Now that the dust has settled a little around GDPR, here at LawBite we are frequently asked about how businesses can continue to contact their customers in the post-GDPR world.
When considering what is OK within GDPR, it is important to consider why you are making the contact – perhaps marketing, maybe to inform your customers about some changes to your services, or possibly you need information for legal or regulatory purposes. By now you probably know that in order to collect and process personal data, you must have a lawful basis to rely on – it is therefore also important to consider which basis you are relying on in order to hold and process the data in question.
The main lawful bases are contract (i.e. the processing of personal data is necessary for the performance of that contract), consent (simply that you have the consent of the individual concerned) and legitimate interest (that you have a legitimate business interest in processing the data of an individual and that this interest is not outweighed by the individual’s right to privacy). You may also have a legal obligation to process the personal data (for example to comply with HMRC requirements) and, for some organisations, the processing may be in the vital interests of the individual (for example, healthcare professionals) or, for government bodies, in the public interest.
If you have a contract in place or are negotiating one, any contact you make with customers for reasons connected with the contract – for example about delivery updates, invoicing queries or asking for feedback – should be lawful within GDPR on the basis that it is necessary for the administration of that contract. We recently posted on how to know when you actually have a contract in place.
Telling contacts about some great new service or product you are planning to offer is likely to require their consent. If you updated the consents you already had in place prior to the May 25th deadline to be compliant, you should be able to continue to market to your customer base as you always have. If not, however, tread carefully – if you don’t have adequate ‘GDPR’ consent, or no consent at all, and no other lawful basis to rely on, then don’t send unsolicited marketing communications. Remember individuals must be able to withdraw their consent at any time. A few weeks ago we wrote about making sure that you are GDPR compliant with 3rd party supplier contracts and protecting your customers’ data.
In the absence of consent, or outside of a contract, you may be able to continue with communications with your customer base (maybe for marketing purposes, or maybe to get back in touch with old contacts for example) if you can fulfil the legitimate interests test. This basis acts as a bit of a ‘catch-all’, however you must be able to demonstrate a genuine business interest.
GDPR isn’t about stopping businesses from communicating with their customers and contacts but is about making sure communications are necessary and appropriate and handing some control to individuals. The key with any communication is to identify why you want or need to make it. This should then help you identify your lawful basis so that you can confidently continue with your day-to-day operations.
It may all seem quite daunting but it is more important than ever to tackle your GDPR compliance. Now is the time for ACTION and remember LawBite is here to help!
To consult with the Lawbrief lawyer Jessica, please submit an enquiry for a free 15-minute consultation or call the dedicated GDPR Hotline 0845 241 1843.