Tuesday, 21 Aug 2018 15:32 GMT

GDPR legal ‘loophole’ for print industry

The introduction of General Data Protection Regulation (GDPR) may not be the nightmare many believe it is, according to a direct marketing firm in London.

Romax says that, on the thorny issue of using existing customer personal email addresses in a data bank, the addresses may not have to be deleted and reassembled by asking each and every customer for permission. Romax notes that the Information Commissioner’s Office (ICO) says you don’t necessarily need consent. They comment: “You won’t need consent for postal marketing if it’s aimed at existing or past customers, or people who have previously shown an interest. This is because you may have a lawful basis under ‘legitimate interest’.”

The marketing company sent out information about the ICO’s guidance on GDPR to help the printing industry understand what can and cannot be done with lists of emails and data files after the new rules came into play this year. They picked out a loophole which they believe allows firms to assume some existing personal data is legitimate.

They say: “As a lawful basis, legitimate interest has no strict definition and is therefore quite flexible. Essentially it boils down to whether there is any negative impact on a person’s privacy and/or wellbeing. If you can reasonably say that the recipient wouldn’t be surprised or annoyed by communications from you, and indeed they might find it beneficial and it won’t lead them into harmful situations, then you may have a case for legitimate interest.

“You just need to make sure the recipients can opt out, to respect their right to object. In addition to this, you won’t need to gain consent if the print material is part of the service you provide i.e. what the recipient expects from you. For example, if you’re running a membership programme that sends out seasonal catalogues, you won’t need to regain consent because this is part of what the members signed up for. In fact, if you send out consent requests to all your members or mailing lists, you could be causing a nuisance.”

The ICO explains on its website the various changes to data protection, along with the most recent GDPR updates. Its guiding principles help firms to use common sense when compiling or amending their personal data files. The ICO’s seven key principles are: Lawfulness, fairness and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality (security); Accountability.

There has been considerable confusion in some quarters over GDPR and its implementation, with some firms setting themselves up as experts and charging clients for a job they can do themselves. For instance, in Cornwall, the Duchy Hospital was reported to have taken ‘some additional compliance checks with third-party companies currently based outside the EU’, which resulted in them cancelling a number of scans at short notice over so-called data protection issues.

What do you think? Email your views to Harry - Harry@linkpublishing.co.uk or call me on 0117 9805 040. Or react to the story on Twitter and have your say.