GDPR caused a lot of confusion when it first appeared, and it’s still causing confusion now, but one of the most complex and tricky subjects is about when businesses can and can’t email their customers.
For years companies have been sending out emails to anyone that appears on their mailing list without thinking if it is legal to do so; it’s a classic tactic to upsell.
There were rules about this in the privacy regulations (known as ‘PECR’) long before the GDPR came along.
GDPR and PECR make the rules extremely clear and gives the ICO teeth to act (and they do act) if people break the rules.
What emails can I send?
One of the problems with sending emails is differentiating between the two distinct types.
There are transactional emails and there are marketing emails.
Transactional emails
If someone buys something off your site, then there’s likely to be a process they have to go through in order to receive their goods.
It’s usually fairly simple:
Add a product to a cart
Checkout from that cart
Fill out some details
Receive confirmation, order status, delivery emails
Those emails at the end of the process and then any updates about that order are transactional emails because they relate to that transaction.
If anything else is generated, such as a follow-up to ask if your product was received, and maybe a review, could also be seen as transactional.
However, if you then send an email trying to upsell, such as “We hope you loved your socks, would you like a pair of matching gloves?”, is marketing.
If you send emails to do with the customer’s account, such as updating passwords, changes to terms and conditions, things like that, then those are transactional also.
Marketing emails
This is fairly self-explanatory.
If you try to sell something to your customer, or your email explains new website features or other things that are meant to entice your customers to click and go check out the site – that’s marketing.
Fairly clear, no?
Confusion reigns
Here’s the problem. Some people still break the law, others are going over the top.
I’ve seen websites that have a form where people can download an e-book. They need to put their details on it. The form also has a tick box that says “Please tick this box if you consent to us sending you this e-book.”
GDPR says the customer should give clear consent, in this case, the consent would be in the form of actually filling out the details to request the e-book and submitting it. .
Imagine it if someone requested the form but then didn’t allow you to send it to them?
Gaining clear consent
When someone is checking out of your store, you can offer them the option of opting in to receive updates from you.
This is usually in the form of a tickbox somewhere on the checkout page – importantly, it needs to be un-ticked initially.
There is also something called the soft opt-in. This is where someone buys from you and gives their email to you as part of the buying process. PECR allows you to take the view that your customers, having bought from you, would not mind knowing about similar products. So as long as you give them a chance to opt-out at the time they buy the product from you and give them a right to opt-out every time you email them then that’s OK.
And that’s really it.
Summing up
The law is extremely clear on what can and cannot be sent to customers, and it leaves little to interpretation.
The simple fact is, if you want to market to customers then you need to have their permission or you act under the soft opt-in. There are no clever ways around it, and if you break the rules of GDPR and PECR, you’re in danger of being picked up by the ICO and fined.
Unless you’ve spent the last 12 months on the International Space Station, there’s a very good chance that the Covid 19 pandemic has affected you in some way. For many, it has seen a fundamental shift in the way they run their business. Those in the retail and hospitality sector have been hit particularly hard, and it’s during these difficult times, some find that they have to adapt and try new ways to bolster an income that has been severely reduced. Going online has been the obvious choice, and so 2020 became the year that shop owners, small and large, took the plunge and got themselves a website. Of course, it used to be challenging to start an online shop, but there are so many ways to do it these days; you can be up and running within a day. It’s no surprise that Shopify now has 1.5 million websites hosted on its platform, and it’s one of the fastest-growing systems for starting up an online presence. But there’s a particular responsibility that comes with owning an online store, and it’s something that needs to be taken seriously: GDPR.
It’s not just about that pop-up
For many, they install some pop-up software that tells people they’re using cookies, and that’s it. But it might not be “it” if you want to ship to countries in which GDPR applies. If you’re in the USA, for example, and want to ship to the UK or Europe, you may well have to adhere to GDPR rules and appoint a GDPR representative. Also, if you’re based in the UK, you can no longer simply post things across to Europe friction-free because of Brexit. You may also need to appoint a GDPR representative in a European country.
