Data Sharing Checklist

June 2024

Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but does place on us a requirement to do so lawfully, transparently and in line with other key data protection principles.

Organisations often need to share personal data with other parties. This could be reciprocal, one-way, a regular activity, ad-hoc or a one off.

Quick Data Sharing Checklist

Here’s a quick list of questions to get you started on how to share personal data compliantly.

(The focus here is on sharing data with other controllers. There are separate considerations when sharing data with processors, such as suppliers and service providers).

1. Is it necessary?

It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment?

Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data it might be a good idea to conduct one anyway. Quick DPIA Guide.

3. Do people know their data is being shared?

Transparency is key, so it’s important to make sure sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way?

4. Is it lawful?

To be lawful we need a lawful basis and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent is this specific, informed and an unambiguous indication of the person’s wishes. If we’re relying on legitimate interests, have we balanced our interests with those of the people whose data we’re sharing? Quick guide to lawful bases.

5. Can we reduce the amount of data being shared?

Check what data the other organisation actually needs, you may not need to share a whole dataset, a sub-set may suffice.

6. Is it secure?

Agree appropriate security measures to protect the personal data, both when it’s share and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access, have access?

7. Can people still exercise their privacy rights?

Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long with the personal data be kept for?

Consider if it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas?

If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement?

UK GDPR does not specify a legal requirement to have a agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’ as and agreement can set out what happens to the data at each stage, and agreed standards, roles and responsibilities. ICO Data Sharing Agreement guidance.

Other data sharing considerations 

Are we planning to share children’s data?

Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under 18s. This is likely to be a clear case of conduct a DPIA!

Is the other organisation using data for a ‘compatible purpose’?

Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department of Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition?

If data is being shared as part of a merger or acquisition, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation?

We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full useful information about how the Regulator would expect organisations to approach this.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO direct marketing guidance for email and other electronic mail

October 2022

The rules and regulatory expectations spelt out

The ICO has published guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more.

The guidance specifically focuses on direct marketing by electronic mail to individuals (‘individual subscribers’). The term ‘electronic mail’ covers email, text, picture, video, voicemail, and in-app messages, as well as sending people direct private messages via social media.

The rules for sending direct marketing by electronic mail are covered by the UK’s Privacy and Electronic Communications Regulations (PECR). We’re also reminded to comply with UK GDPR if we’re handling personal data.

This summary covers the core rules under PECR, as set out in the guidance, picks up on specific areas where the ICO has clarified its position and includes an occasional soupçon from me.

Where italics are used, this is text lifted from the guidance itself – so the regulator’s words not mine.

A. Core direct marketing rules and definitions

Options for electronic direct marketing messages

PECR says you can only send direct marketing by electronic mail if:

  • You have consent; or
  • you can meet all of the requirements of the ‘soft opt-in’.

I’d just stress, this means the consent of the individuals the message is target to.

Importantly it’s made clear these rules only apply to what are termed ‘individual subscribers’. It says, you can send electronic mail marketing to a corporate subscriber without needing to comply with the above requirements.

The following definitions are given:

  • Corporate subscribers are corporate bodies with separate legal status (eg companies, limited liability partnerships, Scottish partnerships).
  • Individual subscribers are people but also include some types of businesses (eg sole traders and some types of partnerships).

Another way to put this is individual subscribers are people who’ve signed up to the email service provider themselves.

I’d also just add, where you don’t have consent for business-to-business marketing – marketing to corporate subscribers – you’d be relying on Legitimate Interests under UK GDPR. Legitimate Interests is subject to a balancing test, so it’s wise to conduct a written assessment (Legitimate Interests Assessment).

What constitutes direct marketing?

The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR too.

It’s a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.

This latest guidance says; The definition doesn’t cover online advertising (eg advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (eg advertising messages shown on news feeds). This is even when organisations target these advertisements to a particular user of the site or platform.”

We’d point out targeted online advertising would fall under PECR rules where your using cookies and similar technologies.

For more information see: What is direct marketing?

Service messages

Messages sent for purely administrative or necessary customer service purposes are not considered direct marketing. However, if such messages include any promotional content, they’ll be considered direct marketing.

