Tag Archives: marketing

The GDPR and Profiling

Profiling is a very useful tool which marketers have been using for decades to understand their customers better and to target them appropriately.  However, the GDPR does make some changes to how profiling is considered which should be considered carefully before profiling is undertaken.  For the first time, profiling has been included with automated processing decision-making and the same rights apply to the individuals whose information is being profiled. So how does this affect businesses?

Profiling 2018Profiling Benefits

There are obvious benefits both to businesses and consumers in relation to profiling, which is used in a broad number of sectors from healthcare to insurance, retail to publishing, leisure to recruitment.

It is also an extremely useful tool for marketers, providing benefits of increased efficiency, savings in resource, and the financial and reputational benefits of understanding customers and establishing more personal, relevant communications with them.  The customer or individual benefits in turn from receiving fewer communications, and far more relevant messages.

What is profiling?

The GDPR defines profiling as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”

Profiling can be as simple as segmenting your own customers into groups based on gender, purchase history, and other data that the customer has provided to you during your relationship.  It becomes more complex when additional data is added to the mix, for example, adding to the information your customer has provided you, by applying data from external sources such as social media, or providers of geo-demographic or lifestyle data.

Profiling and the GDPR

As with all processing under the GDPR, those who profile individuals have responsibilities to those individuals.  Profiles must be accurate, relevant, and non-discriminatory.  All 6 GDPR Principles become critical as profiles are evolutionary, and over time, individuals’ profiles will change. So accuracy and retention are critical.  Privacy by design is key.  As is the requirement that individuals must be made aware of such profiling and of their right not to be subject to such decisions.

It’s worth noting that automated decisions can be made with or without profiling.  And the reverse is also true – profiling can take place without making automated decisions.  It’s all a matter of how the data is used.  Where manual decisions are made, Article 22 does not apply.

Consent or Legitimate Interests?

The legal basis under which profiling takes place is a matter for careful consideration.  There has been debate over whether profiling requires the consent of the individual who is being profiled, or whether legitimate interest may apply.

There will be instances where the impact of the profiling will have a legal or significant effect – for example, in financial services (mortgage yes or no), or when marketing to vulnerable customers – for example, gambling products to those in financial difficulty.  Where profiling is considered to have a legal or significant effect, an organisation will need to rely on the legal basis of Consent before profiling and making decisions on the basis of such profiling.

However, in many cases, marketing will not have such an impact, and in those cases, consent will not be required.  Instead it may be possible to rely on Legitimate Interests.  BUT before such a decision is made, a Legitimate Interest Assessment will need to be conducted.  This will need to consider the necessity of the profiling, the balance of benefits to the individuals versus the business, and the measures taken to protect the personal data and profiles involved.

The Legitimate Interest Assessment will not only help you determine whether it is appropriate to conduct the profiling on this basis, it will also provide evidence that the individuals’ rights have been considered, contributing to the business’s need to meet the GDPR’s new principle of Accountability.


Victoria Tuffill  7th March 2018

GDPR Re-Permissioning needs careful planning

Morrisons becomes the latest high-profile company fined for breaking Privacy and Electronic Communications Regulations (PECR)

The ICO, the independent authority responsible for investigating breaches of data protection law, has fined the fourth largest supermarket chain in the UK £10,500 for sending 130,671 of their customers’ unsolicited marketing emails.

These customers had explicitly opted-out of receiving marketing emails related to their Morrisons ‘More’ loyalty card when they signed up to the scheme. In October and November 2016, Morrisons used the email addresses associated with these loyalty cards to promote various deals. This is in contravention of laws defining the misuse of personal information, which stipulate that individuals must give consent to receive personal ‘direct’ marketing via email.

‘Service emails’ versus ‘Marketing emails’

While the emails’ subject heading was ‘Your Account Details,’ the customers were told that by changing the marketing preferences on their loyalty card account, they could receive money off coupons, extra More Points and the company’s latest news.

The subject heading might suggest to the recipient that they are ‘service emails,’ which are defined under the Data Protection Act 1998 (DPA) as any email an organisation has a legal obligation to send, or an email without which an individual would be disadvantaged (for instance, a reminder for a booked train departure). But there is a fine line between a service email and a marketing email: if an email contains any brand promotion or advertising content whatsoever, it is deemed the latter under the DPA. Emails that ask for clarification on marketing preferences are still marketing emails and a misuse of personal contact data.

