Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on firstname.lastname@example.org.
Do estate and letting agents now need consumer consent for all direct marketing?
Damon Bullimore, chief information officer at BriefYourMarket.com:
The simple answer to this is no. The ICO has recently released its reviewed guidance on using lawful bases for processing, and it should make for very good reading for agents.
Agents might consider looking at the news like this: If you choose to use consent as your lawful basis for processing, the individual has given you clear consent for you to process their personal data for a specific purpose, e.g. for direct marketing, so you have evidence to support your lawful basis for sending them marketing communications.
If you choose to use legitimate interest, they have not, so it is your responsibility to show justification for why you are sending them marketing communications. To do this, you should undertake a Legitimate Interest Assessment (LIA) and conduct a three-part test which will help you to understand what you are trying to achieve from your direct marketing messages, and if they will have any impact on your customers’ rights.
When it comes to emails, texts, and automated calls, you should risk assess if legitimate interest is the most appropriate basis for processing, as e-privacy laws may require that you obtain consent.
The ICO has stated that the EU is currently “in the process of replacing the current e-privacy law” but it is yet to be finalised.
You may find the ICO’s guidance useful, as for legitimate interest to be viable, ‘soft opt-ins’ must have previously been obtained. A soft opt-in means that a customer has bought or discussed a product or service with you, and you have always provided a means for them to opt-out of communications.
To cope with the demands of the GDPR, we have developed our system with a ‘planning for the worst and hoping for the best’ approach. In light of the news, we’re delighted that we have covered all bases, as it means our customers can determine their own approach to the GDPR.
Annemarie Proudfoot, head of customer relations at BestAgent:
For each person you directly market to, but with whom you do not have signed terms of engagement, you must have recorded GDPR-adequate consent. We advise you put together a mass email now to convert as much of your database as possible.
This way, if 'Mrs Adams' asks why she’s receiving a list of properties from you, you can say: ‘because on X date you consented to hear from us, and here’s a copy of the email’.
If you are marketing services to someone who has recently transacted with you for a similar service or product, who was also given the chance to opt out but did not, then they fall under the soft opt-in exception and you can continue to direct market to them.
Bernard George, solicitor for Socrates Training Ltd:
You do not always need consent for direct marketing. People are understandably worried and confused.
We have even had subscribers ask us if they can still send out Christmas cards. You can, and in general you can still mail out marketing letters too.
The basics are these:
1. Direct mail is generally fine.
2. Marketing by electronic means is more tightly controlled.
- To send out marketing by emails or text you will generally need consent, and that has to be a positive opt-in consent.
- But where you have an existing client relationship there is an exception which allows you to send out e-mail marketing on an opt-out basis.
Sharon Tan, partner at Mishcon de Reya LLP:
The GDPR is designed to give people more control over their personal data, whilst also ensuring that businesses across the EU benefit from a level playing field.
Although estate and letting agents may have a legitimate interest to use personal data for direct marketing, this can't override the obligation to have recipients' consent for any electronic direct marketing (unless it is to an existing customer who has not objected to receiving it).
It is therefore always advisable to seek consent, which under GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
When seeking consent you should be clear about the purposes for which the personal data will be used (normally done through the privacy notice). In addition to the general right to withdraw consent, you should also inform individuals of their right to object, at any time, to the processing of their personal data for directing marketing (and this should be brought to their attention at least at the time of the first communication with them).
Annabel Kaye, managing director of KoffeeKlatch:
For direct marketing to identifiable individuals, you have to be able to show that you have a lawful basis for processing this information and that specific consent has been given for you to do this.
- If individuals submit their own contact information you need a clear and prominent privacy notice so the individual can understand at that point exactly what you are proposing to send them. GDPR will change what ‘consent’ means, as pre-ticked opt-in boxes, opt-out boxes, or any other ‘consent by default’ methods will no longer be valid.
- Bought-in lists will be subject to more rigorous 3rd party data consents as well.
- You must you get valid consent and be able to demonstrate it by keeping records. A consent to be emailed is not automatically a consent to be phoned or texted or recorded. Each must be separately identified.
The need to screen against Telephone Preference Service and Mailing Preference Service lists is not changing.
A ‘soft opt-in’ is allowed as ‘consent’ for previous and existing customers, but this is limited to promoting your own service that is similar to the one they previously purchased – and you must give a way to opt out.
Avoid using consent when you have another legitimate method of processing data (for example an existing customer you wish to invoice) as consent can be withdrawn at any time.
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.