GDPR and TPS Screening - Made Easy
Article added: 08/06/2018
What’s it all about?
GDPR stands for General Data Protection Regulation (GDPR) and is the new Data Protection regulations that came into law on 25th May 2018.
It’s essentially stricter than the Data Protection (DPA) Act 1998 it replaces.
Companies have been flouting the DPA for many years, growing lazy and managing their data in ways designed solely not to create problems or complaints. GDPR now places many of these businesses in a potentially difficult situation as failure to comply with GDPR has lots of potential consequences.
GDPR is complicated, anyone who’s tried to understand their obligations under GDPR will undoubtedly agree. However, failure to screen your data against the Telephone Preference Service (TPS) could land you in hot water.
Although the Data Protection Act has been replaced, the Privacy Electronic Communications Regulations (PECR) has not.
Whilst GDPR allows for you to gather and manage data under two main methods (there are others) there are some limitations.
A simple way to look at consent is this:
If you put yourself in the position of the data subject and can honestly answer yes to the following then in all probability you have valid consent:
- Do you know who you are giving your data to?
- Do you know what they are going to do with the data?
- Do you know who they are going to share your data with? Of those people they will share your data with some are reasonable and necessary (such as the IT company that hosts their servers for example, their accountants and solicitors) and others would reasonably require your specific consent such as a completely unrelated business. Did you give that specific consent for these other companies?
- Are you clear on how are they going to contact you in the future i.e. by mail, email, text or telephone?”
If you can honestly state that your method of data collection and management ticks all those boxes, then you have consent.
Consent means that even if the telephone number they provided you is on the TPS then you have overriding permission to call them.
According to the Information Commissioners Office (ICO), it is the individual’s last indication that stands, which means if they subsequently register on the TPS after you’ve gathered their consent then you should cease making sales and marketing calls to them.
However, under GDPR, if your consent is valid (and sufficient) then you no longer need to be concerned about people registering on the TPS after they’ve registered with you.
If it makes you feel more comfortable you could, during the 28 day period it takes for any TPS registration to become effective, opt to re-contact your data and re-opt them in.
The chances are that you’ve either never heard of Legitimate Interest or you’re in the data industry and potentially banking on it being your saving grace!
Legitimate interest, unlike consent, gathers data on the basis that you have a right to use it rather than asking for the data subjects consent. It’s a little more complex than that and if you’re thinking of using it, then you should get some advice.
There are of course some rules. To use data under legitimate interest you need to pass a three part test.
- Purpose test - is there a legitimate interest behind the processing? This could be as simple as “we have a legitimate interest in marketing our goods to existing customers to increase sales”. As daft as it might sound?
- Necessity test - is the processing necessary for that purpose? For example, if you’re selling windows you don’t need to be processing the data subject’s religious beliefs.
- Balancing test - is the legitimate interest overridden by the individual’s interests, rights or freedoms? This is not quite so easy to explain in only a few words, but is basically a test to see that the risks to the data subjects are proportionate. One example that was recently in the news would be the construction industry scandal involving the operation and sharing of an Employment Blacklist where a list was shared of workers the industry wanted to prevent getting work. Such a list would not past the balancing test as it would affect the rights of the data subjects.
Legitimate interest does not override PECR, so if you collect data in this way you still need to TPS screen your data and if you collect data in this way specifically to make calls to it, you won’t be able to if the number is on the TPS. You’ll have to contact the data by post to get Consent to call it.
Consumers may sue you
A more worrying aspect of GDPR are the subtle changes that could potentially allow consumers to sue companies for using their data. Notably, the Data Protection Act required a claim for damages to prove financial loss. Something an email or phone call did not do. However, GDPR does not require this.
If you call someone registered on the TPS, their registration will be a matter of fact and it will be down to you to prove you had consent to call them. Calling someone on the TPS is against the law (unless you have their explicit permission) so a case for this brought by a data subject is potentially in their favour. If you cannot prove consent sufficient to satisfy the data subject, you could potentially be opening yourself up to a Small Claims Court action.
For those of you unfamiliar with the Small Claims Court, it’s nothing short of a joke. Anyone who has ever been there, especially those that go regularly, will tell you that you may as well flip a coin!
Rumours are already circulating about potential consumer action for breaches of GDPR and it could well become a feeding frenzy.
The problems with fighting a consumer claim in the Small Claims Court are:
- You (the business) have to travel to their court if you are being sued by a consumer, sole trader or partnership. So good luck if that’s the other side of the country or Northern Ireland!
- The judges in a small claims court invariably side with consumers against the “big bad business”. Remember, judges are people too and probably (unfairly so) fed up with cold calls and texts as well.
- It’s not uncommon for small claims court judges to take a “middle of the road” approach, the point about which is not a case of if you lose, more by how much.
- A loss at small claims court could be newsworthy
- If you forget to settle on time, your business will gain a CCJ
- The time needed to deal with a Small Claims Court action far outweighs the claim itself, but could settling set a precedent for others to claim and give the claimant bragging rights?
There’s simply no upside to facing a Small Claims Court action, in particular from a consumer, trust us on this. Don’t hand it to them on a plate
Don’t take the risk. TPS Screen your data.
The ICO Guide to Legitimate Interest
Updated ICO Guide to Marketing
TPS Services Richard Kane said:
GDPR is incredibly complicated to understand. You'll reach a point when you think you just about have it and someone will ask you a question and you’ll find that your questioning yourself.
The ICO seem to think they’ve laid it out for eveyone in a clear and easy to understand manner, but everyone we’ve spoken to is still very confused and concerned.
I hope these guides help. The updated Direct Marketing guide has additional orange sections added by the ICO to reflect the GDPR changes. It’s a must read for anyone marketing.
Looking to market by post?
If you're looking to switch some or all of your marketing to Direct Mail, why not ask us about our new MPS Screening services?
Mail Preference Service (MPS) screening now available from TPS Services