GDPR & Marketing Data

What is the GDPR?

The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, and requires all businesses to ensure that the ways they collect, manage and use any personal data are compliant. The purpose of GDPR is to protect the privacy rights and interests of individuals, and it will replace any current data protection laws across the EU, including the UK Data Protection Act (1998). GDPR ensures that any business that trades within the EU processes personal data in the same way, with strict penalties for those who breach legislation or their own data processes.

We are GDPR ready!

We can assure you that Selectabase will only supply marketing data lists that are compliant under the EU’s GDPR processing rules. You can trust us to only provide you with the highest quality marketing data, in accordance with the latest GDPR guidance.

Marketing is a significant and important economic activity. Organisations are entitled to market their goods and services, and they have a legitimate interest in seeking to address marketing to the most relevant audiences.

Our data portal Prospect Download hosts both UK businesses and consumers.

4 Simple Steps to Marketing Ready Data

  1. Our data sources collect data under GDPR to pass onto third parties
  2. Once Selectabase hold this data we process the data under legitimate interests
  3. Selectabase provide marketing data to our clients that they can use under legitimate interests
  4. Our clients process purchased data in accordance with GDPR

Selectabase only provides data that can be processed for direct marketing purposes using legitimate interests as the legal basis. This means that B2C data (individuals) is limited to postal data only, whereas B2B data for individuals (sole traders and true partnerships) includes post and telephone data, and B2B data for corporate entities includes post, telephone and email data.

Where applicable, we also offer a full end-to-end solution which does not release the marketing data to our clients. This includes the selection of the data audience, support with the marketing material and fulfilment of the print and post.

By purchasing Selectabase’s marketing data, am I automatically GDPR compliant?

You should always remember that the provision of marketing data from Selectabase does not absolve our clients of their obligations under GDPR. To be compliant under the GDPR, purchasers of marketing data (postal address, telephone and email) must also follow specific guidelines from the ICO and PECR (for marketing using electronic means). This includes, but is not limited to, things such as clear and accessible unsubscribe options on all communications and ensuring proper segmentation when delivering communications (e.g. to ensure the data subject would have a legitimate interest in the topic or content of any communication received).
For more information please visit https://ico.org.uk/

See our full list of GDPR Marketing Data FAQs below.

Speak to one of our data experts today on 01304 383838 and see how you can benefit from using Selectabase’s GDPR ready data.

All orders are subject to our standard due diligence checks prior to acceptance.

Individuals (and businesses) which may be included within the marketing lists we source from our suppliers can unsubscribe easily via our Data Opt-Out Request page.

Browse our Services or Contact Us for assistance.


GDPR Marketing Data FAQs

Am I allowed to use your data lists for direct marketing purposes under the new GDPR rules?

Yes, provided you comply with your obligations under our terms and conditions, the GDPR and the PECR when you use our data lists. For example, our data lists are sold for direct marketing purposes using legitimate interests as the legal basis for processing.

For further information on using legitimate interests, please see the ICO’s guidance which is available here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

Marketing is a significant and important economic activity. Organisations are entitled to market their goods and services, and they have a legitimate interest in seeking to address marketing to the most relevant audiences.

Are all of your services compliant with the GDPR?

Yes, all of our services are compliant with the GDPR and we have taken the necessary steps to ensure this is the case (including, for example, carrying out a legitimate interests assessment to determine that we can process personal data for direct marketing purposes and use in connection with our services).

Are all of your services compliant with the PECR which sits alongside the GDPR?

Yes, all of our services comply with the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR):

• Postal mail: not subject to PECR.
• Email marketing: we only use B2B data (i.e. corporate data), which does not require consent to market to under PECR, not B2C data (consumers and sole traders).
• Live telephone marketing: all phone numbers are screened against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS), as appropriate.

We do not provide any services where consent is required as the legal basis for processing under GDPR or PECR.

What legal ground are you using to process personal data, and what is your justification?

We rely on legitimate interests under Article 6(1)(f) of the GDPR to process personal data in connection with our services. We have chosen legitimate interests as our legal basis for processing as we believe that it is the most appropriate for our activities based on the GDPR and recent guidance from the Information Commissioner’s Office (ICO) and the Direct Marketing Association (DMA).

We have considered different legal bases, including consent, and determined that legitimate interests is the most appropriate for the processing of personal data in connection with our services. Amongst other considerations, we believe that where there are a large number of organisations which may process personal data for direct marketing purposes, naming those organisations individually is impractical and less useful to individuals than identifying categories of organisations. We therefore consider legitimate interests to be a fairer and more appropriate legal basis for processing than consent, whilst offering individuals a similar degree of control over their personal data as consent does.

Consumer data for postal marketing.
Has consent been obtained from the individuals to process their personal data for direct marketing?

No, as we are relying on legitimate interests to process their personal data for such purposes, not consent. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

The consumer database is a combination of the Edited Electoral Roll, including updates from the monthly rolling register, partnerships with other data owners and other compliant data sources. These data sources are legally processing data under the GDPR to pass the data of individuals (data subjects) to Selectabase.

