What is UK GDPR?

The UK GDPR regime consists of two main pieces of legislation:

  • a version of the EU’s General Data Protection Regulation (Regulation (EU) 2016/679, the “EU GDPR”) incorporated into UK law (with various amendments made by Brexit legislation) following the end of the Brexit implementation period (the “UK GDPR”); and
  • the parts of the Data Protection Act 2018 (DPA 2018) that relate to general personal data processing, the powers of the Information Commissioner (the ICO, who enforces data protection law in the UK) and sanctions and enforcement, as amended by Brexit legislation.

In short, the UK GDPR regulates the way in which organisations can “process” “personal data”, that is, information which relates to an identifiable individual. “Process” here means carrying out any operation in relation to that data: collecting it in the first place, holding it, consulting it, editing it, using it to communicate with the individual, disclosing it to another person and even destroying it. All of those activities are subject to the UK GDPR, which also gives rights to the individuals whose data is processed and requires appropriate technical and organisational measures to be in place to prevent data breaches; in other words, strong information security measures.

What does the UK GDPR mean for us?

The ICO has the power to issue fines of up to £17.5 million or 4% of our annual worldwide turnover (whichever is higher) for a breach of data protection law in the UK. Also, the information environment and awareness of data issues have moved on considerably since the 1990s, as a result of which the PR risk associated with data protection breaches is much greater than before. UK GDPR compliance will reduce the risks to your business of a data breach and protect the rights of individuals.

Under the UK GDPR, businesses involved in sharing or otherwise processing personal data must understand and identify their roles, e.g. processor, independent data controller or joint controller. The role each party plays establishes that party’s obligations under data protection law and plays a vital part in allowing businesses to identify the risk mitigation steps they should take. Data controllers (see below) are responsible for ensuring that their processing, including any processing carried out by a processor on their behalf, complies with the UK GDPR, and must have extensive compliance documentation in place in order to demonstrate that compliance. Additionally, processors have direct responsibilities and obligations under the UK GDPR, in addition to their contractual obligations.

What does the UK GDPR mean in the context of our relationship with ISC Research?

If you are a user of ISC Outreach, you will, as part of your license, have access to the contact details of various individuals within schools. Those contact details constitute personal data, and so are subject to the UK GDPR. One of the purposes for which our customers use that information is to market their goods or services to those individuals in the context of their roles within their schools. Using personal data for marketing purposes is one type of processing that is expressly subject to data protection law.

What does the UK GDPR say about using that information for marketing?

One of the main obligations under the UK GDPR is that personal data must be processed “lawfully, fairly and in a transparent manner”. Article 6(1) of the UK GDPR then lists the conditions, at least one of which must be fulfilled in order for the processing to be lawful. Those conditions include having the individual’s consent, which is often the one relied upon, but which is by no means the only one available. Other conditions include where the processing is necessary for the performance of a contract to which the individual is a party or in order to enter into such a contract, or where the processing is necessary for compliance with a legal obligation to which the organisation is subject. The most important condition in the current context, however, is where the processing is necessary for the purposes of the legitimate interests of the organisation or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the individual. This is known as the “legitimate interests” condition. Recital 47 of the UK GDPR then says that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. So, as long as your legitimate interest in sending the communications is not overridden by the interests or fundamental rights and freedoms of the individual, you can use personal data for the purposes of sending direct marketing communications so far as the UK GDPR is concerned. Note that this is a balancing test rather than a blanket permission: you should carry out and record a legitimate interests assessment so that you can demonstrate it if asked. Relevant, targeted and unobtrusive direct business-to-business marketing is unlikely to be overridden by those interests, but please see our Purchasing Guide for further guidance.

So, is it a myth that we have to get the recipient’s consent in advance before we can send them a marketing email?

Unfortunately, the UK GDPR does not provide the whole data protection picture in relation to marketing emails. We also have the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which sit alongside the UK GDPR. PECR contains particular rules relating to direct marketing messages sent by electronic means such as email. For these purposes, PECR distinguishes between people who receive such communications in their capacity as part of a wider organisation (loosely, business-to-business communications) and people who receive such communications in their personal capacity (i.e. business-to-consumer communications) via, for example, a personal email address such as a Gmail or Yahoo account.

PECR says that for unsolicited marketing emails to be sent to consumers, the sender must either have the individual’s prior express and informed consent, or must have obtained the individual’s details in the course of a sale or negotiations for a sale of goods or services to that person (the so-called “soft opt-in”, which also requires that the marketing is for similar goods or services and that the individual was given a simple way to refuse when their details were collected and in every subsequent message).