The ICO regularly issues fines where organisations have intentionally, or unintentionally, disguised marketing messages as service ones. An area I’ve written about before; Another ICO fine for a ‘service’ email deemed to be marketing.

Organisations have even been fined for sending messages asking people (who haven’t given permission or who’ve opted out) to confirm their marketing preferences. This in itself is judged to be direct marketing.

Solicited messages

If a customer specifically asks for information about your products and services, responding with the information requested will be considered a solicited message and won’t fall under the definition of direct marketing.

B. What constitutes valid consent?

There are specific requirements which the ICO says must be met for consent to be valid.

  • you must give people a free choice to consent so that they can refuse without detriment and you must keep the consent separate from other things, such as terms and conditions (‘freely given’);
  • you must make it clear that the consent covers your electronic mail marketing messages and you must give your name in the consent request (‘specific and informed’);
  • you must have no doubt that they are consenting to your electronic mail marketing messages (unambiguous indication); and
  • they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as an indicator of consent (clear affirmative action).

You should keep a record of the consent (e.g. who, when, how) so that you can demonstrate that it is valid. People can also withdraw consent and you must make it easy for people to do this.

For more information see: How do we use consent?

At DPN we’d recommend any permission statement also includes a clear link to your privacy notice. This is so you can be confident you meet UK GDPR requirements to provide privacy information when personal data is collected.

C. Using the soft opt-in

The guidance reiterates all of the following conditions must be met to compliantly rely on this exemption to consent.

  • You want to send marketing by electronic mail to individual subscribers (includes sole traders and some types of partnerships).
  • You collected their contact details directly from them
  • You collected their details during a sale, or negotiations for a sale, or your products and services
  • You want to use their details to send them marketing about your similar products and services
  • You gave them a clear, simple way to opt-out, or say no to your marketing, when you collected their details
  • You give them a clear, simple way to opt-out, or change their mind about your marketing, in each message you send.

Just to be very clear on the fifth point, you must tell people you want to send them marketing, and give them the ability to say no.

What constitutes a ‘sale’?

Currently, the soft opt-in under PECR specifically uses the word “sale” and refers to “products and services”. The ICO says this means the soft opt-in doesn’t apply to details collected where there’s no sale (or such a negotiation), or where there are no products or services involved.

For “negotiations for a sale” to be triggered the ICO says the customer must actively express an interest in buying your products or services. Examples given include:

  • A request for a quote
  • Specifically asking for more details about what you offer
  • Signing up for a free trial

The ICO says: The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.

What about other companies in the same group?

The ICO considers use of the soft opt-in to be only available to the same entity or single organisation that originally collected the contact details. It says this means it won’t apply to other companies within the same group as the collecting organisation.

Charities and the soft opt-in

The way it’s worded in PECR means the soft opt-in only currently applies to commercial marketing of products and services. The ICO says this does not apply to the promotion of aims and ideals, for example campaigning or fundraising.

However, it could potentially apply to any commercial services or products offered. For example, if a charity has an online shop, they could use the soft opt-in to send direct marketing emails about the shop’s products, assuming all other conditions are met. In other words, the marketing could only be about products, not fundraising.

Under UK Government plans to reform data protection law and PECR it’s been proposed the soft opt-in should be extended to cover charities and political campaigning. (At time of writing, with the current political turmoil, the future direction of the Data Protection and Digital Information Bill is not known).

For more information see: How do we use soft opt-in?

An important point to highlight here, if you’re using the soft opt-in, you’ll be relying on Legitimate Interests as your lawful basis to process personal data for this activity under UK GDPR. This would therefore be subject to a balancing test – a Legitimate Interests Assessment. This is covered in the guidance under: What else do we need to consider?

D. Hosted email campaigns

The guidance doesn’t use the term ‘hosted’ email campaigns, but mentions how both the sender and the instigator of direct marketing by electronic mail will be responsible for complying with PECR.

It says you’re likely to be instigating if you; encourage, incite, incentivise or ask someone else to send electronic mail containing your direct marketing message.

We can take from this that if you ask another company to send your marketing messages to their customers, or you send a third-party’s marketing to your customers, the rules under PECR will apply.