How and why does Article 27 apply?
Let’s deal with the UK for now. If you have recently set up a store in the UK and want to ship to anywhere in Europe, then it’s likely article 27 will apply, unless the processing of that data is “occasional”. The ICO (the governing body for GDPR in the UK) states that “occasional” use is a “one-off occurrence, something you do rarely”. So, for example, you mainly sell to the UK, but someone in Germany finds your site, buys something and needs the product delivering there. In this case, you are unlikely to need to appoint a GDPR representative. However, suppose you actively market to Germany or France or anywhere else in the EU. You have prices on your site available in euros, and postage rates set up specifically to handle international shipping. In that case, you’re not ticking the occasional box, and you will need to appoint someone. One exemption is if you already have an office in a European country, but if you’ve just signed up for a Shopify site, that’s unlikely to be the case.
What does the GDPR representative do?
Data protection has been top of governments’ agenda for some time now as the prevalence of websites collecting personal data has clashed with the number of breaches and access to that data. It’s in everyone’s interest to ensure information is looked after. Companies should have a straightforward method of ensuring people know that their private data has been compromised if a breach does occur. Also, people who know a company is holding their data should have access to someone they can talk to. Governments should also be able to query the capabilities of companies holding that data. Therefore, a representative needs to be available in the customer’s country and have the necessary authority to act on the company’s behalf should there be any such queries. As a side note, this person or agency needs to be named in your privacy policy.
But I’m a tiny business. Does Article 27 include me?
Sorry, yes. Some tiny businesses process lots of data. If you sell to someone in Europe, then you have details that could personally identify them. Their address and other information will likely stay in your order system for some time, so they need to have confidence that you’re looking after that data.
I’m in the USA. Does it apply to me?
It certainly does! Although the laws are European in origin (and UK due to Brexit), they are international in scope. If you sell to the UK or any European country, you need to appoint an Article 27 GDPR representative.
Is it expensive, surely I don’t need to employ someone?
Luckily there are ways to comply with the law without setting up an office in the country you want to trade with. A GDPR representative can be an agent who will act on your behalf, and DPA-OK is here for you! Contact us today!
In light of the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) legislation, you may have some doubts about what you can and can’t do regarding marketing emails. One legislation does not replace the other, but complying with one can get you closer to fulfilling the other one’s regulations. It’s necessary to comply with both.
They place specific rules on many things such as marketing calls, emails, texts, faxes, web browser cookies, and customer privacy information. These apply to both business-to-consumer and business-to-business sales and marketing. Regardless, the purpose of this article is to clarify the rules that apply to business-to-business marketing emails.
In short, yes, you can send marketing emails to companies, but you must keep a list of businesses that object or opt out. This applies to the company as a whole and the individuals working in them. However, there are more detailed business-to-business email marketing rules that you must follow, so keep reading the article to know what they are.
Whenever you process personal data, the UK GDPR provisions and requirements apply. This means that if you are able to identify an individual directly or indirectly, the regulations have effect.. To give an example, when you have a business contact’s name and number on file or an email address that can identify them, such as “firstname.lastname@company.com”, you must comply with the regulations.
Does the PECR or the GDPR State That We Require Consent for Marketing?
No, it isn’t always necessary. While consenting is a lawful way of processing information, some alternatives to it exist. For example, you can justify your business-to-business email marketing by relying on legitimate interests.
Regardless, there are situations where consent is required to comply with PECR. Still, the rules of marketing to companies are different than those of marketing to individuals. Rules on consent don’t apply to any email sent to companies or other corporate bodies (limited liability partnerships, government bodies, and Scottish partnerships). There is one requirement: the sender of the marketing email has to identify itself while providing contact details.
However, even if that’s the case, if the company goes through the trouble of stating that they don’t wish to receive further marketing emails, the best practice is to stop sending them.
What Are the Marketing Email Rules?
