At the risk of sounding like a scratched record, the General Data Protection Regulation (GDPR) came into force on 25th May 2018. Its aim is to harmonise data protection laws across Europe and give citizens better control of their personal data, as well as imposing stringent rules on those who host and process this data anywhere in the world. The key principles are the rights of data subjects (that’s you), security of personal data, lawfulness and consent, and accountability of compliance.
There’s been no shortage of information about how GDPR will now affect companies with online databases, and the need for consent for telephone calls, emails and texts, for example, but what about postal marketing? How is that affected? Or is it affected at all?
Unravelling legitimate interest
The Information Commissioner’s Office (ICO) explanatory material states: “Processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest,” which could be read as, ‘carry on as before.’ So where does this ‘legitimate interest’ apply?
In a nutshell, legitimate interest is defined as the use of people’s data in ways they might reasonably expect, which will have minimal impact on their privacy. It involves a balancing act between the business interests of the organisation and the rights and freedoms of the individual. It’s important for you as a company to identify and document why you are processing personal data based on your legitimate interests, so that in the future you can show it was carried out fairly and lawfully.
Compliance with the legislation for processing data for direct marketing still doesn’t necessarily mean that you’re free to send out material by post with no restrictions. In most cases, this requires you to:
Collect, store, process and share the personal data required for the mailing (names, addresses) within GDPR legislation
But what if obtaining consent isn’t possible or practical? Where do you stand then? This is where legitimate interest could come in and it’s particularly relevant to charities (but not exclusively). What if a charity wants to send out a mailshot to existing supporters informing them of upcoming events or updating them about successful projects? Here, it can reasonably be claimed that it’s in the interest of the recipients to receive the information and it doesn’t compromise their data privacy either.
As the ICO states, in answer to a recent question about mailing on behalf of charities without consent (and, again, note that it will apply more generally too), “You can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”
So, good news for the print and direct marketing sectors!
We all know how effective direct mail can be. You can continue with your direct mailing initiatives without panicking about consent, as long as your data processing meets the GDPR requirements and you can demonstrate the potential benefits to the end consumer.
We’re here to help with any direct mailing queries. Please contact us on 01825 983033 or email us at