What is GDPR?
GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679), a European Regulation that was passed in 2016 and comes into force throughout the European Union on 25 May 2018. In the UK, it will effectively replace the Data Protection Act 1998 (DPA) on that date as being the main piece of data protection / privacy law in force. In short, data protection law regulates the way in which organisations can “process” “personal data”, that is information which relates to an identifiable individual. “Process” here means carrying out any operation in relation to that data, from collecting it in the first place, holding it, consulting it, editing it, using it to communicate with the individual, through to disclosing it to another person and even destroying it. All of those activities are subject to data protection law if they are applied to personal data. Another major aspect of GDPR is the requirement to have appropriate technical and organisational measures in place to prevent data breaches – in other words strong information security measures.
What does GDPR mean for us?
The headline point is that the maximum fine for a breach of data protection law in the UK will increase from £500,000 to €20 million or more (depending on your turnover). Also, the information environment and awareness of data issues have moved on considerably since the 1990s, as a result of which the PR risk associated with data protection breaches is much greater than before. GDPR compliance will reduce the risk to your business of a data breach. Another major change is that data controllers (see below) now have to create extensive compliance documentation in order to demonstrate compliance, rather than the Information Commissioner’s Office (the ICO, who enforces data protection law in the UK) having to prove a breach of the law.
What does GDPR mean in the context of our relationship with ISC Research?
If you are a user of ISC Outreach, you will, as part of your license, have access to the contact details of various individuals within schools. Those contact details constitute personal data, and so are subject to the GDPR. One of the purposes for which our customers use that information is to market their goods or services to those individuals in the context of their roles within their schools. Using personal data for marketing purposes is one type of processing that is expressly subject to data protection law.
What does GDPR say about using that information for marketing?
One of the main obligations under GDPR is that personal data must be processed “lawfully, fairly and in a transparent manner.” Article 6 of GDPR then lists some conditions, one of which has to be fulfilled in order for the processing to be lawful. Those conditions include having the individual’s consent, which is often the one that is relied upon, but which is by no means the only available one. Other conditions include where the processing is necessary for the performance of a contract to which the individual is a party or with a view to entering such a contract, or where the processing is necessary for compliance with a legal obligation to which the organisation is subject. The most important condition in the current context, however, is where the processing is necessary for the purposes of the legitimate interests of the organisation or another person, unless those interests are overridden by the interests or fundamental rights and freedoms of the individual. This is known as the “legitimate interests” condition. Recital 47 of GDPR then says that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. So, as long as your communications aren’t overridden by the interests or fundamental data protection rights and freedoms of the individual, you can use personal data for the purposes of sending direct marketing communications so far as GDPR is concerned. Relevant, targeted and unobtrusive direct business-to-business marketing is unlikely to be overridden by those interests, but please see our Purchasing Guide for further guidance.
So, is it a myth that we have to get the recipient’s consent in advance before we can send them a marketing email?
Unfortunately, GDPR does not provide the whole data protection picture in relation to marketing emails. In the UK, we also have the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implement an earlier European Directive, commonly known as “PECR”. PECR contains particular rules relating to direct marketing messages via electronic means such as email. PECR makes a distinction for these purposes between people who receive such communications in their capacity as part of a wider organisation (loosely, business to business communications) and people who receive such communications in their personal capacity (i.e. business to consumer communications) via, for example, a personal email address such as gmail or yahoo account.
PECR says that for unsolicited marketing emails to be sent to consumers, the sender must either have the individual’s prior express and informed consent, or the sender must have already engaged with the individual in relation to the supply of goods or services to that person.
However, in relation to business to business communications, the general principle of data protection law applies, which is as set out under the previous question. That means that you just have to meet one of the conditions mentioned above, such as the legitimate interests condition, in order to send a marketing email to, for example, the work email account of an employee at a school.
Note also that PECR will at some stage be replaced by a European Regulation, currently provisionally known as the ePrivacy Regulation. It had been anticipated that the ePrivacy Regulation would come into force at the same time as GDPR, but there has been extensive debate over many of its provisions, so it now looks virtually impossible for that to happen.
Is that the end of the story on marketing emails?