The ICO doesn’t spell it out, but it’s clear it would not be possible to meet the conditions of the soft- in, and therefore consent would be required.

For more information see: Who is responsible?

It’s not unusual for companies to include an element of third-party marketing within their email campaigns, where this is perhaps not the main purpose. For example a travel company might include details of hire car companies within its own marketing messages.

The ICO has previously issued a fine to the Brexit Leave Campaign for including a promotion for an insurance company. In this case the promotion was totally unrelated to the content people might have expected to receive.

Where third-party content is incidental and relevant to the product or service, people are less likely to complain. Some companies may choose to take a risk-based approach here, balancing their commercial imperatives with the arguably lower likelihood of regulator enforcement action. A stand-alone message about a third party’s products and services would carry greater risks.

We’d stress here we do not know what stance the ICO would take should a complaint arise about a campaign which included some relevant and useful content promoting a third party.

E. Using bought-in lists

The message is clear – in order to use bought-in lists for electronic mail marketing to individual subscribers, the ICO says people must have given their consent to receive such marketing from your organisation. The ICO’s separate consent guidance states; Name any third party controllers who will rely on the consent.

For more information see: Can we use bought-in lists?

F. Viral marketing and refer-a-friend

The ICO says you must comply with the PECR rules if you engage in viral marketing, ‘refer a friend’ or ‘tell a friend campaigns. It’s stated: This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.

For the Regulator to consider you the ‘instigator’, just encouraging someone to send or forward the message is enough.

Essentially the ICO says encouraging customers to forward your emails or texts is a non-starter. You don’t have consent from the recipients, and you can’t rely on the soft opt-in.

However, the ICO says you can take steps to avoid being an instigator, such as:

  • Don’t create pre-populated emails for marketing which customers can send their friends and family
  • Avoid actively encouraging customers to forward on an email or text. (If they do it without being encouraged to, the PECR rules wouldn’t apply).

An example is given of a customer logging into their account which includes information about a rewards scheme for friends and family. This explains, if friends or family input the customer’s unique code when signing up to the company’s services, the customer will get a discount on their bill. The ICO says this approach would be okay.

The guidance doesn’t cover viral marketing via social media. We’re presuming the rules would only apply if you sent this as a private message encouraging people to forward it, as opposed to posting something let’s say on a forum.

For more information see: Can we ask people to send our electronic mail marketing?

G. Using publicly available contact details

The ICO says it’s unlikely you can use contact details sourced indirectly from social media accounts, websites or other online or offline sources for electronic marketing. The reason being you can’t comply with PECR as you won’t have their consent and can’t rely on the soft opt-in.

The guidance makes it clear, an exception would be where this is business contact details, where the requirement for consent or soft opt-in doesn’t apply. (We take this to mean ‘corporate subscribers’).

For more information see: Can we use publicly available contact details to send marketing by electronic mail?

The above is a summary of the guidance and we’d encourage you to read the full guidance, or at least any areas specifically relevant to your organisation. In saying this, I’d recommend not taking aspects of the guidance in isolation. If you’re relying on consent, read the ICO’s consent guidance. If you are relying on soft opt-in read guidance on legitimate interests.

I’d also highly recommend making sure you have tailored marketing guidance (or a policy) for employees (and/or your marketing agency). Training for specific teams is also likely to improve awareness and knowledge. A great way to prevent unnecessary mistakes.

Relevant teams should understand the rules and your internal approach. It’s clear in recent PECR fines the ICO sometimes discovers there is insufficient guidance given to staff.

Alongside this guidance on electronic marketing mail, the ICO has also published guidance on live telemarketing.

I think we can take from these specific pieces of guidance the Direct Marketing Code of Practice has been pushed further into the long grass. The draft consultation published back in 2020 is clearly on the backburner, perhaps until there’s a clearer picture of what is, or isn’t happening, with UK data reform?

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data. 

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly taking effect on 27th June 2021. 

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular meaning that they can accommodate different scenarios, where you can pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June the UK’s adequacy decision was adopted.  On September 27th 2021, the prior version of the SCCs expired. 

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist. 

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCCs arrangements in UK law thus re-instating the means by which we can lawfully export data to places such as the US. 

