Personal data is data that relates to a person. A data supplier must demonstrate how and when they received this data, under what lawful basis it was collected, by whom and how that basis complies with the GDPR today.
It is essential that any organisation involved in processing personal data is clear as to their role and responsibility.
Under GDPR, everybody in the data processing chain is responsible for the care of personal data including both controllers and processors.
It’s important to establish the provenance of data. Therefore, you should stay as close to the point of original data collection as you can. Work with collectors where you can; if you use a broker, ensure they have a clear view of the data origin and have completed the relevant due diligence documentation.
Get due diligence forms completed by your suppliers, but don’t stop there. Due diligence should be an ongoing process.
There are six lawful bases for processing (Consent, Contract, Legal obligation, Vital interest, Public task and Legitimate interest). Either Consent or Legitimate Interests could be acceptable for different forms of Direct Marketing. Neither is ‘stronger’ than the other; it’s important to establish the most appropriate basis for the type of processing conducted.
The standards for obtaining consent are increased under GDPR. Consent needs to have been captured “freely, specifically, informed and unambiguously” using a “clear affirmative action.”
A data collector will collect consent from a consumer for other organisations to process their data; this is third party consent and the GDPR requires that the third party should be named. Categories of third-party organisations will not be enough to give valid consent under the GDPR. If the third party is not named then consent cannot be relied upon as a lawful basis and another lawful basis is likely to be most appropriate for your processing activities, such as Legitimate Interests.
If your supplier relies upon Legitimate Interests as the appropriate lawful basis for processing personal data, they should be able to share with you details of the Legitimate Interests Assessment they conducted, and demonstrate that they have clearly informed people what will happen to their data and given the consumer the opportunity to object.
It needs to be easy and without penalty for a consumer to withdraw their permission. Withdrawal of permission is not the same as being forgotten. A data supplier needs to retain a record of a consumer if they are to ensure they no longer communicate with that consumer. A consumer may request to be forgotten and a data supplier will inform the consumer of the implications of this choice before complying with the request.
Fines under GDPR could be up to €20m or 4% of global turnover, whichever is higher; therefore, marketers need to choose their suppliers carefully.
Lead Intelligence Limited
Lead Intelligence is a limited company registered in England and Wales under number 12546685. Registered office: 71-75 Shelton Street, London, Greater London, United Kingdom, WC2H 9JQ
Copyright © 2021 Lead Intelligence Limited - All Rights Reserved.
ICO Registration number: ZA745799