However, in relation to business-to-business communications, the general principle of data protection law applies, as set out under the previous question. That means that you need only meet one of the conditions mentioned above, such as the legitimate interests condition, in order to send a marketing email to, for example, the work email account of an employee at a school. One caveat: PECR’s consent rule protects “individual subscribers”, which includes sole traders and some partnerships as well as consumers, so whether the rule applies depends on who the subscriber is, not simply on whether the address looks like a work address.

The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR) to sit alongside the EU version of the GDPR. However, the ePR will not automatically form part of UK law or sit alongside the UK GDPR as the UK has left the EU.

Is that the end of the story on marketing emails?

Not quite. Even for business-to-business marketing emails, under the UK GDPR and PECR you have to provide the individual with an easy way of opting out of receiving such communications, and you must honour any objection to direct marketing. Also, you must comply with Article 13 or 14 of the UK GDPR. These say that you have to provide individuals with further information, such as the identity and contact details of the data controller (i.e. probably your own entity), the purpose for which you are processing their information, and various other items depending on the circumstances.

How do we do that?

Typically, you would provide the information required by Article 13 or 14 of the UK GDPR by sending the individual a privacy statement (or a link to it) as part of your first communication with them. Where you did not obtain the data from the individual directly, which will usually be the case for contact details obtained via ISC Outreach, Article 14 requires that information to be provided within a reasonable period and at the latest within one month of obtaining the data, or at the time of your first communication with them if the data is used to contact them, whichever is earlier.

I’ve heard the terms “data controller” and “data processor” a lot – what do they mean?

A data controller is the person (often an organisation) who determines the purposes and means of processing personal data, that is, why and how personal data is collected, stored and used. A data controller has the ultimate responsibility for ensuring that data processing activities comply with data protection law. A data processor is someone (usually a business) who processes personal data on behalf of, and on the instructions of, a data controller, for example a service provider hosting data or sending out emails on its customers’ behalf. Although data processors are contractually bound to ensure data security and confidentiality, their responsibilities under data protection law differ from those of controllers.

What does that mean in the context of information that we obtain from you?

We obtain personal data as a data controller. When you access that information, you will determine the purpose for which you will use it, for example to send marketing communications. You will therefore also be acting as a data controller.

Can we continue to process the personal data of contacts at the China-based educational establishments contained in ISC Outreach (the “Personal Data”) and market to China-based contacts following the introduction of the Personal Information Protection Law of the People’s Republic of China (“PIPL”)?

Yes, as long as you process the Personal Data for international school related business purposes such as marketing.

PIPL, in Article 13, paragraph 1, point VI states [processing of personal data is permitted] ‘where it is necessary to handle the personal information already disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law’ as one of the lawful reasons for processing individuals’ personal data without requiring their consent, so long as it is done in accordance with the following conditions, which are set out in Article 27 of PIPL:

a) Personal information should be that which is disclosed by the individual concerned himself/herself or other personal information that has been legally publicised;
b) The individual concerned does not expressly refuse such processing;
c) Handling of the individual’s disclosed personal information does not have a major impact on the rights and interests of the individual; and
d) Handling is made within a reasonable scope.

We believe that the requirements of a) to c) above are met and that, for d), ‘reasonable scope’ is also justified, since (according to Article 28, Paragraph 1 of PIPL) processing is within a reasonable scope when the person processing the personal data in question (such as ISC Research’s clients) does so in accordance with ‘the original purpose of use’ for which that personal data was disclosed.
Paragraph 2 (of Article 28 PIPL) further provides that, if the purpose of use at the time of disclosure is unclear, the Personal Information Handler shall reasonably and carefully handle personal information already disclosed.

Accordingly, in line with Paragraph 1, we believe that, by obtaining the personal information from publicly available sources such as school websites and LinkedIn, such personal data was disclosed by the owner of that personal data with the clear expectation that it would be used for establishing international school related business opportunities and relationships (the original purpose of use), which is precisely what ISC is doing with that personal data.

With respect to the point in Paragraph 2, the fact that the personal information has been publicly disclosed is an implicit acknowledgement by the data subject that their personal data may be used for the purposes of seeking further business opportunities. Consequently, storing it on our database and making it available to our clients is likely to result in such expanded business opportunities in line with the individuals’ expectations when they originally publicly published it.

So, in conclusion, we believe that our clients’ processing of the personal data we make available to them is permitted by Chinese law, without the need to obtain the express consent from individuals in China for doing so.

Please note that the above opinion, whilst based upon Chinese legal advice we have received, does not constitute legal advice to you and if you continue to have concerns with respect to your use of the personal data we may provide to you, you should seek your own independent legal advice.

These FAQs are for guidance only. They do not constitute legal advice. If you have any concerns regarding your own compliance with the UK GDPR or otherwise, you should seek your own professional advice.