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences to the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval“.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do.  Good sense has prevailed. 

 

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company who is planning to launch their new targeting solutions for the post-third-party cookie world. 

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both Competition and Marketing Authority (CMA) and ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive. 

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO has started its investigations in 2019, the market has continued to develop new ways of targeting advertising that does not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking which has been welcomed by ICO. Some examples include: 

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software.  A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for ensuring that privacy is engineered into the design of the solutions. 

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO says most public sector messages are not direct marketing

August 2021

One of the unwelcome side effects of the pandemic has been the proliferation of bogus emails and texts trying to illegally elicit personal data from us.

I speak with my elderly mother almost daily, repeating the same lines; ‘don’t click on the link’, ‘don’t respond if someone is asking you to enter your details’, ‘hang up’, ‘delete it’, ‘you haven’t ordered a package, please ignore it’.

However, we’ve also all received other communications which I feel have been largely helpful. Messages such as pandemic update emails from our local councils, notifications about vaccines from our GPs, and text messages about the NHS app.

But would some of these be regarded as direct marketing messages? Did some contravene the rules under PECR (the Privacy and Electronic Communications Regulations)?

Possibly, perhaps in some cases definitely (under existing guidance). But does it matter? Surely, there’s an argument to say some communications may not be strictly necessary but are informative and useful, and don’t unduly impact on our privacy.

This is clearly an area the ICO felt needed addressing. The Regulator has issued new guidance, which appears to alter the long-standing interpretation of direct marketing.

What does the new guidance say?

The ICO says public sector organisations can send ‘promotional’ messages which would not be classed as direct marketing, if they are necessary for a public task or function.

This is significant. ‘Promotional’ messages have always been considered as ‘direct marketing’ before, regardless of whether they are sent by commercial companies, not-for-profits or the public sector.

It also means, in the eyes of the Regulator, such public sector ‘promotional’ emails, SMS messages and telephone calls do not fall within the scope of the UK’s Privacy and Electronic Communications Regulations (PECR).

In a blog announcing the new guidance the ICO states:

“Any sector or type of organisation is capable of engaging in direct marketing. However the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.”

Anthony Luhman, ICO Director, goes on to say:

“Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”

As said, until now any ‘promotional’ message was considered direct marketing. So this new guidance raises some questions:

  • Has the long-standing interpretation of the definition of direct marketing been changed?
  • Is this a sensible new interpretation?
  • Will this open the floodgates to us being spammed by public authorities?

What is the definition of ‘direct marketing’?

The definition is broad. Under section 122(5) of the DPA 2018 the term ‘direct marketing’ means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

A definition which also applies for PECR.

What exactly is meant by ‘advertising or marketing material’ is not clarified in the DPA 2018 or PECR, but the long-standing interpretation of this has been that it is not limited to commercial marketing and includes any material which promotes ‘aims and ideals’.

This interpretation is clear in the ICO’s Direct Marketing Guidance and more recently in the draft Direct Marketing Code, published in January 2020, which says of directly marketing;:

“It is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services. This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.”

When is a promotional public sector message not direct marketing?

In a nutshell, the new guidance states;

  • If you’re a public authority and your promotional messages are necessary for your public task or function, these messages are not direct marketing
  • If your messages by telephone, text or SMS are not direct marketing, you don’t need to comply with PECR. (But you still need to comply with UK GDPR).

The ICO is now drawing a distinction between promotional messages necessary to fulfil a public task or function, as opposed to messages from public authorities promoting services which a user pays for (such as leisure facilities) or fundraising activities. The latter would still be considered direct marketing.

The new guidance provides the following interpretation;

“In many cases public sector promotions to individuals are unlikely to count as direct marketing. This is because promotional messages that are necessary for your task or functions do not constitute direct marketing. We do not consider public functions specified by law to count as an organisation’s aims or ideals.”

This is in marked contrast to the wording of the draft Direct Marketing Code which says:

‘If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules.”

What types of messages are direct marketing and which aren’t?

The following examples are given of the types of promotional content a public authority might communicate which would NOT constitute direct marketing;

  • new public services
  • online portals
  • helplines
  • guidance resources

The ICO says promotional messages likely to be classed as direct marketing include:

  • fundraising; or
  • advertising services offered on a quasi-commercial basis or for which there is a charge (unless these are service messages as part of the service to the individual)

How do you decide if messages are necessary for public task or function?

