1. Des Johnston

    Des Johnston UKBF Newcomer Free Member

    Hi. Over the years, I've created a database of prospective customers. I will approach these people irregularly, either by phone or email, with news of new products and/or services in the hope that they will put business my way. The data I hold is secure and is limited to contact details plus any notes I've made myself, e.g. "Called Joe Bloggs on 20th Jan but he wasn't in". I don't hold any personal data on the contact names. Does GDPR come into effect here at all? Do I need to get consent from these people that I can hold their info and send them info/call them in the future? My obvious concern is that by approaching them, I'm giving them the opportunity to make me delete their details and impact future business.
     
    Posted: Jan 10, 2018 By: Des Johnston Member since: Jan 10, 2018
    #1
  2. Dmitry V.

    Dmitry V. UKBF Newcomer Free Member

    Hello, Des. I have a similar problem. Please share any details if you find the answer. I'll do some research as well.
     
    Posted: Jan 12, 2018 By: Dmitry V. Member since: Mar 17, 2015
    #2
  3. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    Hi Des (& Dmitry)
    No, you don't need "consent" (though you probably will for emailing once the new ePrivacy regulation arrives too). However, whilst you can process under the basis of Legitimate Interest, there are a number of things you have to have done for THAT to be OK, and one of them is to have been fair and transparent when you gained the data. Additionally, you need to conduct a Legitimate Interest Assessment / Balancing Test (to check that your interest isn't outweighed by risk to the subjects).
    If you do decide to process on the basis of Consent - make sure you do it correctly: it needs to be a positive action, freely given, etc etc and most importantly . . . provable.
    The data does qualify as personal data (even the B2B part) because it is possible to identify a person - even the email address alone would probably do that. This inclusion of B2B is one of the larger changes that result from GDPR.
    Hope that helps
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #3
  4. Des Johnston

    Des Johnston UKBF Newcomer Free Member

    Many thanks for your responses
     
    Posted: Jan 15, 2018 By: Des Johnston Member since: Jan 10, 2018
    #4
  5. Des Johnston

    Des Johnston UKBF Newcomer Free Member

    Advice from our GDPR lawyer is we DO need to obtain consent. Business to Business relationship, though, means that a pragmatic approach can be taken over a period of time not exceeding 12 months, but we do need recorded consent.
     
    Posted: Feb 6, 2018 By: Des Johnston Member since: Jan 10, 2018
    #5
  6. DavidJWSmith

    DavidJWSmith UKBF Newcomer Free Member

    Hi Des,

    I am surprised by your lawyer’s response. It isn't entirely clear cut. This is because of the ways you are contacting people, namely by phone or by email. We need to add in a bit of context to explain this.

    GDPR is the law which (will) govern all processing of personal data, no matter how that is done. GDPR provides for 6 legal bases of processing, they are:
    6.1.a - Consent
    6.1.b - Necessary for a contract to which the data subject is party
    6.1.c - Necessary to fulfil a legal obligation
    6.1.d - Necessary to protect the vital interest of the data subject ...
    6.1.e - Necessary for a task carried out in the public interest ...
    6.1.f - Necessary for the purposes of the legitimate interests of the data controller ...

    It is unfortunate that consent comes at the top, because it should be considered as the basis you will 'have to use' if no other basis will do. As the ICO put it in their consent guidelines, if it's difficult it may be wrong. For prospecting using traditional media (i.e. not email, text etc) 'legitimate interests' is normally better.

    Now, that said, you are contacting these people using a 'publicly available electronic network', so there is additional legislation that comes into play. Currently that law is the Privacy and Electronic Communication Regulations (PECR). PECR says that you can contact people by telephone so long as they can opt-out, and you screen your unsolicited calls against the TPS (and in your case CTPS) list. PECR also currently says the only people who you need consent to send emails to are 'individual subscribers'. A subscriber is the person who has a contract with the telecoms company, so this loophole is what allows the sending of unsolicited email to people in a work context, they do not have the contract with the telco, their employer does (caveat about sole traders and partnerships being 'natural persons').

    BUT, sorry, more new laws, PECR will shortly be replaced by the ePrivacy Regulation (ePR). This was due to happen at the same time as GDPR, but is now delayed. In any case, ePR will happen, and this WILL (it's still in draft, so no-one can be 100% certain, but there is not even the slightest hint this won't be true) require email, text, and other 'over the top' services (maybe LinkedIn), to only be done on the basis of consent. ePR will not change the basis for telephone calling, that will be derogated to national governments, and so will stay the same.

