “direct marketing” is defined as any means used to approach a data subject for the indirect or direct purpose of promoting or offering to supply, in the ordinary course of business, any goods or services, or requesting a donation of any kind for any reason. The approach may be in person, electronically or otherwise.
The DPA prohibits a data controller from processing the personal data of a data subject for the purpose of direct marketing unless the data subject is the customer of the data controller or they have provided consent to receive it.
Where the data is being processed for direct marketing pursuant to a customer relationship, the data controller may only do so where:
- the data controller has obtained the data in the context of the sale of any goods or services to that data subject;
- it is for the direct marketing of the data controller’s own similar goods or services; and
- the data subject has been given reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to the use of their personal data for direct marketing at the time the personal data was collected and on the occasion of each communication with the data subject for the purpose of direct marketing if the data subject has not previously refused such use.
A data controller must also ensure that all communication to a data subject contains the details of the identity of the sender or the person on whose behalf the communication has been sent, and an address or other contact details to which the recipient may send a request that such communication cease.
DIRECT MARKETING IN PRACTICE: CUSTOMER VS CONSENT
Data controllers with existing customer databases that intend to rely on these databases for direct marketing should assess whether there is still a relevant and appropriate customer relationship between themselves and the data subject. This review will also be useful for compliance with data protection principles such as ensuring the processing of data is directly relevant and necessary to accomplish the specified purpose, and the data is being retained only for as long as is necessary to fulfil that purpose.
Where the data subject’s consent is sought for direct marketing, this may only be requested once and must be done in the prescribed form and manner. It is expected that the prescribed forms and manner will be published in the Regulations to the DPA.
For consent to be validly given, it must be informed and freely given. For consent to be considered “informed”, at the relevant time, the data subject must be informed about how the personal data will be processed, including the purpose for which the data will be used and the class of persons to whom the personal data may be transferred. Consent will not be freely given if the provision of any goods or services to the data subject is conditional on their consent to the collection, use or disclosure of the data subject’s personal data beyond what is reasonable for the provision of those goods or services. Where consent is given to receive direct marketing messages, it may be withdrawn at any time.
Data controllers must also ensure direct marketing complies with other principles set out in the DPA including:
- data is processed fairly and lawfully;
- data is processed for one or more specified purposes and any further purpose must be consistent with the original purpose(s); and
- data must be accurate and where necessary kept up to date.
WHAT DOES THIS MEAN FOR COMPANIES AND MARKETERS?
Direct marketing can be done in-house, outsourced or a combination of both. Where direct marketing is outsourced, it is important that a data controller clarifies the third party’s role in the processing of the data. Where the third party is deemed a data processor, additional considerations arise, including the third party’s provision to the data controller of sufficient guarantees in respect of technical and organisational security measures. Data controllers must keep in mind that they may not ‘outsource’ their obligations under the DPA and are responsible for the actions of the data processor and any consequences of same.
The provisions of the DPA will result in a significant shift in direct marketing and companies and marketers must adjust accordingly. The challenge lies in striking a balance between meeting customers’ needs and expectations and the data controller’s commercial objectives and compliance with the DPA. Preparation for this shift is key and consulting with an attorney-at-law for advice on the dos and don’ts for your organization is the first step!
Joanna Marzouca is an Associate at Myers, Fletcher and Gordon. He may be contacted at Joanna.email@example.com or through the firm’s website www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.