Morrisons explained to the ICO that the recipients of these emails had opted-in to marketing related to online groceries, but opted-out of marketing related to their loyalty cards, so emails had been sent for the ostensible purpose of qualifying marketing preferences which also included promotional content. Morrisons could not provide evidence that these customers had consented to receiving this type of email, however, and they were duly fined – although in cases such as this it is often the losses from reputational damage that businesses fear more.

Fines and reputational damage

This comes just three months after the ICO confirmed fines – for almost identical breaches of PECR – of £13,000 and £70,000 for Honda and Exeter-based airline Flybe respectively. Whereas Honda could not prove that 289,790 customers had given consent to direct e-marketing, Flybe disregarded 3.3 million addressees’ explicit wishes to not receive marketing emails.

Even a fine of £70,000 – which can currently be subject to a 20% early payment discount – for sending out emails to existing customers with some roundabout content in them for the sake of promotion, will seem charitable when the General Data Protection Regulation (GDPR) updates the PECR and DPA in 2018. Under the new regulations, misuse of data including illegal marketing risks a fine of up to €20 million or 4% of annual global turnover.

The ICO has acknowledged Honda’s belief that their emails were a means of helping their firm remain compliant with data protection law, and that the authority “recognises that companies will be reviewing how they obtain customer consent for marketing to comply with stronger data protection legislation coming into force in May 2018.”

These three cases are forewarnings of the imminent rise in stakes for not marketing in compliance with data protection law. The GDPR, an EU regulation that will demand British businesses’ compliance irrespective of Brexit, not only massively increases the monetary penalty for non-compliance, but also demands greater accountability to individuals with regard to the use and storage of their personal data.

The regulators recent actions show that companies will not be able cut legal corners under the assumption of ambiguity between general service and implicit promotional emails. And with the GDPR coming into force next year, adherence to data protection regulations is something marketing departments will need to find the time and resources to prepare for.

Harry Smithson, 22/06/17

Data Protection Compliance – who cares?


More than half the UK population cares enough to bother to start using tick boxes and opt-outs.  And then, of course, there is the Information Commissioner’s Office … they certainly care.  There’s been a general uproar over Google’s methods of data collection … over the NHS hard drives containing sensitive patient information being sold on an internet auction site … over PPI telemarketing calls … and so on … we’re all starting to care more and more over who has, who uses, who owns, who controls and who processes our data – and for what purpose.

What is the Data Protection Act anyway?

That’s why we have The Data Protection Act 1998.  It establishes a framework designed to keep yours and my personal data safe.  And it requires anybody who is a “data controller” – regardless of the size of the business – to register with the Information Commissioner’s Office if they are processing personal information.  There are  a very few exemptions.  To date, over 370,000 organisations are registered.

The Data Protection Act has been designed to balance organisations’ need to collect and use personal data for business and for other purposes versus the rights of individuals to privacy of their personal details.  This balancing act is complex and can be hard to understand.

In addition, the evolving complexities of the internet and e-commerce needed further data protection consideration, so the Privacy and Electronic (EC Directive) Regulations were introduced in 2003. And on top of all that, the EU Directive is still under discussion – this will require further data protection steps to be put into place.

Do I have to comply?

The answer is YES.  Regardless of the size of your business, if you are a data controller and processing personal data, it is a legal requirement to be data compliant.  Part of that process is to notify the ICO that you are a controller and the purpose for which you are collecting and using data.  And it is worth noting that all personal data is covered, including business contacts – business to business contacts are not exempt.

The consequences of non-compliance

handcuffs and money computerIt is progressively unlikely that companies can “get away with” non-compliance.  UK individuals are increasingly aware of their rights in relation to data protection, and are ready to complain to the Information Commissioner’s Office (ICO) if they believe (or just suspect) that a business is not using their personal data compliantly, The ICO can impose fines of up to £ 500,000 against those who are in serious, reckless or deliberate breach of the Data Protection Act.