You can email any company, limited liability partnership, Scottish partnership, or government body. You can’t email sole traders and some particular partnerships, as the Privacy and Electronic Communications Regulations recognise them as individuals.
That means that you can only send marketing emails towards these small businesses when they expressly consent or buy a product or service from you and fail to opt-out from the marketing emails when given the opportunity to do so. This case only applies if the message includes a unsubscribe, refuse, or opt-out option.
For corporate bodies, proper business sense and regulations recommend the practice of keeping a “don’t email” list for businesses who opt-out. Any new marketing list you obtain should be screened against that list to ensure that you don’t send emails to companies that object to them.
Some GDPR provisions apply whenever you email company workers with an email address with the corporation’s domain. Individual employees have a right to ask you to stop sending them marketing emails on these types of addresses.
What Counts as Consent?
The General Data Protection Regulation’s standard for consent is relatively high. It must leave nothing to doubt, involving a clear and concise affirmative action in the form of an opt-in option. You can’t use a pre-ticked opt-in box. It’s also necessary to include different consent options whenever the data is processed in various manners.
It would be best if you didn’t tie the consent’s processing as a precondition to a service, as it isn’t an adequate lawful basis. A consent request requires the inclusion of the following information:
Your business’ name
Third parties that make use of the processed information gained on consent
The reason you want their data
What you want to do with their data
They can opt-out their consent whenever they want
Keeping evidence of it is essential: who consents, when the person did so, how they did so, and what you told them. Try and make it easy for them to withdraw their consent whenever they wish to do it.
However, as previously stated, it isn’t always necessary. Whenever acquiring approval proves difficult, you can look for an alternative lawful basis.
When Can I Use Legitimate Interests in Practice?
Legitimate interests are a considerably flexible lawful base. As it doesn’t focus on a single purpose, it allows you to rely on it in different situations. However, that doesn’t mean that it’s always adequate to use. There is an appropriate foundation where you can use it, which is during these scenarios:
The impact on the individual’s privacy is minimum
Your processing has a convincing justification
It’s reasonable for the individual to expect their data to be used in that way
There are more situations where you can use legitimate interests, but these three are the most useful.
What Are the Rules for International Marketing Emails?
Whenever you send emails to companies outside the UK, you need to comply with their countries’ laws. For the moment, countries in Europe possess similar data protection regulations to the United Kingdom. However, some of their rules are more stringent than the UK ones, even more so for business-to-business marketing.
You need to seek legal advice if you want to send marketing emails to companies in other countries.
Can I Hire Another Company or Individual to Send Marketing Emails?
The hired party and yourself must still comply with the GDPR and PECR. You are responsible because you are technically prompting the other party to send the emails. Should your contractor fail to comply with some provisions and requirements, any legal action could be taken directly against you.
The authorities can also consider interceding with the contractor if they continue to ignore the rules, whether deliberate or not. For that reason, having a written contract stipulating the responsibilities your contractor has is ideal. It may be wise to ask your contractor to indemnify you in case they commit a PECR violation.
Should they break the law, causing your organisation some reputational damage and making you subject to legal action, you can seek legal advice and take measures for the contract violation.
What More Should I Consider?
As stated throughout the article, you must remember that whenever you process the personal data of an individual with the purpose of sending business-to-business emails, they have the right to object.
This right applies whenever you process their data for direct marketing. Whenever an individual objects to marketing emails, complying with their wishes is mandatory. You must adhere to their demands even if the processing basis is that of legitimate interests.
You must provide information on what you’re using the personal data for, your processing basis, the length of time you plan to store their information, and the parties with access to it.
If you rely on consent, there isn’t a right to object. However, any individual can withdraw it at any point, and you must cease the processing of their data when they do so.
A long time ago in a galaxy far away …….. (22 January 2020) the Information Commissioner’s Office [‘ICO’] introduced the Children’s Code.
If you are a provider of ‘Information Society Services’ likely to be accessed by children -defined as under 18 and you are not aware of it then you need to get up to speed.
