The Data Protection and Digital Information (DPDI) Bill is a new bill intended to replace the General Data Protection Regulation (UK GDPR) in the UK.
It promises to give organisations more confidence in managing data protection in order to promote themselves. What might this mean in practice if it passes?
In the UK, direct marketing and fundraising are governed by a number of laws and codes including:
- UK GDPR;
- Privacy and Electronic Communications Regulation (PECR);
- UK Code of Non-Broadcast Advertising and Direct and Promotional Marketing (CAP Code); and
- Code of Fundraising Practice.
There are also other voluntary codes such as the DMA Code.
The GDPR requires organisations to identify a lawful basis for all data processing activities. There are six bases, of which two typically apply to marketing and fundraising: legitimate interests and consent.
Under the UK GDPR, ‘processing that is necessary for the purposes of direct marketing’ is listed as a legitimate interest in Recital 47. PECR and the CAP Code set out certain kinds of direct marketing that must only be carried out on the basis of consent.
At the moment, data protection law requires a legitimate interest assessment or ‘balancing test’ for almost all types of processing based on legitimate interests, to establish whether the processing is necessary and proportionate. Where consent is used, organisations must collect explicit consent shown by a clear and specific action. They must also keep records showing how and when that consent was given and what the individual was told at the time.
In practice, many marketers have been put off carrying out any marketing on the basis of legitimate interests. The Data and Marketing Association (DMA) estimates that £250m of spend on direct marketing by post has been lost because marketers don’t have the confidence to use this channel without consent. The Advertising Association says that £1 of advertising spend equates to £6 of gross domestic product (GDP – a measure of the size of the economy) – so if that direct postal marketing had been carried out, UK GDP could have been £1.5bn higher.
The DPDI doesn’t change what is legal today, but it does reduce the paperwork required for a legitimate interest-based marketing campaign and makes it clearer that some kinds of marketing can be carried out without consent. Under the new DPDI, it will only be necessary to show that processing for direct marketing is ‘necessary’ and organisations will no longer need to carry out balancing tests.
How could this change the way organisations approach marketing?
There are specific rules for electronic marketing that will not be affected by DPDI. These rules are set out in PECR and the CAP Code.
Consent is mandatory – and will still be needed:
- For all email, SMS, targeted online advertising, and social media direct marketing except:
  - Where contact details have been obtained during or in negotiations for a sale
  - Where the promotion relates to products and services that are similar to the product or service that was being sold when the contact details were collected.

  In this case, the marketer must give the consumer the option to opt out of marketing when they collect the contact details and in every subsequent marketing communication.
- For processing special category data for direct marketing, for example data about health or political opinions
- For processing personal data relating to children for direct marketing
- For non-live automated telephone marketing calls.
Legitimate interests could be available for the following:
- Live telephone marketing calls, except:
  - Where the individual has opted out
  - Where the individual has registered with a preference service such as the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS)
  - Calls relating to claims management services
  - Calls relating to pension schemes, except in certain circumstances
- Direct marketing by post
DPDI will also relax the data protection rules for fundraisers by allowing them to think about donations in the same way that commercial organisations think about sales. So, they will be able to send email marketing to previous donors if the email relates to a similar fundraising activity to the one the individual originally donated to.
It’s worth noting that DPDI will also increase the fines for breaking PECR rules to bring them in line with the fines for other data protection offences. The maximum fine will increase from £500,000 to £17.5m or 4% of global groupwide turnover, whichever is higher.
What can marketers do now?
Marketers can start using legitimate interests for these kinds of marketing today; they don’t need to wait for the DPDI Bill to pass. Fundraisers do need to wait for the bill to pass before treating previous donors like previous customers, though. Customers are used to these forms of marketing. If the rules are respected, individuals are given an opportunity to opt out, and live calling lists are checked against TPS and CTPS, the response is likely to be positive overall.