The ICO (the data protection and privacy regulator) is taking a very robust line in relation to marketing as evidenced by its recent enforcement action and guidance.
You should ensure that your marketing practices comply with data protection law. It is also worth keeping in mind that the definition of marketing is very broad. It goes beyond selling products. As such, an email to a customer telling them about the plans for your business or products is likely to count as marketing.
When carrying out marketing you should keep the following in mind:
You should ensure that individuals are told how their personal data is used for marketing purposes. This should be done via the appropriate privacy notice.
Some fundraising practices require consent. It is usually unlawful to send a marketing email or text unless the recipient has consented. Consent must be freely given, specific and informed. It must also be accompanied by a positive action. As such, a statement such as "You consent to us sending you marketing emails. Please email us to opt out." is not valid consent by any standards.
In order to cover off the transparency and consent requirements, we envisage more family businesses using 'opt in' tick boxes to obtain consent as appropriate with a detailed description of how personal data is used for marketing purposes.
In respect of emails and texts an alternative to consent is what is known as the 'soft opt in'. This provides that you do not need consent to send marketing emails or texts where:
Even if you are satisfied that your family business has a compliant privacy notice/consent form in place going forward, you will also have to consider what steps to take to make your existing database compliant.
The General Data Protection Regulation (GDPR) will replace the Data Protection Act from 25 May 2018. Although implementation is still over a year away, you should be taking steps now to ensure that you are compliant.
Emails are particularly vulnerable to sophisticated cyberattacks. For example, a fraudster might intercept an email from a supplier to your family business and replace the supplier's bank details with their own. Another common attack involves the fraudster sending an email to customers requesting payment of invoices, but again, the payment details are the fraudster's and not the family business's.
Family businesses should take steps to ensure that they are adequately protected against such risks. This includes:
We can assist with all aspects of data protection compliance including with the issues set out above.