Business data for postal and telephone marketing use, specifically to sole traders and some partnerships (classed as individuals), or named contacts at the companies contained within the database.
Has consent been obtained from these individuals to process their personal data?

No, as we are relying on legitimate interests to process their personal data for such purposes, not consent. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

The business database is a comprehensive collation of UK company data, with over 5 million records that combine business data from over 10 different sources. These data sources are legally processing data under the GDPR to pass the data of individuals (data subjects) to Selectabase.

Business data for email marketing use, specifically to a named individual email address (e.g. forename.surname@companyname) within the database.
Has consent been obtained from these individuals to process their personal data for direct marketing?

No, as we are relying on legitimate interests to process their personal data for such purposes, not consent. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

Business data for postal, telephone or email marketing (to generic email addresses, e.g. info@companyname) to incorporated companies within the database.
What are the rules for direct marketing to this audience under GDPR?

GDPR governs the processing of personal data while the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) govern direct marketing by electronic means.

For postal marketing to corporate entities, where only the name of the company is included (i.e. not the name of an individual), this will generally not constitute personal data (unless, for example, an individual’s name forms part of the company name) and therefore the GDPR will not apply. PECR will also not apply as it is not marketing by electronic means. Where an individual’s name is included, this will constitute personal data under GDPR and you will require a legal basis for processing that data under GDPR. Where you purchase postal marketing data from Selectabase, your legal basis for processing will be legitimate interests.

For telephone marketing to corporate entities, phone numbers must be screened against CTPS. Corporate phone numbers are unlikely to constitute personal data under GDPR but may do so (for example, if a mobile phone number is used as a corporate phone number), and you therefore require a legal basis for processing that data under GDPR. Where you purchase telephone marketing data from Selectabase, your legal basis for processing will be legitimate interests.

For email marketing to corporate entities, generic email addresses (such as info@companyname.com, admin@companyname.com) will generally not constitute personal data unless you can identify an individual from that data (for example, if you know that the company only has one individual working for it e.g. one director/employee). Such email addresses will therefore (generally) fall outside the scope of both GDPR and PECR.

For personal corporate email addresses (such as joe.bloggs@companyname.com), these will constitute personal data under GDPR but do not require consent to market to under PECR (i.e. legitimate interests can be used). Where you purchase corporate email data from Selectabase, your legal basis for processing will be legitimate interests. You must also ensure that you include an unsubscribe or opt-out where you send an email to a personal corporate email address. As a matter of best practice and to avoid any risk of a generic corporate email address (e.g. an info@company.com address) being considered personal data, you should include an unsubscribe or opt-out on all marketing emails you send (including to corporates).

You can find out more about the requirements for these forms of marketing from the ICO’s direct marketing guidance and checklist which are available via the following links:

• Direct marketing guidance: https://ico.org.uk/media/1555/direct-marketing-guidance.pdf
• Direct marketing checklist: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf

Please note that in addition to GDPR and PECR, there are other laws and regulations which apply to marketing communications, including those sent by email (such as the Electronic Commerce (EC Directive) Regulations 2002).

Where consent has been obtained, did they opt-in or opt-out to the processing of their personal data by third parties for direct marketing, and at the collection points did it list organisations by name, by description, or was the consent for disclosure to any third party?

Where consent was obtained prior to 25th May 2018, individuals will have either opted in or had the chance to opt-out to the processing of their personal data for direct marketing purposes. Third parties will have been identified by category/description.

From 25th May onwards (at the latest), all personal data previously processed on the basis of consent will be processed on the basis of legitimate interests.

Will lists purchased before 25th May 2018 be GDPR compliant or will we have to buy new lists?

The answer will depend on the data you have purchased and what type of direct marketing you are carrying out.

For example, if you are conducting email marketing to B2C recipients (consumers, sole traders and unincorporated partnerships, for example) you will be unable to use those lists after 25 May as the data will not meet the GDPR requirements for consent (in particular that any third parties relying on consent, such as your organisation, are specifically named).

For other data, for example postal mail or telephone data, you may need to change the legal basis for processing to legitimate interests and satisfy the relevant requirements for doing so (including, for example, informing individuals that you have changed the legal basis on which you are processing their personal data).

We would therefore suggest that the safest and easiest option is to purchase a new list.

Useful links

Guide to the GDPR
ICO
PECR
The DMA Code
FCA Guidance



GDPR Documentation Help

We have partnered with Herbert & Ball LLP, a leading data protection consultancy, to provide you with template documentation to help get you GDPR-compliant at an affordable price.
Get £15 off their GDPR documentation by entering the following discount code at checkout: selectabase

You can see their GDPR documentation compliance package here:
https://gdprprivacypolicy.org/compliance-pack/

If you just need template documentation for your website (terms of use, privacy policy and cookies policy), see: https://gdprprivacypolicy.org/buy/

