The new rules extend the scope of EU law on individuals’ data protection and privacy and also address the export and processing of personal data outside the EU. Their main aims are to update the current, obsolete regime and to harmonise data protection regulations across the EU, which in turn will simplify non-EU countries’ compliance when conducting business in the EU. They also recognise the growing value of personal data and aim to give individuals a greater degree of control over how their data is used.
Alongside the fact that wealth managers are endeavouring to meet best practice in the appropriate use and protection of data, firms are also compelled by the potentially steep cost of non-compliance. GDPR grants invasive investigative powers to the Information Commissioner’s Office (ICO), as well as a range of sanctioning tools ranging from warnings, to potentially substantial fines, to outright bans on processing.
There are multiple facets to compliance with GDPR, and below we address a few of the most frequently queried areas relating to email marketing – from marketing to individuals to the use of third-party contacts and B2B activities.
Email marketing to individual clients
When planning an email marketing campaign, firms should keep in mind that, along with GDPR, they should also consider the Privacy and Electronic Communications Regulations (PECR), which regulate electronic communications such as email, telephone and text.
GDPR requires firms to identify a lawful ground in order to process personal data. When it comes to marketing, the most common lawful grounds under GDPR are data subject consent or legitimate interest.
If your firm is distributing content via email, both GDPR and PECR apply and the general rule is that you need to have consent from the recipients. However, there are a number of exceptions:
- If the marketing email is directed to existing customers who bought a similar product or service from you, S.22 PECR permits use of the so-called soft opt-in, an exception allowing you to continue sending marketing emails, provided that the person is given the opportunity to unsubscribe at any time.
Soft opt-in is a way to continue sending marketing messages to existing customers even if they haven’t specifically consented to receiving them. It does not apply to prospective customers or new contacts (e.g. from bought-in lists). It also does not apply to non-commercial promotions (e.g. charity fundraising or political campaigning).
- Content tailored to a specific customer or to specific customers (e.g. “targeted advertising”) could be considered “direct marketing”, which is a form of legitimate interest under GDPR.
Although GDPR does not define direct marketing, ICO guidance on PECR defines it as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.
However, you must still consider PECR – although you may be able to publish on the “subscriber” area of your website or send marketing communications directly to a prospect via post without consent (or the soft opt-in), you would be unable to market via email/phone/instant messaging without the recipient’s consent unless soft opt-in applies.
Use of third party contacts
Another consideration is that the purchasing of marketing lists, or using an agent or introducer to gain access to prospective investors, will become more cumbersome under GDPR.
If your firm purchases a marketing list or enters into an introducer/agency agreement, your firm remains responsible for the data contained in the marketing list or provided to your firm by the introducer or agent. It is therefore essential that your firm carries out thorough due diligence on the third party and obtains assurance that the data was obtained lawfully.
Marketing B2B
Marketing to companies will be subject to different rules depending on who the wealth manager is marketing to. GDPR and PECR protect individual users, whether they are using their work or their personal address – and a person’s work email address is still considered personal data.
Marketing emails sent to a “general” company address will fall outside of the scope of GDPR – as there is no personal data involved and the person(s) behind the email address cannot be identified. However, PECR does apply, which means that the company can opt out of the communications.
When marketing B2B to a named individual, the content of your email is crucial. If you are marketing a service to a company with a view to contracting directly with that company, and the corporate contact email is addressed to an individual, this could still be classed as a B2B communication, a form of legitimate interest. However, if your message is to the individual in their individual capacity, then you would need prior consent to email marketing.
When emailing individuals in a business setting it is good practice to evidence the thought process and demonstrate the steps taken to establish that the individual concerned is the appropriate point of contact for B2B communications.
Email marketing is a key area of the regulation but just one of many – firms should look to understand the lawful basis and purpose of processing, the application of individuals’ rights, how they are evidencing their accountability and governance, and their security measures and processes to prevent and respond to data breaches.
Those looking to find out more can visit the ICO website, which has a host of useful resources. Pimfa members can also access our GDPR Policy Support area and guides such as ‘Useful Guide on Marketing’ and the ‘GDPR Action Plan and Checklist’.