Now before we start it is important to note that, although we have had a huge team researching into GPDR and we are confident on the following interpretation, this article does not constitute as legal advice.
So let’s jump straight in at the deep end with the main two important questions on everyone’s lips at the moment, which are…
Can I still send customers text messages after the GDPR legislation comes into affect?
Yes. Yes you can continue to text your customers.
Do I need to get my existing customers to re opt-in?
No. If you have been previously messaging your customers then you do not necessarily have to re-request their permission. However it’s very important that you read all the details below to make sure you are compliant with GDPR.
The basics of GDPR
The new rules and regulations of GDPR will come into full effect on the 25th May 2018. And one specific requirement reads: you must have a lawful basis in order to process personal data.
So what is meant by ‘processing personal data’?
“Processing… means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data… it is difficult to think of anything an organisation might do with data that will not be processing.” (Source: ICO)
So your customer database, and any emails or text messages that you send to businesses or individuals with that database would be considered as ‘processing’.
So what is a ‘lawful basis’?
Well there are six available lawful bases for processing and not one is more important than the other, however it is effectively the justification you have for processing the data.
Gaining consent is one of those six which seems to be getting all the limelight. It is a key takeaway point however where your existing customers are concerned, it’s probably not the most appropriate.
Do you have to gain consent to communicate with your customers after GDPR?
Not necessarily no. We think that the two lawful bases that most businesses will fall under when processing data are, consent and legitimate interests.
Consent is obviously more clear, have they said you can contact them, yes or no. However legitimate interests is a more flexible lawful basis for processing data, ICO state, “ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” (Source: ICO)
Any act of processing, sending an email or text message, needs to stack up against the 3 following questions:
1 – Do you have a legitimate interest for sending the message? This can include your own need to cross-sell other products / services or promote wider use of an already purchased item, for example
2 – Do you need to send the message in order to achieve those interests? If you could reasonably achieve the same result through other, less intrusive means (such as unprompted visits to your website), legitimate interests do not apply
3 – Have you balanced the act of sending the message against the individual’s interests, rights and freedoms? This comes back to the early statement about reasonable expectations on their part.
These three steps make up the Legitimate Interests Assessment (LIA), which you should complete ahead of the GDPR coming into effect. There is a detailed explanation and a template for completing the LIA from the Data Protection Network here.
What you need to know about the ePrivacy Regulation
The ePrivacy Regulation focuses on rules and regulations around electronic communications, email, SMS etc. However these rules will not be in place until 2019, and for now, you should continue to comply with the existing PECR legislation.
Here is a post by the Data Protection Network that provides you with a reminder of what the existing requirements are. But to summarise an important key point for you…
You can continue to use a soft opt-in to send email and texts – A soft opt-in applies when you have obtained an individual’s details as part of the sales process, where you’re only marketing your own products / services, and you provide an opt-out in every marketing communication.
So to round up and summarise for you…
Most businesses will be able to continue to contact their existing customer base without interruption using legitimate interests. Providing you have assessed and documented it as your lawful basis of processing via your privacy policy (eConsultancy offers some great advice on privacy policies).
However when contacting prospects or lapsed customers, the “existing customer relationship” that makes legitimate interests possible does not apply, and getting consent with them would be strongly recommended.
We hope all that helps and if you do have any questions please do not hesitate to ask.