GDPR & Marketing Data

What is the GDPR?

The General Data Protection Regulation (GDPR), and the main provisions of the UK’s new Data Protection Act 2018, came into effect on 25th May 2018. The GDPR requires that all businesses ensure the ways they collect, manage and use any personal data are compliant with new, higher, standards of data protection. The purpose of GDPR is to protect the privacy rights and interests of individuals and it ensures that any business that trades within the EU, processes personal data in a way that respects these rights, with strict penalties for those who breach legislation or their own data processes.

We are GDPR ready!

We can assure you that Selectabase will only supply marketing data lists that are compliant under the EU’s GDPR processing rules. You can trust us to only provide you with the highest quality marketing data, in accordance with the latest GDPR guidance.

Marketing is a significant and important economic activity. Organisations are entitled to market their goods and services, and they have a legitimate interest in seeking to address marketing to the most relevant audiences.

For your convenience our data portal Prospect Download hosts both Experian’s marketable B2C ConsumerView Database, and B2B National Business Database.

Experian’s data partners obtain personal and commercial data compliantly and where appropriate notice has been given for them to pass the information to Experian for use in their products and services. To learn more about Experian, click here.

4 Simple Steps to Marketing Ready Data

  1. All B2B and B2C data are sourced compliantly.
  2. Selectabase processes the data under a legitimate interest of a marketing company.
  3. Selectabase provides marketing data that can be utilised under legitimate interests.
  4. Customers process purchased data in accordance with GDPR.

Selectabase only provides data that can be processed for direct marketing purposes using legitimate interests as the legal basis. This means that business to consumer data (i.e. to individuals) is limited to postal data only and screened against the Mailing Preference Service (MPS). Whereas business to business data for sole traders and true partnerships includes postal and telephone data, and B2B data for corporate entities includes email postal, and telephone data, screened against the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS).

Where applicable we also offer a full end to end solution which does not release the marketing data to our clients. This includes the selection of the data audience, support with the marketing material and fulfilment of the print and post.

By purchasing Selectabase’s marketing data, am I automatically GDPR compliant?

Not automatically, no. You should always remember that the provision of marketing data from Selectabase does not absolve our clients of their own compliance obligations under GDPR, in particular in respect of their own compliance obligations in using purchased marketing lists. To be compliant under the GDPR, purchasers of marketing data (postal address, telephone and email) must also follow specific guidelines from the ICO and PECR (for marketing using electronic means). This includes, but is not limited to, things such as clear and accessible unsubscribe options on all communications and ensuring proper segmentation when delivering communications (e.g. to ensure the data subject would have a legitimate interest in the topic or content of any communication received). You should also ensure that you meet any other relevant legal requirements when sending marketing communications, such as complying with the disclosure requirements of the Electronic Commerce (EC Directive) Regulations 2002. For more information please visit https://ico.org.uk/

See our full list of GDPR Marketing Data FAQ’s below.

Speak to one of our data experts today on 01304 383838 and see how you can benefit from using Selectabase’s GDPR ready data.

All orders are subject to our standard due diligence checks prior to acceptance.

Individuals (and businesses) which may be included within the marketing lists we source from our suppliers can unsubscribe easily via our Data Opt-Out Request page.

Browse our Services or Contact Us for assistance.


GDPR Marketing Data FAQs

Am I allowed to use your data lists for direct marketing purposes under the new GDPR rules?

Yes, provided you comply with your obligations under our terms and conditions, the GDPR and the PECR when you use our data lists. For example, our data lists are sold for direct marketing purposes using legitimate interests as the legal basis for processing.

For further information on using legitimate interests, please see the ICO’s guidance which is available here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

Marketing is a significant and important economic activity. Organisations are entitled to market their goods and services, and they have a legitimate interest in seeking to address marketing to the most relevant audiences.

Are all of your services compliant with the GDPR?

