As a direct marketing company, Mailing Expert has to deal with data from a variety of sources. It’s no wonder that the mailing house has taken proactive steps to comply with this year’s GDPR (General Data Protection Regulation) deadline. Ian Trevett asked David Vaughan about the impact of GDPR.
What steps has your company taken to ensure compliance?
We are very proactive. Every member of staff has taken the IDM (Industry of Direct & Digital Marketing) Award in GDPR, which is equivalent to a Level 4 professional qualification. I am taking the IDM Professional Certificate in GDPR and ePrivacy, which is a year-long course. And, we are members of the DMA (Direct Marketing Association).
We are seeing companies really start to wake up recently, and we are getting lots of enquiries asking about what it will mean for their company, so we have to be knowledgeable on the subject.
People think that the law changes in May but it has actually been in force for 18 months already. May just represents the cut-off period where everyone should be compliant.
What is the most important element of GDPR for marketing?
The main idea is ensuring you have consent, though you don’t necessarily have to have consent to send someone a letter or leaflet. It’s all about ‘legitimate interest’. You need to go through an in-depth questionnaire of around 20 questions, to ascertain if the person receiving the mailer could be viewed as being likely to have an interest in the material. It is stricter with email and digital marketing.
Which types of company do you think the government are looking to catch?
I don’t think ICO (Information Commissions Office) are ‘after’ anyone in particular. That is a pessimistic view. They just want to ensure there are guidelines in place when people communicate with each other. A lot of it is about the information a company or organisation might hold about an individual. If you start collecting loads of information about a person for no justifiable reason, then you are breaking the law. You need to think about what data I actually require about a person and is it actually relevant - and then do I have the person’s consent to have this. You should ask - do I really need to know gender, date of birth, address or email or medical history?
The ICO has made some public examples. Honda were slapped severely over the knuckles by ICO as they emailed everyone on their list including people who said they didn’t want to hear from them. Honda were asking people if their information they hold was correct, which is fine as this is an exercise in tidying up their lists. But where they went wrong was the subject line said something along the lines of ‘Do you want to hear from Honda’ which was interpreted by the ICO as a marketing message rather than a tidying up process. This broke the law.
A charity accidentally sent out an email that included the whole email list in the cc box. It was a medical charity, so the email addresses were strictly confidential. ICO could have severely punished the charity, possibly with a fine that would close the charity down. ICO gave them a small fine and a warning not to do it again.
Is GDPR a good or bad thing?
GDPR (or Data Protection 2018) is a positive and sensible thing in my opinion. Just see it as an opportunity to clean your database. It is okay to have a customer list and list of potential leads, but make sure you know where all the lists are, who is on the lists and what information you have. Don’t leave flash disks lying around. Most data breaches come from leaving a memory stick on a bus or train or throwing out paperwork (shred it!).
With targeted marketing you need to become more intelligent and you need more information on the potential consumer. For instance, a buying history is important for a clothing company. But if the clothing company then send me the data for the mailing, there is absolutely no reason why I need anything other than the names and addresses; I just have enough information to ensure the catalogue goes to the right person.
When is it okay to gather personal information?
It is fine if it is relevant and necessary. We work with a nightclub in London and about four-six weeks before someone’s birthday they will send free tickets out for their birthday celebrations. The club see this as a good way to get people in et cetera and the clubbers have a great night. So this is an example where they require a date of birth - or at least the date of the birthday. But when people sign up for the list they will know this. So we will need to know birthdays to ensure we mail at the right time. But on the other hand, we don’t need the phone numbers; it’s all relevant and in most cases it is just common sense.