The Code applies to apps, social media platforms, online messaging, online marketplaces, content streaming services and any websites offering goods or services to children over the internet.
The Code recognises that the digital economy can provide benefits to children but is often not a “safe space” for them. The Code looks to change that – not by seeking to protect children from the digital world, but by protecting them within it.
The Code is already in force but, like the GDPR, it has a 12-month transition period for providers to make the necessary changes.
Affected providers need to be ‘Code Ready’ by 2 September 2021.
Before there was a Code there was a law…
Providers are already obliged to comply with the GDPR and Data Protection Act 2018 and PECR 2003 when processing [collecting, storing, using, sharing, erasing etc.] the personal data of children -any information that relates to them.
It is not enough to comply with the GDPR – an organisation has to be able to demonstrate that it is compliant. It’s called ‘accountability’. The Information Commissioner’s Office [‘ICO’] has made it clear that if a provider does not follow the code then they may find it difficult to prove that they comply (are ‘accountable’) with the GDPR.
Failure to comply may lead to complaints from children or their parents, potential ICO investigations, claims for compensation, bad publicity, time dealing with issues and, worst-case scenario, fines.
Providers can avoid all of that by being proactive and taking steps to be Code Ready now.
The starting point for any Provider processing personal data is that they must comply with the data protection principles. Simplified these are:
(a) they must process children’s personal data lawfully, fairly and in a transparent manner.
(b) a child’s data should only be collected for specified, explicit and legitimate purposes…
(c) any processing of personal data should be adequate, relevant, and limited to what is necessary
(d) personal data should be accurate and, where necessary, kept up to date
(e) it should be kept in a form that identifies the child for no longer than is necessary and,
(f) it should be processed in a manner that ensures appropriate security of the child’s data….
As stated above a Provider must be able to demonstrate that they comply with the 6 principles above.
Not sure about the principles or how to prove you comply? Contact us -but following the Code will help.
Rights
Don’t forget children may have the following rights:
1) to be informed about how their data is used
2) to access a copy of it
3) to rectify inaccurate information
4) to erase it
5) to restrict what is done with it
6) to have others who have received their data notified about any rectification, erasure, or restriction of it
7) to have it ported to another provider
8) to object to how it is used and to direct marketing
9) to object to automated decision making and,
10) to be notified of certain types of personal data breaches.
What does a Provider need to do?
The code puts forward 15 standards.
Not all will apply to every provider. They are summarised below:
What is best for the child should be a primary consideration when providers design and develop online services.
Providers should do a Data Protection Impact Assessment (‘DPIA’) to inform them as to what they should do to do away/ reduce risks of harm to children who are likely to access the services.
If you do not know how to do one of these contact us.
Providers should take a risk-based approach to recognising the age of child users and ensure they effectively apply the standards in the code to those users.
Privacy information and other published terms, policies, and community standards, must be concise, prominent, and in clear language suited to the age of the child. Providers should provide additional specific ‘bite-sized’ explanations about how they use personal data at the point data is collected.
Provider’s must not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions, or Government advice.
Providers must uphold their own published terms, policies, and community standards.
Providers must collect and retain only the minimum amount of personal data needed to provide the parts of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which parts they wish to activate.
Providers must not disclose children’s data unless they can demonstrate a compelling reason to do so.
Providers must switch geolocation options off by default (unless they can demonstrate a compelling reason it to be on by default, taking account of the best interests of the child), and provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others should default back to ‘off’ at the end of each session.
If a provider provides parental controls then they should give the child age-appropriate information about this. If a parent or carer can monitor their child’s online activity or track their location, then there should be an obvious sign to the child that they are being monitored.
Providers should switch options which use profiling ‘off’ by default (unless they can demonstrate a compelling reason for it to be on by default, taking account of the best interests of the child). Providers should only allow profiling if they have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
Providers should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections.
Where providers supply a connected toy or device, they should ensure they include effective tools to enable conformance to the code.
Providers should provide prominent and accessible tools to help children exercise their data protection rights [see above] and report concerns.
