Consent is King… Or is it?
With the introduction of the General Data Protection Regulation, the Independent Garage Association has received numerous phone calls from members worried about their responsibilities. A high number of the queries have been around the issue of MOT/service reminders and the consent that will be required before they can be sent, once the Regulation comes into force.
The processing of personal data requires a lawful basis before it can be carried out. If it is decided that consent is the most applicable basis for marketing operations, it will therefore be required in most circumstances where businesses have been sending out reminders and have previously not gained consent from customers. Ideally this will be in the form of a suitably composed written document that the customer signs. Moreover, this consent must be obtained before any further reminders are sent out, which has understandably caused consternation amongst some of our members.
An alternative to using consent is using legitimate interests as the lawful basis. This is most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
The ICO have stated that legitimate interest is likely to apply to direct marketing, but before you can justify using legitimate interests for sending out MOT and/or service reminders by letter or phone, you must ensure that:
- The person has previously not objected to receiving reminders; and
- The marketing material is for the same and/or similar products or services; and
- You provide a method to opt out of receiving the reminders on every one you send; and
- You do not phone those individuals or businesses who have opted out of receiving marketing calls via the TPS/CTPS service.
However, if you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls, etc.), legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing, in addition to the above conditions being met.
You can continue sending electronic reminders and details of other offers to customers if you gave them the opportunity to opt out when they first received reminders from you and during subsequent marketing. However, if at any point they were not given this opportunity, you will need their consent.
If you’d like further assistance with GDPR compliance, the IGA offers on-site GDPR auditing and certification services to members. Call us on 0845 305 4230 to find out more or book.