Not quite. Even for business to business marketing emails, PECR says that you have to provide the individual with an easy way of opting out of receiving such communications. Also, you have to comply with Articles 13 or 14 of GDPR. These say that you have to provide individuals with further information, such as the identity and contact details of the data controller (i.e. probably your own entity), the purpose for which you’re processing their information, and various other items depending on the circumstances.
How do we do that?
Typically, you would provide the information required by Articles 13 or 14 of GDPR by sending the individual a privacy statement as part of your first communication with them, or within a month of obtaining their data.
ISC will be sending each contact already on the ISC Outreach database a privacy notice compliant with Articles 13 and 14 of GDPR prior to the new legislation coming into force. Privacy notices will also be sent to each contact that is added to the database subsequently.
I’ve heard the terms “data controller” and “data processor” a lot – what do they mean?
A data controller is the person who determines the purpose for which any given personal data is used. A data processor is someone (usually a business) who processes personal data on behalf of a controller, for example a service provider hosting data or sending out emails on their customers’ behalf. They have differing responsibilities under data protection law.
What does that mean in the context of information that we obtain from you?
We obtain personal data as a data controller. When you access that information, you will determine the purpose for which you will use it, for example to send marketing communications. You will therefore also be acting as a data controller.
If GDPR and (when it arrives) the ePrivacy Regulation are EU laws, will they be affected by Brexit?
For our purposes, no. The flow of personal data around the European Union is enormous, and only permitted because all member states have approximately the same laws in place on data protection. That is why you may have heard of difficulties associated with the transfer of personal data to other countries, such as the USA. If that data flow is to continue between the UK and other European countries after Brexit, the UK will need to retain GDPR (or something very similar to it) in force, otherwise the flow will have to stop. The UK Government has already confirmed that the European rules on data protection will continue to apply post-Brexit.
Can we continue to process the personal data of contacts at the Chinese based educational establishments contained in ISC Outreach (the “Personal Data”) and market to Chinese based contacts following the introduction of the Personal Information Protection Law of People’s Republic of China (“PIPL”)?
Yes, as long as you process the Personal Data for international school related business purposes such as marketing.
PIPL, in Article 13, paragraph 1, point VI states [processing of personal data is permitted]‘where it is necessary to handle the personal information already disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law’ as one of the lawful reasons for processing individuals’ personal data without requiring their consent, so long as it is done in accordance with the following conditions, which are set out in Article 27 of PIPL:
a) Personal information should be that which is disclosed by the individual concerned himself/herself or other personal information that has been legally publicised;
b) The individual concerned does not expressly refuse such processing;
c) Handling of the individual’s disclosed personal information does not have a major impact on the rights and interests of the individual; and
d) Handling is made within a reasonable scope.
We believe that the requirements of a) to c) above are met and, for d) ‘reasonable scope’ is also justified, (according to Article 28, Paragraph 1 of PIPL) when the person processing the personal data in question (such as ISC’s clients) does so in accordance with ‘the original purpose of use’ for which that personal data was disclosed.
Paragraph 2 (of Article 28 PIPL) further provides that if the purpose of use at the time of disclosure is unclear, the Personal Information Handler shall reasonably and carefully handle personal information already disclosed.
Accordingly, in line with Paragraph 1, we believe that, by obtaining the personal information from publicly available sources such as school websites and LinkedIn, such personal data was disclosed by the owner of that personal data with the clear expectation that it would be used for establishing international school related business opportunities and relationships (the original purpose of use), which is precisely what ISC is doing with that personal data.
With respect to the point in Paragraph 2, the fact that the personal information has been publicly disclosed is an implicit acknowledgement by the data subject that their personal data may be used for the purposes of seeking further business opportunities. Consequently, storing it on our database and making it available to our clients is likely to result in such expanded business opportunities in line with the individuals’ expectations when they originally publicly published it.
So, in conclusion, we believe that our clients’ processing of the personal data we make available to them is permitted by Chinese law, without the need to obtain the express consent from individuals in China for doing so.
Please note that the above opinion, whilst based upon Chinese legal advice we have received, does not constitute legal advice to you and if you continue to have concerns with respect to your use of the personal data we may provide to you, you should seek your own independent legal advice.
These FAQs are for guidance only. They do not constitute legal advice. If you have any concerns regarding your own compliance with GDPR or otherwise, you should seek your own professional advice.