The ICO says it accepts all public authorities will have what it describes as ‘incidental powers’ to promote their services and engage with the public.
It therefore says it is not necessary for a public authority to identify an ‘explicit statutory function’ to engage with promotional activity which is deemed ‘necessary’ for a task or function.

However, the ICO does stipulate you can’t just say a direct marketing message is no longer direct marketing because the lawful basis has been stated as public task.

Nor can you just decree a promotional message is ‘in the public interest’, this won’t automatically mean it isn’t direct marketing.

What the Regulator expects is for public authorities to identify a relevant task or function for the communication they wish to send.

There’s a risk here the ICO has not been clear enough. This could cause confusion and I suspect plenty of deliberation over which messages are or are not direct marketing.

Transparency

It’s made clear that even if you determine certain promotional messages are not direct marketing, this doesn’t mean you can ignore other basic data protection principles.

You still need to make sure people know what you are doing with their personal data, and this must be within their reasonable expectations.

In other words public authorities must make it clear to people they intend to send promotional messages which are necessary for a public task or function. Which may mean updating their privacy notices.

Right to object

People have an absolute right to object to direct marketing, but they also have a general right under data protection law to object to processing, which includes when organisations are relying on the lawful basis of public task. A right people should be made aware of.

The guidance makes it clear – if someone objects to a promotional message from a public authority, it will only be possible to continue sending messages if ‘compelling legitimate grounds’ to do so can be demonstrated.

The ICO makes the point it would be difficult to justify continuing to send unwanted promotional messages if this goes against someone’s wishes.

My advice would be to include a clear ability to opt-out on any promotional message; any message which isn’t an essential service message.

(Albeit, this could cause some configuration issues for public authorities who don’t have sophisticated systems which can distinguish between different types of messages and opt-outs).

Lawful basis for promotional non-marketing messages

The ICO points to two lawful bases under UK GDPR for sending promotional messages necessary for a public task or function, either public task or consent.

The guidance suggests just because you can rely on public task, doesn’t mean you shouldn’t consider consent, which may be considered appropriate for public trust reasons.

The ICO accepts that Public Authorities may be reluctant to rely on consent, due to a potential imbalance of power, but says it may be considered appropriate if the individual has a genuine free choice to give or refuse to consent to promotional messages.

A change in interpretation

This new guidance certainly seems to represent a marked change in the ICO’s previous interpretation of direct marketing.

It’s interesting to note the following pertinent examples which are present in the draft Direct Marketing Code (which I suspect may be altered in the final version).

Example

Scenario A
A GP sends the following text message to a patient: ‘Our records show you are due for x screening, please call the surgery on 12345678 to make an appointment.’
As this is neutrally worded and relates to the patient’s care it is not a direct marketing message but rather a service message.

Scenario B
A GP sends the following text message to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.’

This is more likely to be considered to be direct marketing because it does not relate to the patient’s specific care but rather to a general service that is available.

It seems to me Scenario B, under the new guidance could be classed as a promotional message, but NOT direct marketing.

(Personally, I would never have complained about Scenario B, it’s a helpful, informative message and hardly in the realms of the untargeted nuisance spam).

The draft Code goes on to confirm the following would be direct marketing;

  • a GP sending text messages to patients inviting them to healthy eating event;
  • a regulator sending out emails promoting its annual report launch;
  • a local authority sending out an e-newsletter update on the work they are doing; and
  • a government body sending personally addressed post promoting a health and safety campaign they are running.

The specific examples from the draft Code were used by people to question whether some of the messages they received during the pandemic contravened PECR.

Would these types of communications now no longer be direct marketing?

It would certainly seem like they aren’t if you go by the clear message from the ICO that; ‘the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.’

Will the above examples disappear from the final Direct Marketing Code?

In summary

This new guidance is likely to be welcomed by some who have been frustrated, or indeed bewildered their communications could be considered direct marketing.

However, it could also muddy the waters. It leaves the public sector needing to clearly define different types of communications and make sure relevant teams are adequately briefed to understand the difference.

