By the press of a button, organizations have direct contact with just about anyone to tell them about the latest sales promotion, upcoming event or offer. But have you ever wondered, how you get these messages if you didn’t sign up for them? The implementation of the Data Protection Act (“DPA”) is sure to change the ways of direct marketing and impact everyone, including marketing agencies.
What is Direct Marketing?
In its current form, the DPA defines ‘direct marketing’ as “a means to approach a data subject in person or by any means of communication (whether electronic or otherwise) for the indirect or direct purpose of promoting or offering to supply, in the ordinary course of business, any goods or services or requesting a donation of any kind for any reason.”
This covers communication in the ordinary course of business, it would likely not cover one off instances of communication but would however certainly cover many of the multiple text messages and emails that we often receive promoting the latest product, sale or giveaway of the month.
Direct Marketing and the DPA
The DPA prohibits a data controller from processing the personal data of a data subject for the purpose of direct marketing unless the data subject consents to same or is the customer of the data controller.
Where the data subject is a customer of the data controller, the data controller may only process personal data of the data subject where:
- the data has been obtained in the context of the sale of any goods or services;
- for the purpose of direct marketing of the data controller’s own similar goods or services;and
- if the data subject has been given reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of that data subject’s personal data. The opportunity to object must be given:
- at the time the personal data was collected; and
- on the occasion of each communication with the data subject for the purpose of direct marketing if the data subject has not refused such use.
Consent may only be sought by a data controller from the data subject once. This is likely intended to avoid any badgering of the data subject for consent. This request for consent must be done in the prescribed form and manner. We have not yet seen the prescribed form; however, we expect it to be included in the Regulations that follow.
When ‘direct marketing’ data controllers must also ensure that all communication to a data subject contains the details of the identity of the sender or the person on whose behalf the communication has been sent and an address or other contact details to which the recipient may send a request that such communication cease.
Marketers should also note that even after a data subject has consented to said direct marketing, the DPA allows them a right to prevent processing. While there is no specified penalty for a breach of the provision in relation to direct marketing, the DPA contains a ‘catch all’ provision which captures any offence committed under the DPA.
Who Are The Data Controller And Data Subject?
The DPA defines a data controller as ‘any person or public authority who, either jointly or in common with other persons determines the purposes for which and the manner in which any personal data are or are to be, processed. Where personal data ais processed only for the purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment’ will be the data controller. The definition appears to be intentionally extensive to catch a variety of persons involved in the processing of personal data.
Data subject is defined by the DPA as ‘a named or otherwise identifiable individual who is the subject of personal data’. In determining whether an individual is identifiable, account shall be taken of all means used or reasonably likely to be used by the data controller or any other person to identify the individual. These may include a reference to an identification number or other identifying characteristics (whether physical, social, or otherwise) which are reasonably likely to lead to the identification of the individual.’ This definition is also broadly defined with the focus however being on the ‘identification of the individual’.
What Is Meant By the Processing of Personal Data?
The term processing is a very wide concept under the DPA. It is defined as the obtaining, recording, or storing information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data. It includes the following:
- organisation, adaptation, or alteration of information or data;
- retrieving, consulting, or using information or data;
- disclosing information or data by transmitting, disseminating, or otherwise making it available; or
- aligning, combining, blocking, erasing, or destroying information or data, or rendering data anonymous.
A data controller who therefore takes part in any of these operations for the purpose of direct marketing, must do so in accordance with the provisions of the DPA.
What Does This Mean For Marketers?
Given the vast amounts of personal data collected and used to facilitate direct marketing, directly or indirectly, it is expected that marketers and organizations that facilitate direct marketing are sure to be affected by the DPA.
As we await the enactment date of the DPA and the relevant Regulations, affected persons, marketers and organizations who facilitate direct marketing should adjust their operations and how they plan reach their target audience.
Joanna Marzouca is an associate at Myers, Fletcher & Gordon, and is a member of the firm’s Commercial Department. Joanna may be contacted via firstname.lastname@example.org or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.