Yes, all of our services are compliant with the GDPR and we have taken the necessary steps to ensure this is the case (including, for example, carrying out a legitimate interests assessment to determine that we can process personal data for direct marketing purposes and use in connection with our services).

Are all of your services compliant with the PECR which sits alongside the GDPR?

Yes, all of our services comply with the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR):

Postal mail: not subject to PECR.
Email marketing: we only use B2B data (i.e. corporate data) not B2C data (consumers and sole traders) which does not require consent to market to under PECR.
Live telephone marketing: all phone numbers are screened against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS), as appropriate.

We do not provide any services where consent is required as the legal basis for processing under GDPR or PECR.

What legal ground are you using to process personal data and explain your justification?

We rely on legitimate interests under Article 6(1)(f) of the GDPR to process personal data in connection with our services. We have chosen legitimate interests as our legal basis for processing as we believe that it is the most appropriate for our activities based on the GDPR and recent guidance from the Information Commissioner’s Office (ICO) and the Direct Marketing Association (DMA).

We have considered different legal bases, including consent, and determined that legitimate interests is the most appropriate for the processing of personal data in connection with our services. Amongst other considerations, we believe that where there are a large number of organisations which may process personal data for direct marketing purposes, naming those organisations individually is impractical and less useful to individuals than identifying categories of organisations. We therefore consider legitimate interests to be a fairer and more appropriate legal basis for processing than consent, whilst offering individuals a similar degree of control over their personal data.

We have conducted and documented a full legitimate interests assessment (LIA). Listed below are some of the key factors that are included and played a role in us determining that we can process personal data for use in our direct marketing services:

  • Transparency. Transparency with data subjects is critical when using legitimate interests. We ensure that from the point when the data is collected right through to use of that personal data by our customers that individuals are clear about the purpose for which their data will be used, who will use it and that they have the chance to object to that processing when the personal data is originally collected and subsequently.
  • ICO and DMA guidance followed. We ensure that we follow ICO and DMA guidance on the use of legitimate interests for direct marketing purposes, including the requirement that we only use personal data for direct marketing purposes where consent under the Privacy and Electronic Communications Regulations 2003 (PECR) is not required.
  • Additional safeguards. We have put in a broad range of safeguards to ensure that any risk or potential harm to data subjects is mitigated, including security, due diligence and contractual measures to ensure that personal data is not misused.

Consumer data for postal marketing.
Has consent been obtained from the individuals to process their personal data for direct marketing?

Experian’s data partners obtain personal and commercial data compliantly and, where appropriate, notice has been given for them to pass the information to Experian for use in their products and services. Selectabase utilise Experian data services. More details about Experian’s consumer information can be found here.

Selectabase process the data under a legitimate interest of a marketing company. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

This postal marketing data can be utilised by our clients under legitimate interests.

For your convenience postal marketing B2C data can be ordered and downloaded from Prospect Download.

Business data for postal and telephone marketing use, specifically to the sole traders and some partnerships (classed as individuals), or named contact at the companies contained within the database.
Has consent been obtained from these individuals to process their personal data?

Experian’s data partners obtain personal and commercial data compliantly and, where appropriate, notice has been given for them to pass the information to Experian for use in their products and services. Selectabase utilise Experian data services. More details about Experian’s business information can be found here.

Selectabase process the data under a legitimate interest of a marketing company. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

This postal and telephone marketing data can be utilised by our clients under legitimate interests.

For your convenience postal and telephone marketing B2B data can be ordered and downloaded from Prospect Download.

Business data for postal, telephone or email marketing (to generic and personal email addresses e.g. info@companyname or john.smith@companyname) use to incorporated companies within the database.
What are the rules for direct marketing to this audience under GDPR?

GDPR governs the processing of personal data while the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) govern direct marketing by electronic means.