As I see there are three types of communication:

a) Service messages – essential messages relating to the provision of a service
b) Promotional messages for public task or function (which are highly likely to need an opt-out)
c) Direct marketing messages (must have an opt-out to honour the individual’s absolute right to object).

I just wonder whether the term ‘promotional messages’ could have been avoided in this guidance. I am not sure I have a satisfactory alternative, but perhaps something like ‘information messages’ – i.e. messages that are not essential service messages but provide helpful information.

I also wonder whether there could have been a carve out for important health-related messages, rather than applying this new interpretation to any ‘promotional’ message from any public authority.

Let’s hope the public sector now pays due care and attention to transparency, provides an opt-out to all but essential messages, and doesn’t abuse this new-found power to engage with us beyond what is actually necessary.

 

 

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Getting to grips with Accountability

July 2021

Accountability is a key principle underpinning GDPR and has become the foundation of successful data protection and privacy programmes. It can though be difficult to know where to start and how to keep up the momentum.

Luckily the ICO has developed what I think is a great tool, and it’s just been updated it to make it even more user friendly.

The Accountability Framework can really help DPOs and privacy teams. It takes less than an hour to complete – which sounds to me like an hour well spent!

When working with our clients I often find they benefit from help both to recognise their data compliance gaps and then to scope out practical solutions. Any help from the ICO to support businesses down this road should be encouraged.

The Framework focuses on helping you to assess the effectiveness of the measures you have in place to protect personal data, understand where your weaknesses lie and gain clarity on the areas you need to improve.

It’s aimed at senior management, DPOs and those with responsibility for records management and information security.

Ten core areas of accountability

The Framework identifies ten important areas organisations are accountable for.

1. Leadership and oversight
2. Policies and procedures
3. Training and awareness
4. Individual’s rights
5. Transparency
6. Records of processing and lawful basis
7. Contracts and data sharing
8. Risks and data protection impact assessments
9. Records management and security
10. Breach response and monitoring.

Self-assessment tool and tracker

A vital part of the Framework is the self-assessment tool. It enables you to assess your level of compliance in each of the 10 core areas above.
For each area the Framework lays out the ICO’s expectations and asks you to rate how your organisation performs against key measures.

At the end you receive a report which grades your organisation’s performance on each area and helps you to:

  • understand your current compliance levels
  • identify gaps in your privacy programme
  • confirm the next steps you should take to improve accountability
  • communicate what support is needed from senior management to enhance compliance

If you want to go further, you can use the accountability tracker (provided in Excel) to record more detail and create an action plan so you can your track progress over time.

You may also find this useful when you provide management information, e.g. to your Board and/or to other stakeholders.

Improvements to the Framework

After listening to feedback, the ICO has made changes to:

  • improve the Framework’s layout. For example the 10 core topic areas have changed since the original version, making it easier to navigate
  • adjustments to the Accountability Tracker, so it complements people’s existing working practices

An example: training and awareness

The Framework provides practical ways in which you can meet the legal requirements. ‘Training and awareness’ is a great example.

The ICO expects organisations to provide appropriate data protection and information governance training for staff, including induction for new starters prior to accessing personal data and within one month of their start date.

The training must be relevant, accurate and up to date. Refresher training should be provided at regular intervals.

Specialised roles or functions with key data protection responsibilities should receive additional training and professional development, beyond the basic level.

Organisation should be able to demonstrate that staff understand the training, for example, through assessments or surveys.

In addition, you should regularly raise organisational awareness of data protection, information governance and your data policies and procedures in meetings or staff forums and make it easy for staff to access the relevant material.

What next?

The ICO tells us the next steps for the Framework include adding real life case studies which aim to illustrate the innovative ways organisations can demonstrate their accountability.

They also plan to run online workshops to look at how they can adapt and improve the self-assessment tool to better meet business needs. You can register your interest here.

Help for small businesses too

The ICO reminds us that if you work for a smaller organisation you will most likely benefit from their existing resources, available on their SME hub.

For example, you should take a look at their assessment for small business owners and sole traders and you may want to try the data protection self-assessment toolkit. ICO Accountability Framework 

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Marketing and the ‘soft opt-in’ – are you getting it right?

