With the General Data Protection Regulation coming into full effect on the 25th of May this year, your business should already be in tip-top shape and should be meeting the responsibilities the GDPR places on you.
To be GDPR compliant, your company must identify which of the six legal bases for processing data you are using. The six lawful bases for processing data are as follows:
(a) Consent of the data subject;
(b) Processing is necessary for the performance of a contract with the data subject, or to take steps to enter into a contract;
(c) Processing is necessary for compliance with a legal obligation;
(d) Processing is necessary to protect the vital interests of a data subject or another person;
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
(f) Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Failure to have the necessary legal ground to process an individual’s data could result in legal action.
The ICO (Information Commissioner’s Office) issued an assessment to help you decide if your business really needs to process data and if you are actually able to. The assessment is broken down into a three-part test:
Purpose test: are you pursuing legitimate interests?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the legitimate interests?
This assessment ensures that only data you definitely need is processed, and that the use for that data is completely legitimate.
For direct mail marketing, you will not actually need initial consent from consumers to advertise to them. However, they still of course have the option to opt out if they no longer wish to receive your advertisements or no longer wish for their information to be used for direct marketing. When advertising to them, you must check how consumers wish to be contacted, always give them the opportunity to opt out, and make it easy for them to do so. You must also ask for their permission to share their information with other companies.
Before the 25th of May hits, please ensure you are fully adhering to these new regulations set by the ICO. Ensure all your customers know exactly how and why their data is being processed and that they can opt out at any point. By studying the GDPR and following it very carefully, you can ensure your business can still thrive and can avoid any legal action with regard to data protection.