5 things you should consider
GDPR, the new data protection law that comes into force on 25th May 2018, will affect how direct mail campaigns are undertaken. It will have an impact on all personal data processing. Personal data is any data which can identify a living person, including a name, especially in combination with an address.
Most organisations have lists of existing customers or prospects. These are the 'go to' resource for generating new business. GDPR doesn't prevent this being the case, but it does make certain demands of the organisation before such a list can be legally used.
The principle of transparency requires that data subjects know you hold data about them and what you intend to do with it. They must also be told about their rights.
If you intend to use existing lists, you must communicate this information to data subjects before doing so, but for direct mail you can do this the first time you contact them. The list of things you must tell them is itemised in Article 13 of GDPR, which we have covered in our blog titled Article 13 – Information to be provided to the data subject.
Many people have jumped to the conclusion that consent will be required as a result of GDPR. This is not the case. Consent is only one legal basis for direct mail, and it will often not be the best one.
For direct marketing, including direct mail, 'legitimate interest' will often be better. Indeed, GDPR explicitly says direct marketing is a legitimate interest. This will often be the best legal basis for prospecting. If you are communicating with existing customers, or customers who have recently left, say within the last year, the legal basis of 'contract' may also be valid.
The key thing to know is that you must have a legal basis for sending direct mail, so you must choose one, and the data subjects need to know what it is. The legal bases all have additional requirements which also need to be satisfied, such as a necessity test.
GDPR has changed the way data protection issues will be tested. The Regulation is clear that the data controller is responsible for demonstrating they have complied with the law. This means the ICO, the UK regulator, does not need to show you have acted illegally; they only have to issue fines. The burden of proof is now on you: you have to prove you are 'in no way responsible'.
This doesn't just apply to the ICO either. GDPR makes space for material and non-material damage claims by data subjects, and it also provides for class actions. All of these will be tried on the same basis: you need to show you are innocent!
If you are using 'legitimate interest' as the basis for direct mail, you must screen against the MPS list. Until now this has been good practice, but not required. Legitimate interest requires you to perform a balancing test which ensures the rights and freedoms of the data subject do not outweigh your legitimate interests, but this will be impossible to prove if you have not screened against MPS. A data subject need only feel upset by your mail, and now you must prove you have done nothing wrong!
The ICO may issue fines on this basis, but data subjects can also start actions themselves, or even class actions, and it will be impossible to prove you have behaved reasonably if they can show their number is listed on a suppression register.
If you cannot bring your existing data to a suitable place, you will need to delete it. Having done so, you will possibly need to source more. You will need to pay much more attention to the data supplier: if they have not gained their data in a compliant way, then it cannot be compliant for you to use it.
GDPR makes it plain that you are also responsible for any issues, even if they are caused by a supplier, and you are only off the hook if you can show you are in no way responsible. Do your due diligence, and don't accept implausible explanations. Always sanity check what they claim; you owe it to yourself, and to the data subjects.