June 2021

The ICO has recently issued a £10,000 fine to a pizza company for sending ‘nuisance marketing messages’ to its customers.

Papa Johns claimed it was relying on the exemption to consent, known as the ‘soft opt-in’, but it was found to have not abided by the rules of this exemption.

So, what is the ‘soft opt-in’ and how can you use it, within its limitations, and not fall foul of the rules? What did Papa John’s get wrong?

What is the soft-opt-in?

The laws governing electronic marketing are covered in the UK’s Privacy and Electronic Communications Regulations (PECR) and these govern email, SMS and telemarketing.

Under PECR you need to have consent to send electronic marketing messages (e.g. email or SMS) to what are termed ‘individual subscribers’. These are people who personally subscribe to their email/SMS service provider (this is often referred to as B2C marketing).

But you don’t always legally need consent…

There’s an exemption under PECR for electronic marketing to existing customers. This is commonly known as the ‘soft opt-in’. An annoyingly ambiguous term as it permits the use of an ‘opt-out’ mechanism!

When relying on the ‘soft opt-in’ you need to be careful to make sure you follow the rules about when this exemption applies, which can be summarised as:

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services; AND
  • You provide the ability to opt-out in every communication

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

It’s worth noting the rules on consent and the soft opt-in under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email/SMS service. (Commonly referred to as B2B marketing).

To quote the ICO on this, here’s an extract the draft Direct Marketing Code of Practice:

“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”

You do however need to be mindful sole traders and some partnerships fall under the definition of ‘individual subscribers’, so would fall under the consent / soft opt-in rules for B2C marketing.

What did Papa John’s get wrong?

The ICO says it received 15 complaints from Papa John’s customers about the unwanted marketing they were receiving by text and email. The Regulator points out, ‘the complaints noted the distress and annoyance the messages were causing’.

Subsequent ICO investigations found the pizza company sent more than 168,000 messages to its customers without valid consent.

Papa John’s claimed it was relying on the ‘soft opt in’ exemption in order to send these marketing messages. But the ICO ruled they were unable to rely on this exemption for customers who’d placed orders over the telephone, as people had not been given the opportunity to opt-out at this point. The ICO also makes the point that customers were not provided with a privacy notice.

Andy Curry, ICO Head of Investigations said:

“The law is clear and simple. When relying on the ‘soft opt in’ exemption companies must give customers a clear chance to opt-out of their marketing when they collect the customers details. Papa John’s telephone customers were not given the opportunity to refuse marketing at the point of contact, which has led to this fine.

“We will continue to take action against companies who may be gaining unfair advantage over those companies that adhere to the law and comply with electronic marketing law”.

The message is clear, you need to tell people you’d like to send them marketing and give them an opportunity to object when you collect customers’ details in order to rely on the ‘soft opt-in’. You can read more from the ICO about this case here.

This latest fine comes hot on the heels of action against another company for falling foul of PECR. A case which focused on the often fine line between a service message and a marketing one. I wrote about this here; Are your service message actually direct marketing?

Both these fines act as warnings to organisations, and provide a good opportunity to review practices and check you aren’t taken any unnecessary risks.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Social media targeting: consent or legitimate interests?

April 2021

Social media marketing is well established and mainstream – lots of organisations carry out targeted advertising via various social media platforms.

But are we being open and upfront about it? Do our customers, or supporters, know enough about how you use their data on social media platforms?

From retargeting your own customers by uploading pseudonymised data to a social media platform, through to targeting ‘lookalikes’, there are a variety of options available.

Are there any compliance risks when we conduct these activities? Do people have enough control over the use of their data and the advertising they see? And to what degree are people even bothered by it?

What does the ICO think?

We began to get an insight into the ICO’s expectations when they published their draft Direct Marketing Code, back in January 2020.

Firstly, yes they are in scope:

Online behavioural advertising and some types of social media marketing are not classed as electronic mail under PECR but these are still direct marketing communications.

The ICO points out the need for transparency:

Individuals may not understand how non-traditional direct marketing technologies work. Therefore it is particularly important that you are clear and transparent about what you intend to do with their personal data.

Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way.