  • Fines and imprisonment – many breaches are criminal offences, and it’s worth noting that Directors may be personally liable for companies in breach and can be prosecuted and imprisoned.  Having the Information Commissioner turn up on your doorstep with a court order and inspection warrant is highly damaging in terms of reputation, time and resource requirements, and fines.  For example, Tetrus Telecomms was fined £300,000 for serious compliance breaches, and a number of county and borough councils have also been fined for a range of breaches including leaving personal data on a train; losing a laptop containing sensitive personal data and so on.  At the time of writing, the Information Commissioner’s Office has issued 36 fines, totalling £4,236,000 – an average of £117,667 per fine.
  • Publicity – any investigations as a result of complaint are likely to result in very high administration costs, and the Information Commissioner will publicise successful prosecutions or upheld complaints.  In this case, all publicity is absolutely not good publicity.
  • Subject access requests – non-compliance can result both in fine and compensation claims
  • Staff – can be held individually responsible for breaches, and if their employer hasn’t given them the necessary training to comply, they may sue their employer
  • Lost revenue – if the marketing permissions have not been correctly provided when collecting data, then that data may not be used.  In addition, if it is deemed that the data has been collected unfairly, it is quite feasible that the company will be required to eliminate all customer and prospect records from databases.  In either event this can be costly – both in terms of original collection costs and lost revenue

To avoid these issues, the first step towards compliance is to understand the eight clearly defined common-sense principles within the legislation.

The Eight Principles of Data Compliance

The Information Commissioner’s Office summarises the principles of data compliance very clearly:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless(a) at least one of the conditions in Schedule 2 is met, and(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For point 1 above, Schedule 2 examples include:

  • The individual whose personal data is being processed has consented to the processing
  • The processing is necessary in relation to a contract into which the individual has entered or is about to enter
  • The processing is necessary to protect the individual’s “vital interests” – such as medical history for emergency treatment
  • The processing is necessary for administering justice or for exercising statutory, governmental or other public functions)

The term, “sensitive personal data” (in 1(b) above) includes such data as ethnicity, political or religious beliefs, physical or mental health and so on.

How do I comply?

There are a number of considerations in relation to data compliance, including, among the main areas:

  • Notification – the ICO must be notified and accurately advised of the purposes of the personal data you are processing
  • Principles – follow the data protection principles when handling personal information
  • Fairness – the subjects of the data you process must be aware of what you are doing with their personal data
  • Security – this is a vital area, and covers computers, systems and staff.  In summary, it is  vital to

keep personal data secure whether in storage, in use, or legitimately being shared

make sure that data access is restricted only to those who need access to it

be certain than any records or equipment which are destroyed or disposed of do not hold personal information which can subsequently be accessed

    • Policies – data governance is an essential part of data compliance.  Policies and procedures for handling personal data need to be both clear, practical, monitored and enforced.
    • Subject access requests – individuals are perfectly entitled to request a copy of the personal information your organisation holds about them.  You must provide the information requested within 40 days, and may charge a fee of up to £10.  Schools and health authorities operate on a sliding scale up to a maximum of £50.  It is helpful to log and monitor such subject access requests
    • Data processors – when using data processors to process data on your behalf, ensure they are doing so securely and compliantly
    • Training – it is essential that employees and those with access to personal information are fully trained in data compliance.  Employee negligence is a significant factor in terms of data and IT security breaches.  Effective training mitigates the risk of unwitting breaches.
    • Transfer abroad – though sending data to an organisation in the EEA involves the same security and compliance principles as in the UK.  Exporting data to the US requires Safe Harbor or contract to ensure adequate protection for the data subjects.

Keeping your Marketing Compliant

Between them the Data Protection Act 1998 and the Privacy and Electronic (EC Directive) Regulations 2003 are the backbone of compliant marketing use of customer and prospect data – both business-to-business and business-to-consumer, both physical and electronic.

It is increasingly important both to be compliant and to be seen to be compliant in terms of collection and use of personal data, whatever the size of your business.  But it can be a tricky area to navigate.

In our marketing and data consultancy, Tuffill Verner Associates, we have helped businesses navigate data permissions and compliance across B2C and B2B.  With over 30 years experience each, Victoria Tuffill and Michelle Evans are well placed to help marketers stay compliant while still achieving their marketing goals.  We provide clear, tailored practical and creative advice to marketers to solve the difficulties of achieving results while staying within the confines of legal compliance.

If you’d like to chat about your data compliance or governance needs, please call Victoria or Michelle on 01787 277742.

Data … big data? Or back to the Dark Ages

Back in the 80s, there was this thing called “junk mail”.  And it was so called because it involved blanket mailing a mass market with little or no targeting. In other words, the message was irrelevant to a huge proportion of the recipients, so just got thrown in the bin.

