The Legal Basis For Processing Data
Under GDPR, there are actually six legal bases for processing data. They are:
- Consent. If you ask an individual for the right to process their data, and they say yes, then you have that right.
- Contract. If it’s necessary to process data on an individual as per a contract you have with them, then you have the right to do so.
- Legal Obligation. If it’s necessary to process data on an individual in order to comply with the law, then you have the right to do so.
- Vital Interest. If processing data is necessary to protect a person’s life, then you have the right to do so.
- Public Task. If it’s in the public interest for you to process a person’s data, and you have a basis in law to do so, then you have that right.
- Legitimate Interest. If the processing is necessary for your legitimate interests, or the interests of a third party, then you have the right to do so, unless there’s a reason to protect that particular person’s data that outweighs those interests.
Now, you don’t have to tick all six of these boxes in order to have a legal right to process somebody’s data. In order to legally process somebody’s data, you need to tick just one of the six. If you buy a paid-for email list, you can’t say that you gained a data subject’s consent, even if they originally allowed for third party contact. That’s because according to GDPR and the ICO, explicit consent requires that the data subject know exactly who’s handling their data. In the case of paid-for email lists, they don’t.
But… you do have the right to contact individuals on that list under the legal basis of legitimate interest. Not to get too technical, but Regulation (EU) 2016/679 of The European Parliament and of The Council states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, so you’re covered.
Crucial: Is The Email Data GDPR Compliant?
So, you can still buy email lists, and you can still use them, but you have to make sure that the data in them is GDPR compliant. That’s all down to how your supplier actually acquires that data for you. Do you know for a fact that they ask for a customer’s consent before selling that data on? A great place to start is by doing a little bit of research for yourself before you purchase any data. In order to make sure that your data broker is compliant, check that…
- Their privacy policy is clear and easily accessible.
- They explain to each data subject what their data may be used for.
- They offer the chance for a data subject to withdraw their consent.
If they tick those boxes, then that’s a sign that they’re aware of GDPR and what it entails. If not, then it might be time you talked to them about how they get their data. Any data broker worth their salt will be happy to explain exactly how they ask for a data subject’s consent, and the legal basis they have to sell it to you. Ultimately, it’s in everybody’s interest: there’s no point in buying poor quality, non-compliant data, because the data subjects don’t want to hear from you!
What Do I Do Now With Email Data?
So, what next?
- First, make sure that your data broker is genuinely GDPR compliant. Do a little bit of your own research into their policies, and if you’re unsure whether they’re compliant or not, contact them to talk with them about it.
- Next, something that you can do on your end: test the data that you’re getting from your supplier. Is it reliable? Do you have low conversion rates? If so, then this is a sign that you’re being sold low quality and maybe even non-compliant data.
- If you’re not happy with your data broker, shop around. There are still plenty of them around (which, in its own way, is proof enough that GDPR doesn’t mean that you can’t use paid-for email lists!). Do some research into the average industry figures that you should expect from paid-for data, and try to find a broker that can hit that target for you.
Last, but definitely most important, is to make sure that your own house is in order. Is your business GDPR compliant? Can you comply with subject access requests (i.e. can you tell a customer what data you have on them, and where you got it from)? Do you delete data if a data subject asks you to? Do you delete any data you don’t need for the function of your business? If not, it’s about time you did!