You must be transparent and clearly inform individuals about this processing so that they fully understand you will use their personal data in this way. For example, that you will use their email addresses to match them on social media for the purposes of showing them direct marketing.

When using “list-based” tools (e.g. Facebook Custom Audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing.

The draft DM Code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

So, the ICO says we need consent.

But actually many disagree with this rather draconian interpretation of the law. Remember this is still draft guidance and we don’t know if it will change or when the Code will be published.

(When finalised, as a Code of Practice it will replace and carry more weight than the existing Direct Marketing Guidance, which doesn’t really touch on social media marketing).

So, is Legitimate Interests out of the question?

Many organisations may be currently relying on Legitimate Interests, especially when using “list based tools”. It’s not been made clear why the ICO believes these tools would not meet the three-part test for Legitimate Interests.

In contrast, the European Data Protection Board (EDBP) suggest in their August 2020 social media guidelines that Legitimate Interests might be suitable for social media targeting:

Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

The EDPB goes on to explain the 3 conditions for a Legitimate Interests must be met:

(i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed
[i.e. the processing must be for a legitimate purpose]

(ii) the need to process personal data for the purposes of the legitimate interests pursued, and
[i.e. the processing must be necessary]

(iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

The EDPB reminds us that, in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration in relation to (iii) above.

Therefore it is important to make sure your privacy notice is clear about the use of personal data for social media targeting.

The EDPB also reminds us that CJEU have previously specified that, in a situation of joint controllership (as there might be with a controller and a social media platform):

It is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them.

Why would you want to be a trail blazer and limit the scale of your marketing activity by adopting a consent-based approach, when others don’t do it too?

John Mitchison is Director of Policy and Compliance at the Data and Marketing Association (DMA);

“The current compliance landscape can be very confusing for marketers, not least in the area of online advertising and social media.  We have a ‘draft’ version of the ICO’s Direct Marketing Code of Practice and guidance from the EU, of which the UK is no longer a part.

If a person has a first party relationship with a brand and a first party relationship with a social media platform it seems entirely reasonable for that person to see ads about the brand on the social site, and for this processing to be done under Legitimate Interest. 

Transparency and control are essential if you want to retain the trust with your customers; clearly explain what is going on in your privacy policy and allow people to opt out if they really want to.”

Consumer expectations

It can be argued people nowadays expect to see relevant advertising when they browse social media and that ads which are relevant to their interests have got to be better then untargeted ads.

So is there really any harm in this type of targeted advertising?

It’s important to acknowledge there could be harm if data is used in intrusive, appropriate or unlawful ways, especially were individuals may be minors or vulnerable people.

When data is used without the proper controls to protect people, such as offering dieting tablets to anorexics, targeting alcohol offers to alcoholics, or offering gambling services to problem gamblers – it is highly likely to be harmful.

This type of advertising is also regulated under the CAP code, so we’re not entirely reliant on data protection rules here.

But outside of these concerning situations, where targeted advertising is used for non-sensitive products and services, is this type of targeting likely to cause harm?

What user-controls are available within social media platforms?

Most social media platforms which carry advertising provide user controls on the advertising you are exposed to. For example, Facebook Ad Preferences enable users to:

  • see which advertisers are targeting you directly and hide ads if you wish
  • manage advertising topics and ‘see fewer’ if you wish
  • view data about your activity from ad partners
  • decide if you wish to share certain profile information (employer, job title, education & relationship status) for advertising purposes
  • edit you’re your interests and other categories used by advertisers to reach you
  • find out whose targeting you via audience-based advertising and hide those ads if you want

What are the risks to advertisers?

At this point in time, it seems the likelihood of enforcement action by the ICO regarding social media targeting (for non-sensitive products & services) appears rather low. But of course this could change.

It’s certainly wise to keep a close eye out for customer / supporter complaints which might arise from social media targeting, as if these are not handled properly, people could escalate their concerns to the ICO.

At the end of the day the key is making sure you are open and upfront about how you use people’s personal information.  Take a risk-based judgement call on the right lawful basis for your business and try to avoid any unwelcome surprises!

 

If you’d like any advice or support regarding social media marketing, or any other use of data, please get in touch – Contact Us 

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.