<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Will purchasing contact data lists become illegal under GDPR?

Topics: Data Protection, Regulation, GDPR, General Data Protection Regulation, Data Protection Bill

Posted: 08 November 2017

Data List Purchasing Becomes Illegal with GDPR

In the pursuit of writing about the practical application of the GDPR (General Data Protection Regulation) rather than reciting the contents of the freely available regulation document, I am writing this blog to answer a commonly asked question regarding the purchasing of marketing contact lists post May 2018.

A widespread method of new business acquisition in the IT security channel market, much lauded for its spam creating effect, is the purchase of contact lists for direct marketing; a cornerstone of business for some. Yet, the new European data protection regulation, designed to empower data subjects in taking control of their personal data and thus an ability to market to them, threatens the feasibility of this activity so much that it may cease to exist.

Consent from Data Subjects is Essential

The GDPR contains six core principles (Article 5) which among other requirements, sets out that any act of processing must be lawful. To be clear, the act of marketing to a data subject requires the use of one or more items of personal data, for example an email address, telephone number or name, therefore making it an act of processing and subject to the GDPR.

[You may also like "The Six Commandments of the GDPR"]

To be lawful, the GDPR specifies six possible conditions under Article 6. You are free to read all six, however to cut a long story short, there are only two likely conditions which can be met by a marketing activity conducted in a sales environment; you have the explicit consent of the data subject; or you can claim legitimate business interests due to the existence of the soft opt-in under the PECR (Privacy and Electronic Communication Regulation) regulation 22. This allows for non-consented direct marketing if the data subject is an existing customer who has not opted out of or unsubscribed from communications.

The legitimate business interest card is a nice one to have, but when purchasing a contact list it is contrary to the purpose of the purchase that an existing business relationship could exist, making consent the only realistic option.

How does Consent apply to Marketing Contact Lists?

With the requirement of marketing to a data subject only possible with explicit consent from the data subject, any marketing contact list must come with evidence of collecting consent and the purpose(s) that the data subject has consented to. Beware that risk aversion by assuming that this is the responsibility of the the company supplying the list, will not be accepted by the supervisory authority. The GDPR is intended to be peer enforced through shared responsibility in a number of areas, including this one. You must have evidence of consent to process personal data.

In the case that you do not have consent, you may need to seek it for yourself if you insist on processing. For email, the PECR makes this impossible as it only accepts email marketing (which consent seeking is considered) in cases where there is consent or you have an existing business relationship as mentioned earlier in the blog. This avenue is closed. A secondary option is to seek consent through a telephone call. This is permitted by the PECR unless the number is present on the TPS (telephone preference service) or the CTPS (Corporate TPS) or if the data subject has not objected to your calls in the past.

[You may also like "GDPR: Seek re-consent or burn your contacts database, really?"]

The Future for Purchased Data Lists

To summarise, the practise of purchasing a contact list and marketing to the contents for new business acquisition is likely to find itself confined to the pages of history. The task of being able to sell contact lists with attached proof of consent for specific marketing activities will be almost impossible to achieve. Leaving it up to the purchaser of that contact list to seek consent themselves within the confines of the PECR.

It is a data protection minefield which most will view as too risky and too much of a challenge to try. Instead, the custom of purchasing contact lists and the organisations that sell them will dwindle as their customers find their services too problematic.

Data Protection for Life GDPR Data Processing

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts