People still aren’t sure what GDPR means or how it affects agency new business, and since that’s something we do very well, we thought we would clear it up once and for all.
So, will GDPR affect agency new business efforts?
The Short Answer?
“When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same, opt-out.
When emailing or texting, you do not need the prior consent/opt-in from the individual. You can, therefore, send them a marketing email/text as long as you provide an easy way to opt out of future communications.”
The Long Answer?
The GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity.
So, for example, if you have the name and number of a business contact on file, or their email address identifies them (e.g. [email protected]), the GDPR will apply.
But, one of the main points of confusion is the difference between processing and consent.
GDPR is about needing ‘a basis for data processing’: basically, a reason why you are doing something with someone’s data.
But consent (the thing everyone is scaremongering about) is only one of the six lawful bases for processing data under GDPR. There are alternatives.
In particular, you can rely on ‘legitimate interests’ to justify your new business efforts.
However, there is no absolute rule here and you need to apply the three-part test.
- Identify a legitimate interest – The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- Show that the processing is necessary to achieve it – If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- Balance it against the individual’s interests, rights and freedoms – If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
You also must include details of your legitimate interests in your privacy information and keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
That’s all, folks. It’s pretty simple really, and makes the whole facade look a lot like Y2K: a lot of jumping to conclusions and misleading legal text, but not much common sense.
Hopefully, this helps provide a little more clarity for those who need it.