This week, we introduce Mark Weston, partner and head of IT, IP and Commercial at Hill Dickinson LLP, who has taken on the role of one of our GDPR doctors. Responding to an enquiry a Real Business reader had on personal data, Weston sheds light on the issue.
We heard from Brian Connolly, the FD at Pinnacle Online. He said:
“I’ve been reading through some documents on preparing our company for GDPR and looking at a workshop/conference to go to. Most of it is making sense, clearly we hold personal data on our 106 staff in terms of their personnel record and payroll data.
“The bit I’m trying to get my head round is in terms of our marketing department. And I guess the key question is, ‘Is a company email address classed as personal data?’
“Is there a distinction between a company email address and a personal email address?
“So, for e.g. my work email address firstname.lastname@example.org is that classed as personal data under the GDPR regulations? I rang the ICO (Information Commissioner’s Office) about this, and they were initially hesitant and then said it is NOT personal data, it relates to a company not a person.
“We are B2B company, so I could break my question down into two sub sets:
“Potential customers (Marketing campaign to companies possibly interested in our product).
“So for existing customers are we allowed to continue to email them to keep them up-to-date with new developments, invite to a customer event, monitor customer satisfaction etc.
“Can we simply give existing customers an ‘Opt out” option to our emails ? or do they explicitly have to “Opt In”?
“Regarding ‘potential customers’, we do a marketing campaign to company email addresses to try and generate new business, so post 25 May 2018, do we have to explicitly get them to ‘opt in’ / agree to receiving emails from us before we include them in any email campaigns?”
Weston didn’t take the questions lightly, so for clarity divided his responses on personal data into two parts.
A company email address with an individual in the title is definitely personal data and is regulated by the law. So, to use your example, email@example.com is indeed personal data. The definition of personal data is any information about an “identified” or (and this is the new bit in the new legislation) “identifiable” individual.
Your email address certainly is information about Brian Connolly – if nothing else that it says that he has an email address at pinnacle-online.com! On the other hand, a general company email address such as Sales.Director@MadeUpCompany.com is not in and of itself personal data UNLESS you hold it on your database as being the email address belonging to Brian Connolly (always assuming that the holder of that email address changes and you have no way of working out at any one time who it belongs to).
The purpose of the new principle that personal data is also information relating to an identifiable individual (even if you do not know who they are) is to cover the fact that, for example, people carry phones, which each have a unique ID.
An advertiser might know that the owner of that phone likes to shop at Next, uses Hill Dickinson as a law firm and lives in London SE2 – but not know who that individual actually is. Well that phone ID is still personal data because that advertiser could target ads to that individual so they are identifiable!
I am not sure why the ICO gave you the answer you did; but whoever you spoke to was wrong.
Turning to your second key question, let’s assume that by “existing customers” and “potential customers” you mean businesses. This is probably a fair assumption as you say you are a B2B business.
If you are emailing a business and not using personal data to do it then actually personal data protection law (whether the existing Data Protection Act 1998 or the forthcoming GDPR) does not apply.
You would however need to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) – which say that you need consent for any marketing emails. Consent has a rather weak definition at the moment, so opt-outs would be ok under the current law.
However, we are expecting the definition of consent to be upgraded before 25 May 2018 to be in line with the definition of consent in the GDPR i.e. it will have to specific, unambiguous, informed consent, on an opt-in basis – and it will have to be as easy to withdraw consent as to have given it.
However, there is (at the moment, at least) another saving grace in Article 22 of PECR. You are also allowed to email for marketing purposes if the followingthree things are all true (the “3 prong basis”) where: (a) you have obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; and (b) the direct marketing is in respect of your similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication i.e. an opt-out notice in each email.
If on the other hand, you are emailing a business and you are using personal data to email either existing customers or potential customers, then if it’s a marketing email, you would still need to comply with the PECR and so would need to comply with all of the above but in addition you will need to comply with personal data protection law (the Data Protection Act 1998 at the moment and GDPR after 25 May 2018).
I must say that your three examples of “keep[ing]them up-to-date with new developments, invit[ing]to a customer event, monitor[ing]customer satisfaction” all sound to me like marketing emails.
So, what does personal data protection law say? If you are emailing a business and you are using personal data to email either existing customers or potential customers, then whether a marketing email or not, you must select one of six possible “bases of processing” in order to legally process that data (which includes emailing, holding, storing, hosting, reading etc.).
This is a requirement of the GDPR. These six bases are listed in Article 6 of the GDPR. The first basis is that you have the consent of the individual. This means consent on the new basis detailed above. But you don’t have to choose consent as your basis.
The second possible basis is that you are processing because it is necessary for you to undertake work under a contract with your existing customer or, for a potential customer, you are taking steps at the request of that potential customer to enter into a contract with them.
So, for non-marketing emails, you could email them without any consent, opt-in or opt-outs because you are processing on the basis of a contract (the second basis), not on the basis of consent (the first basis).
There are other bases – such as you are processing personal data because it in the vital interests of the data subject – or if all else fails, you could use the final basis: that it is in your legitimate interests to email the individual, provided their interests don’t outweigh yours.
In plain English, this means if they complain you are emailing them using that basis of processing, then the regulator will weigh up your interests in mailing the individual against the individual’s interests in being emailed and work out whether you broke the law or not. In plain English, if the individual is surprised to have been contacted by you for the purpose you contacted them then you probably broke the law on this if you emailed them on the sixth possible basis of processing.
So, for existing customers, you ask if you are allowed to continue to email them to keep them up-to-date with new developments, invite to a customer event, monitor customer satisfaction etc.
The answer is that, assuming PECR is updated (as everyone expects it will be) to have the same meaning of consent as in the GDPR, then you will need consent on the new opt-in stricter basis under PECR because these sound like marketing emails. If you don’t have consent this already on the new stricter basis, you will need to get consent on that new basis.
You will always need to give them right to withdraw that consent once given on an opt-on basis, so you will need to give them a clear and easily accessible right to opt out at any time. (You will probably still have the three-prong basis available too – but we are waiting to see if this is changed or not.)
Regarding “potential customers”, for your marketing campaign to company email addresses to try and generate new business, you ask if POST 25TH MAY 2018 you explicitly have to get them to “opt in” / agree to receiving emails from you BEFORE you include them in any email campaigns.
Assuming the email addresses you use are personal data (see the answer to question one), then the answer would appear to be yes (under PECR) if they are marketing emails unless the three-prong basis applies.
If the email addresses are personal data (see the answer to question one above) then you would also need one of the six bases of processing – which might be the first (consent on the new stricter basis) or you may go for number six and take a business view that your legitimate interests in marketing outweigh the interests of the individual in receiving your emails.
So, don’t spam them and don’t send too many – and make sure your content is professional and relevant!
If you have burning GDPR questions that you’d like answered, please send them to Zen.Terrelonge@realbusiness.co.uk and we’ll get these answered for you.
Mark Weston is the partner and head of IT, IP and Commercial at Hill Dickinson LLP, an international law firm with more than 1,000 employees.