The Importance of GDPR

What is GDPR and how will it affect you?

The General Data Protection Regulation (GDPR) is new Europe-wide legislation that aims to strengthen and protect the privacy rights of individuals.

As Direct Marketers we have a responsibility to ensure that the data we collect, store and use is compliant and meets the expectations of the data subject. The introduction of GDPR helps reinforce this and aims to help individuals better control their personal data, with new regulation under which the penalty for non-compliance will be significant fines.


Key facts about the GDPR and DLG and PDV’s preparation


  • What is personal data?

    Personal data is data that relates to a person. A data supplier must demonstrate how and when they received this data, under what lawful basis it was collected, by whom and how that basis complies with the GDPR today.


  • What is the difference between a Data Controller and Data Processor?

    It is essential that any organisation involved in processing personal data is clear as to their role and responsibility.

    • Data Controllers determine the means and the purpose of processing personal data.
    • Data Processors process data on behalf of a controller.


  • Who’s responsible?

    Under GDPR, everybody in the data processing chain is responsible for the care of personal data, including both controllers and processors. DLG and PDV’s responsibility for data governance goes far beyond initial due diligence. We use our Active Audit programme to protect our clients from non-compliant data suppliers.


  • Are you dealing with the Data Collector or Data Aggregator?

    It’s important to establish the provenance of data. Therefore you should stay as close to the point of original data collection as you can. Work with collectors where you can; if you use a broker, ensure they have a clear view of the data origin and have completed the relevant due diligence documentation.


  • Due Diligence forms

    Get due diligence forms completed by your suppliers, but don’t stop there. Your due diligence process should be an on-going process. DLG and PDV have a comprehensive Auditing Programme to monitor all our suppliers; this ensures that not only our clients are protected, but also the consumers on our database.


  • Should I only buy ‘Consented’ data?

    There are six lawful bases for processing (Consent, Contract, Legal obligation, Vital interest, Public task and Legitimate interest). Either Consent or Legitimate Interests could be acceptable for different forms of Direct Marketing. Neither is ‘stronger’ than the other; it’s important to establish the most appropriate for the type of processing conducted.


  • What constitutes consent?

    The standards for obtaining consent are increased under GDPR. Consent needs to have been captured “freely, specifically, informed and unambiguously” using a “clear affirmative action.” Where DLG and PDV rely upon consent we are able to demonstrate all five of these conditions.


  • What about Third Party consent?

    A data collector will collect consent from a consumer for other organisations to process their data; this is third party consent and the GDPR requires that the third party should be named. Categories of third-party organisations will not be enough to give valid consent under the GDPR. If the third party is not named then consent cannot be relied upon as a lawful basis and another lawful basis is likely to be most appropriate for your processing activities, such as Legitimate Interests.


  • Legitimate Interests

    If your supplier relies upon Legitimate Interests as the appropriate legal base for processing personal data they should be able to share with you details of the Legitimate Interests Assessment they conducted, demonstrate that they have clearly informed people what will happen to their data AND given the subject the opportunity to object. Avoid suppliers who cannot show this.


  • What about withdrawal and the right to be forgotten?

    It needs to be easy, and without penalty, for a consumer to withdraw their permission. Withdrawal of permission is not the same as being forgotten. A data supplier needs to retain a record of a consumer if they are to ensure they no longer communicate with that consumer. A consumer may request to be forgotten and a data supplier will inform the consumer of the implications of this choice before complying with the request.


  • What if I do it wrong?

    Fines levied under GDPR could be up to €20m or 4% of global turnover, whichever is higher; therefore, marketers need to choose their suppliers carefully. DLG and PDV put the care of the data subjects at the heart of our infrastructure, security, privacy and data usage policies.


  • Are there any Trade Bodies and/or Regulators?

    Any organisation handling personal data is regulated by the Information Commissioner’s Office (ICO). Additionally, the Data and Marketing Association (DMA) is the trade body responsible for ensuring standards of behaviour in the direct marketing industry. They conduct extensive Compliance Audits on their members. You should always work with suppliers who are DMA members and have passed the Compliance Audit.

If DLG and PDV manage and supply 100% of your data requirements, using our extensive and rigorous processes to provide a market-wide compliant solution, you should avoid the enormous reputational and serious financial damage that using poor data practitioners could cause.