Conclusion
Providers need to review their offerings now to ensure they do the right thing and are ‘Code Ready’ by 2 September 2021. Failure to do will make it more difficult to prove that a provider is compliant with the GDPR. DPA/OK can advise Providers on what their legal obligations are.
A data breach response plan is a strategy that helps businesses detect and respond to information security violations in a quick and coordinated way. Having a response plan will minimise the financial and reputational damage that comes with a breach incident and ensures compliance with GDPR rules.
If your business is unprepared following a data breach, it will put you under huge pressure. Under GDPR rules, a breach incident must be reported to the Information Commissioner’s Office (ICO) without delay and within a maximum of 72 hours.
Trying to cope with meeting compliance rules and simultaneously managing the fallout of a data breach will stretch your resources and disrupt day-to-day business operations. That’s why we cannot understate the importance of your business having a data breach response plan.
Worryingly, according to a PwC Global Economic Crime and Fraud Survey, just 30% of businesses worldwide have a data breach response plan in place. Unfortunately, in the event of a breach, no plan often means slow action by which time the long-term damage may have been done.
How to Create a Data Breach Response Plan
To avoid the pitfalls that follow a data breach, here’s how to create a robust, effective response plan:
#1 – Assemble a data breach response team
Assembling a data breach response team ensures an effective and efficient way to mitigate the damage and execute your response plan. Having a team that’s aware of its responsibilities means that your plan can be activated the moment a breach is discovered.
The size of your organisation will determine the structure of your team. It could include the following personnel:
Data Protection Officer
Data Breach Response Team Coordinator
Legal and Compliance Officer
Head of IT
Human Resources Manager
Marketing and PR Executive
Each individual role plays its part in a coordinated response. However, activating the team isn’t always necessary. It’s down to the person responsible for compliance at board level to decide if a breach is so serious that it needs escalating to the data breach response team based on who has been affected, the potential legal, financial and reputational ramifications and the disruption to the business.
#2 – Get cyber insurance
Data breaches are a daily threat to your business, so having cyber security insurance as part of your data breach response plan gives you coverage if you have to activate your response team. Having the right insurance coverage is crucial to safeguarding your company against significant financial losses.
You can then call on your insurance policy as part of your response plan to protect the wellbeing of your business financially.
#3 – Include a containment process
Having a containment process as part of your plan means that your response team and other personnel know exactly what to do to contain a breach when it’s discovered. This should include:
Date and time recording of the breach
Alerting and activating your response team – including the date and time of activation
Closing down systems affected
Gathering documentation
#4 – Include an evaluation process
Every response requires an evaluation process to identify areas for improvement in cyber security. An evaluation should include:
An initial investigation into the breach
A risk assessment
Establishing the priorities following a breach
A forensic investigation into the breach – you may need to engage a forensics firm for this
#5 – Include a notification process
Your data breach response plan should include a notification strategy to, where required, alert the authorities within the 72-hour timeframe and any people that have been affected by the breach. This is where you can utilise your marketing and PR team and seek legal advice to effectively, and honestly, make the necessary people aware of a breach incident.
#6 – Include a prevention plan
Your response plan should have a future prevention plan to improve your data protection measures. A prevention strategy should include:
A review of the findings into your investigation
An update of your response plan
A plan to train staff on updated procedures and responsibilities
An audit of your response process
Expect the unexpected
Data breaches can happen unexpectedly and it’s best to be prepared. It’s a cliché, but fail to plan, then you plan to fail. You might think that protecting your IT is sufficient, but with more than 80,000 cyber-attacks occurring per day, you can never be too careful.
The time, cost and resources it takes to develop a plan will be significantly less than experiencing a data breach.
If you would like to create a data breach response plan, get in touch with DPA/OK today.
Data breaches come with many consequences for your business, the most severe of which is loss of customer trust and damage to your reputation. Building your reputation takes years, but it can be destroyed in an instant by a data breach. However, there is a right way and a wrong way to handle a data breach…
With data protection heavily regulated, even more so since the introduction of GDPR Laws in May 2018, there’s greater pressure on your business to comply with legislation and protect the personal information of customers. So, what should your business do in the event of a data breach?