Then we discovered targeting, analysis, insight and profiling.  And the direct mail messages become more appropriate, relevant, cost effective, and considerably less irritating to the consumer.  A classic case of less was more.

I remember the day that “personalised laser text” became available, and we were able to send out mailings with personally addressed letters which referenced the prospect’s other interests.  Letters that said (something along the lines of)

Dear Mrs Bloggs,

Because of your interest in the world’s wild places, we wanted to introduce you to our our brand new books which demonstrate the extraordinary and dramatic nature of our own planet earth … from volcanoes to earthquakes …. 

The letter, including that simple piece of “personal” text, was enclosed into a small envelope with a miniscule brochure and mailed out.  It achieved over three times the response of the standard pre-printed control direct mail letter which was mailed in large envelope with enormous, heavy, expensive brochure

But now the European Union is proposing to take us back to the Dark Ages and the days of blanket mailings.  Their new proposed legislation is currently in progress, and will impact every level of prospect marketing.

It’s quite clear that the increasing use of new technology makes revisions to current data law essential, particularly given consumer concern over privacy which has not helped by our own government’s appallingly cavalier behaviour and carelessness with our personal data.  (Some of the breaches committed by government departments would have, if committed by the data industry, have caused severe punitive measures.  Somehow when it’s the government which gets it wrong, the whole thing just quietly gets swept under the carpet. Rant over…)

However, in addition to technological and social media impact, the traditional media channels will suffer significant difficulties.

A brief summary of the key areas is listed below:

  1. Explicit consent to be granted by the recipient prior to any direct marketing – either by word or by action.  In practice this means that where consent is required, organisations must ask for permission to process data.  Without such explicit permission, marketing prospects will not be allowed to receive mailings or cold telemarketing calls.  Current legislation allows such mailings and / or calls to be made unless the prospect has actively opted out.
  2. The customer has the “right to be forgotten” – ie they can insist that their details are emoved from a database in their entirety.  This is entirely impractical.  Once deleted, when or if that customer appears again on the database (if, for example, rented from a third party list, or in the event that the customer makes another purchase), the customer’s request for deletion will have vanished.  So in practice, the “right to be forgotten” should trigger the inclusion of that customer into a ”suppression” or “do not mail” file so that there is no inappropriate future contact.
  3. Profiling or segmentation may not take place without consent.  This will have serious impact on those data businesses which hold shared transactional data from multiple companies, or geo-demographic data, or indeed simply work with marketing profiling models.
  4. List broking is likely to require significant changes to comply with new legislation.
  5. The definition of personal data has been extended to include, potentially, IP addresses and some cookies.  Quite apart from the fact that an IP address or cookie may be used by a number of individuals, this will make it much more difficult for businesses to analyse and profile web activity.  The impact on digital marketing will be significant and, arguably (given that there will be no ability to provide relevant, targeted marketing) counter-productive.
  6. Cost:  DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales.  These costs come, in part, from:
  • Companies with 250 or more employees will need to appoint a data protection officer
  • Under current legislation, subject access requests can be charged at £10 each.  Under the proposed new legislation, this charge is to be eliminated. This is likely to result in increased numbers of requests.  In addition to the lost revenue from existing volumes of which is likely to increase the number of requests, frivolous and serious.
  • Every organisation that suffers a data security breach would have to notify Information commissioner within 24 hours
  • Right to compensation from the controller or the processor in the event of processing activity causing damage to a person
  • Increased fines / sanctions to be imposed

On the face of it, the picture looks pretty bleak.  But there’s no need to despair just yet – there is time to provide our views on required adjustment, amendment and refinement  before these proposals are ratified and become law in the UK.

But for that to happen, businesses need to act now.  There is a fantastically detailed amount of excellent information to be found at the DMA (UK) Ltd.     So have a look and check to see how the current proposals are likely to affect your business and your marketing.

Then we need to write to our MEPs – and the DMA has made this easy by providing this link which has all the vital information, including who your MEPs are.   We need to ask them to fight for the fair interests of business.

We’re all for sharing knowledge and information and enjoy a healthy debate, so if you have any questions, views, tips or knowledge, please  just “reply” below. Victoria Tuffill – victoria@tuffillverner.co.uk   01787 277742 or  07967 148398.   Feel free to visit our website.  And yes, we’re on Linked In, and Twitter