GDPR Questions Answered: Do We Need Consent to Hold Information in a Database?

Now just a few weeks remain before the deadline for the General Data Protection Regulation (GDPR), so data protection advisor Jon Baines is here to answer your questions.

Today, Jon was asked:
Q: “If our database holds names, email addresses, telephone numbers, addresses and job roles of people involved in the classical music industry, of which most of the information is available on their websites, do we have to have specific consent to hold this information, which we use to contact them in terms of business and to occasionally send out a newsletter (twice a year) from which they can unsubscribe? There are a few thousand names involved so it would be good to know whether we need to contact them or not!”

A: “I wish my answer could be a simple one, but, regrettably, the law here is rather complex. However, I will try to explain.

“Unfortunately, what we don’t have here are details on how the business gathered this personal data, and whether the marketing they wish to send is by email (I’ve assumed it is). The author says the information gathered appears publicly on websites, so it might be inferred that the business has ‘scraped’ the details from those sites. If that’s the case, then there may be some problems.

“As a general rule people should be aware (or be made aware) that their personal data is being gathered and collated, even if it’s publicly accessible. Furthermore, sending marketing in electronic form to individual recipients (which I think most of the musicians here would be) requires explicit consent from the recipient (or, in some circumstances, and subject to various qualifications, a prior customer relationship). Sending email marketing, therefore, without consent, would almost certainly be a breach of the law.

“If, contrary to what I’ve inferred, the business got the musicians’ details direct from the musicians themselves, then the question as to whether they can send them email marketing is a bit different. If the business has their prior explicit consent to receive marketing emails, then they can continue to do so. Or if they got the musicians’ details during the sale (or negotiations for sale) of a product or service, they can send them marketing emails, provided that at all stages they have offered, and continue to offer, the option to opt out of receiving them.

“The irony here is that the law in question is not the GDPR but the Privacy and Electronic Communications (EC Directive) Regulations 2003, which often get overlooked. Over recent years the Information Commissioner has issued plenty of fines for breaches of this 2003 law.

“Generally, the firms getting those fines have sent very high volumes of unlawful electronic marketing, and the Commissioner has not tended to target SMEs. Nonetheless, even if the risk to a small business of big fines may be relatively low, they do need to be aware of the other risks, particularly of legal claims by individuals, and reputational harm.”