For postal marketing to corporate entities, where only the name of the company is included (i.e. and not the name of an individual), this will generally not constitute personal data (unless, for example, an individual’s name forms part of the company name) and therefore the GDPR will not apply. PECR will also not apply as it is not marketing by electronic means. Where an individual’s name is included, this will constitute personal data under GDPR and you will require a legal basis for processing that data under GDPR. Where you purchase postal marketing data from Selectabase, your legal basis for processing will be legitimate interests.

For telephone marketing to corporate entities, phone numbers must be screened against CTPS. Corporate phone numbers are unlikely to constitute personal data under GDPR but may do so (for example, if a mobile phone number is used as a corporate phone number), and you therefore require a legal basis for processing that data under GDPR. Where you purchase telephone marketing data from Selectabase, your legal basis for processing will be legitimate interests.

For email marketing to corporate entities, generic email addresses (such as info@companyname.com, admin@companyname.com) will generally not constitute personal data unless you can identify an individual from that data (for example, if you know that the company only has one individual working for it e.g. one director/employee). Such email addresses will therefore (generally) fall outside the scope of both GDPR and PECR.

For personal corporate email addresses (such as joe.bloggs@companyname.com), these will constitute personal data under GDPR but do not require consent to market to under PECR (i.e. legitimate interests can be used). Where you purchase corporate email data from Selectabase, your legal basis for processing will be legitimate interests. You must also ensure that you include an unsubscribe or opt-out where you send an email to a personal corporate email address. As a matter of best practice and to avoid any risk of a generic corporate email address (e.g. an info@company.com) address being considered personal data, you should include an unsubscribe or opt-out on all marketing emails you send (including to corporates).

You can find out more about the requirements for these forms of marketing from the ICO’s direct marketing guidance and checklist which are available via the following links:

• Direct marketing guidance: https://ico.org.uk/media/1555/direct-marketing-guidance.pdf
• Direct marketing checklist: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf

Please note that in addition to GDPR and PECR, there are other laws and regulations which apply to marketing communications, including those sent by email (such as the Electronic Commerce (EC Directive) Regulations 2002).

For your convenience B2B email marketing data can be ordered and downloaded from Prospect Download.

Where consent has been obtained, did they opt-in or opt-out to the processing of their personal data by third parties for direct marketing, and at the collection points did it list organisations by name, by description, or was the consent for disclosure to any third party?

Where consent was obtained prior to 25th May 2018, individuals will have either opted in or had the chance to opt-out to the processing of their personal data for direct marketing purposes. Third parties will have been identified by category/description.

From 25th May onwards (at the latest), all personal data previously processed on the basis of consent will be processed on the basis of legitimate interests.

Will lists purchased before 25th May 2018 be GDPR compliant or will we have to buy new lists?

The answer will depend on the data you have purchased and what type of direct marketing you are carrying out.

For example, if you are conducting email marketing to B2C recipients (consumers, sole traders and unincorporated partnerships, for example) you will be unable to use those lists after 25 May as the data will not meet the GDPR requirements for consent (in particular that any third parties relying on consent, such as your organisation, are specifically named).

For other data, for example postal mail or telephone data, you may need to change the legal basis for processing to legitimate interests and satisfy the relevant requirements for doing so (including, for example, informing individuals that you have changed the legal basis on which you are processing their personal data).

We would therefore suggest that the safest and easiest option is to purchase a new list.

Useful links

Guide to the GDPR
ICO
PECR
The DMA Code
FCA Guidance

Browse our Services or Contact Us for assistance


GDPR Documentation Help

We have partnered with Herbert & Ball LLP, a leading data protection consultancy, to provide you with template documentation to help get you GDPR-compliant at an affordable price.
Get £15 off their GDPR documentation by entering the following discount code at checkout: selectabase

You can see their GDPR documentation compliance package here:
https://gdprprivacypolicy.org/compliance-pack/

If you just need template documentation for your website (terms of use, privacy policy and cookies policy), click here: https://gdprprivacypolicy.org/buy/


Browse our Services or Contact Us for assistance.