Customer data is still a thorny issue for many small firms, particularly when it comes to direct marketing. Understanding what you can and can’t do is essential.
Data protection is an area of law that is developing at a rapid pace, and it still leads to confusion and regular questions on the FSB Legal Advice Line. This article will provide information on two aspects: direct marketing and paying a fee to the Information Commissioner’s Office (ICO).
Direct marketing is any advertising or marketing communication that is directed to particular individuals. It also covers promotion of an organisation’s aims and ideals – meaning the rules apply to the promotional, campaigning and fundraising activities of organisations, businesses and charities.
Standard customer service messages, such as information about service interruptions, delivery arrangements or product safety, do not count as direct marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services, or to renew contracts, it is likely to be seen as including marketing material.
Quite often, organisations will need consent to send people marketing messages or pass their details on. Where this applies, organisations will need to demonstrate that consent was up to GDPR standard – knowingly and freely given, clear and specific.
Organisations must stop sending marketing messages to any person who opts out of receiving them. To make opting out possible, an organisation must always say who it is, allow its number to be displayed (where relevant) and provide contact details that make it easy to opt out.
Generally speaking, an organisation cannot make unsolicited marketing calls to numbers that are registered on the Telephone Preference Service (TPS) or the Corporate TPS, or to anyone who has told it that they don’t want to receive its calls.
A business email such as email@example.com will not be subject to GDPR, as it does not identify an individual. However, firstname.lastname@example.org, for example, will be subject to GDPR as an individual can be identified, even though it is a corporate email address.
The main laws affecting direct marketing are the Data Protection Act (DPA), including GDPR, and the Privacy and Electronic Communications Regulations (PECR). PECR apply to electronic means of marketing and advertising, including marketing calls, texts, emails and automated calling systems.
PECR apply to all B2C marketing and to B2B marketing to sole traders, partnerships, unincorporated trusts and foundations, and their staff members. Broadly speaking, PECR do not apply to B2B marketing to staff members of limited companies, public limited companies, incorporated partnerships, trusts and foundations, local authority and government institutions, but this type of processing is still subject to the GDPR.
PECR also include other rules relating to cookies, traffic data, location data and security breaches. They require marketers to ask for consent in certain contexts, such as sending an email to a consumer who isn’t an existing customer. PECR are under review, with further developments expected later this year.
A breach of the DPA or PECR could result in a fine or an Enforcement Notice requiring you to take action. Failure to comply is a criminal offence.
Turning to the fee payable to the ICO, there are three payment tiers, determined by factors such as number of staff, annual turnover, and whether you are a public authority, a charity or a small occupational pension scheme. Many controllers can rely on an exemption.
Tier 1: annual fee of up to £40. For organisations with a maximum turnover of £632,000 for the financial year, or no more than 10 staff members.
Tier 2: annual fee of up to £60. For organisations with a maximum turnover of £36 million for the financial year or no more than 250 staff members.
Tier 3: annual fee of up to £2,900. For organisations that do not meet tier 1 or tier 2 criteria.
The ICO regards every controller as tier 3 unless and until that controller tells it otherwise. If you choose to pay your fee by direct debit, you will receive an automatic discount of £5 at the point of payment.