It is important to note that while we have checked our sources and are confident in our interpretation, this article does not constitute legal advice.
We’re increasingly being asked, “Will I still be able to send SMS to customers after the GDPR legislation comes into effect?” And, “Do I need to get my customers to explicitly opt-in to receiving text messages from me?”
The short answer is, yes, you can continue to text your customers, and no, you don’t necessarily need to re-request their permission to do so, but it’s essential that you familiarise yourself with the basics of the GDPR to ensure that you are compliant.
We’ve compiled a helpful guide to GDPR that may answer further questions and concerns you have regarding customer communications and staying compliant.
The basics of GDPR
The General Data Protection Regulation, or GDPR, came into effect on 25th May 2018 and replaced the previous legislation for data protection in every EU country – including the UK.
We’re concerned here with a specific requirement of GDPR: you must have a lawful basis in order to process personal data.
What is meant by ‘processing personal data’?
“Processing… means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data… it is difficult to think of anything an organisation might do with data that will not be processing.” (Source: ICO)
Your customer database and any SMS (or emails) that you send to the individuals within the database would be considered ‘processing’.
What is a lawful basis?
It is effectively the justification you have for processing data. There are six available lawful bases for processing, none of which is ‘better’ or more important than the others.
The one getting all of the airtime is gaining consent, but – and this is a key takeaway – where your existing customers are concerned, it’s probably not the most appropriate.
Do you have to gain consent to communicate with your customers after GDPR?
Not necessarily. The two lawful bases for communication which we think most private companies’ data processing activity will fall under are consent and legitimate interests.
Legitimate interests is the most flexible lawful basis for processing, covering you for using people’s data in “ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.” (Source: ICO)
Every act of processing – for example, sending an email newsletter to an existing customer – needs to stack up against three questions:
1. Do you have a legitimate interest for sending this message? This can include your own need to cross-sell other products / services or promote wider use of an already purchased item, for example
2. Do you need to send the message in order to achieve those interests? If you could reasonably achieve the same result through other, less intrusive means (such as unprompted visits to your website), legitimate interests do not apply
3. Have you balanced the act of sending the message against the individual’s interests, rights and freedoms? This comes back to the early statement about reasonable expectations on their part.
These three steps make up the Legitimate Interests Assessment (LIA), which you should complete ahead of the GDPR coming into effect. There is a detailed explanation and a template for completing the LIA from the Data Protection Network here.
What do you need to know about the ePrivacy Regulation?
Just as GDPR replaced the DPA, the intention was to replace the current Privacy and Electronic Communications Regulations (PECR) with a new ePrivacy Regulation at the same time.
Both the PECR and ePrivacy Regulation focus on rules around electronic communications – email, SMS, automated voice etc.
However, the implementation of the ePrivacy Regulation will not take place until at least 2021, and so for now, you should abide by the requirements of PECR.
An excellent post by the Data Protection Network provides a reminder of the existing requirements, but for the purposes of this article, the second key takeaway is that you can continue to use a soft opt-in to send email and texts.
A soft opt-in applies when you have obtained an individual’s details as part of the sales process, where you’re only marketing your own products / services, and you provide an opt-out in every marketing communication.
Unless you are in the public sector (for which another lawful basis applies), it is likely that your existing customer communications will be able to continue without interruption using legitimate interests, providing you have assessed and documented it as your lawful basis of processing.
You will, however, need to take a different approach to any prospect lists or lapsed customers – in these circumstances we would suggest that consent is the most appropriate lawful basis. Here’s our guide to gaining consent.