    So, to summarise, you must choose a legal basis for processing, and you must tell the data subject what that is. If you choose 'consent', then you WILL need consent; if you need to use unsolicited email, when ePR comes in you WILL need consent. BUT, if you want to telephone prospects, or mail them, then 'legitimate interests' would be a very valid alternative. Indeed Recital 47 of GDPR states direct marketing 'may be regarded as carried out for a legitimate interest.' That's a pretty strong hint.
     
    Posted: Feb 6, 2018 By: DavidJWSmith Member since: Feb 6, 2018
    #6
  7. Des Johnston

    Des Johnston UKBF Newcomer Free Member

    Hi David. Thanks for your response. It prompted a meeting this morning with our DPO, Marketing and Sales depts :) I think we're on the same page in that it isn't GDPR that will force us to gain consent, but rather the ePrivacy bill. I think our main concern is the way we handle our existing prospect database. Today, we will send out mailshots advertising webinars, new products and services etc. We have staff who will call these prospects on the basis that we've previously been in contact and whilst they weren't interested in us then, they might be now.
     
    Posted: Feb 8, 2018 By: Des Johnston Member since: Jan 10, 2018
    #7
  8. Nochexman

    Nochexman UKBF Enthusiast Free Member

    This is a great answer, David - thank you.

    If I might summarise (without prejudice) - if we have a list of sales prospects, and we choose the legal basis for processing their data as legitimate interest, and we tell our prospects this, then we should be compliant with the relevant legislation.

    If this is the case, how and when should we tell our prospects this?
     
    Posted: Feb 8, 2018 By: Nochexman Member since: Jun 14, 2011
    #8
  9. DavidJWSmith

    DavidJWSmith UKBF Newcomer Free Member

    Hi Des, I think that sounds like a suitable sort of plan. Given that you have people phoning, I would suggest you think about a three-objective call (pragmatic business head on):
    1. give the data subject the Article 13 or Article 14 information (it's a requirement, so build it in)
    2. ask if they want to sign up to anything, have a webinar, or whatever suits best
    3. ask if it is OK to keep sending them direct marketing emails about webinars (or whatever) they might be interested in.

    By doing this, you make sure they have the 'information they must know'. You have a chance to secure a 'contract' between you, if you do so, you can use the legal basis of 'necessary for a contract' to communicate, even by email (just make sure the contract states you will 'keep them informed about upcoming events ...' wording to suit), and even if that doesn't happen you can still have a shot at the long-term beneficial thing of gaining consent for email.

    Naturally, there is detail in there about exactly what you should say etc, but your DPO should be able to help there. If you are not confident, or your DPO would like a second opinion, contact me, the company name to web search for is Dept679.
     
    Posted: Feb 8, 2018 By: DavidJWSmith Member since: Feb 6, 2018
    #9
  10. DavidJWSmith

    DavidJWSmith UKBF Newcomer Free Member

    Hi Peter, According to the letter of the regulation, you should tell the data subject a whole bunch of information 'when the data is collected', this is all in Article 13. If you don't get it from them personally, you have to tell them all the same information within a month, or if you are using it for direct marketing, at the first occasion you contact them.

    Now, bringing existing data into line with the regulation is not explicitly covered. However, if we return to (one of) the original objectives of the regulation, which is to put the data subject in control of how their data is processed, then I suspect, though no-one can say for sure, that you will be complying by informing them of the Article 13 or 14 information, so long as it is before 25th May 2018. If you can't find a copy of the regulation, please contact me (I don't have rights to post links yet), search for the company Dept679, drop me a line any old way, and I'll email you some links.

    The question of how to tell the data subjects this information is thorny. For now, you could continue to use the PECR loophole for email (watch out for partners and sole traders). You do not need a response (as you would for consent) if you are using traditional methods. But keep records. Don't forget, it is your duty to demonstrate you have complied with the law.
     
    Posted: Feb 8, 2018 By: DavidJWSmith Member since: Feb 6, 2018
    #10
  11. DavidJWSmith

    DavidJWSmith UKBF Newcomer Free Member

    Hi Peter, sorry I should have said, if you don't get the data from them personally, you have to tell them what is listed in Article 14.
     
    Posted: Feb 8, 2018 By: DavidJWSmith Member since: Feb 6, 2018
    #11