Here are 6 steps you should take to handle a data breach the right way and recover:
#1– Get confirmation of the breach
Before you push the panic button, get confirmation that a breach has occurred. It’s not uncommon for a hacker to send an anonymous email to an unsuspecting staff member claiming that your firewalls have been breached. This is often a ploy to trap companies into giving up data unwittingly.
Check with your in-house IT team or external service provider to determine if a breach has occurred. Diverting resources to deal with a non-existent breach can cause disruption to the day-to-day running of your business. It’s best to be sure so that you know what you are dealing with.
#2 – Contain the breach
If a genuine breach has occurred, contain it. Time is of the essence when trying to stop a breach, and how you contain it depends on the type of attack the business is facing, plus the systems affected. To stop a breach:
Isolate any system(s) you know the hacker has accessed to prevent the breach from compromising your entire network
Disconnect any breached accounts
If a specific department in your business was targeted, shut it down
Once the breach has been isolated and contained, you can then take steps to eliminate the threat and prevent further damage. For example, depending on the type of attack your business has experienced, reformat affected systems and restore them or blacklist the IP address from which the attack originated.
#3 – Check the damage
Once the threat has been extinguished, you will need to assess the damage done by the breach. Understanding how the attack happened enables you to put preventative measures in place to stop a repeat incident.
You will need to ensure that all affected systems are checked for malware, which can remain dormant and spark future attacks.
When assessing the damage, gather information on:
The type of attack
How the attack was administered (i.e. through user accounts)
The data that was targeted
Whether the data was encrypted and can be safely restored (i.e. check if the data was backed up)
#4 – Inform people affected
Assessing the data breach will reveal who has been affected. This is where you have to take ownership of the breach. According to nCipher Security, a staggering 61% of businesses worldwide said they would cover up a data breach if it meant they avoided a fine.
This is not advised. You are likely to be found out and would face severe sanctions.
The repercussions are likely to be less severe if you make every effort to ensure any customers, stakeholders, the authorities and anyone else that needs to know, are aware of the breach.
You can notify those affected by a breach by email, phone or any other method of communication you would normally use.
Reporting a data breach goes a long way toward maintaining your integrity and rebuilding your reputation long-term.
#5 – Conduct a security audit
Once the necessary initial actions have been taken, you should conduct a security audit to review your company’s current security measures and how they can be improved to prevent future breaches.
In fact, security audits should be a regular part of your operation. This will help you to find gaps in your security systems and improve system infrastructure. You should have a strategy in place to check network and server systems, IP blocks, open ports, rDNS networks and security certificates to ensure that your business is protected against malicious attacks.
#6 – Improve preventative measures
A regular, thorough security audit will expose flaws in your systems, which will help you improve preventative measures to stop attacks. Data breaches are a regular threat to your business and it’s likely that you will be targeted more than once if an attacker is successful the first time round.
It’s important that you’re ready. Having a strategy is the first step towards your recovery.
Create a data breach response plan
Prevention is better than cure, and creating a response plan is the final piece of the jigsaw in effectively handling a data breach. Having a company-wide strategy ensures that your staff can better identify the signs of a data breach and raise the alarm quickly.
Most companies don’t become aware of a breach until it’s too late. Having a data breach response plan in place can help you minimise the damage done, reduce fines, decrease the negative press and enable your business to recover more quickly.
Protecting your reputation
How you respond to a data breach has a huge bearing on your company’s ability to recover. Customers, stakeholders and more share their sensitive information with you, with an expectation that you have the proper security measures in place.
A PwC study carried out in 2017 revealed that 92% of customers expect companies to be proactive about data protection. As your reputation is most likely your best asset, you must be prepared to handle data breach incidents in the right way.
For help with preventing data breaches and complying with GDPR rules, get in touch with DPA/OK today.
