The General Data Protection Regulation (GDPR) comes into force in May this year, replacing the existing Data Protection Act 1998. It governs the use of personal data and will affect out of home food businesses in a number of ways, including in relation to their marketing campaigns. While it’s unlikely to be relevant to indirect marketing (such as television spots, flyers and print ads), direct marketing (such as sending special offers by e-mail, text or post) will inevitably use personal data, and so will come within the scope of the new rules (which are generally a lot tougher than before).
If your marketing breaches the new rules, the maximum penalties under GDPR will be significantly higher (rising from £500,000 to €20m (approximately £17.5m) or 4% of worldwide turnover), so it’s worth making absolutely sure your campaign is compliant. While the GDPR is European Union law, the UK government has already produced a draft domestic version, so businesses shouldn’t dismiss GDPR on the basis of Brexit.
Current law already requires businesses to have an individual’s consent before sending marketing e-mails or texts. The GDPR raises the bar for the standard of that consent, though, and you will need to ensure the consent complies with GDPR requirements, even for historic data. It will be harder to claim that a general consent will stretch to cover marketing from third parties, so you should check any bought-in lists are compliant.
If you’ve obtained the individual’s details in the course of selling them a product, then you can send them texts and e-mails for similar products (or services) without opt-in consent. However, you must have given them an opportunity to easily opt out of that marketing at the point when you collected their details, and in every message you send after that. This is known as the ‘soft opt-in’ and will continue under the GDPR.
Whichever route you take, you should ensure you have a record of the consent or soft opt-in to show you are entitled to market to the individual. Consent will not generally be required for electronic marketing sent to companies, but marketers must still respect any request by individual employees to not send electronic marketing to their personal corporate e-mail addresses.
Postal marketing is subject to a different standard. As with electronic marketing, any requests to be taken off a mailing list must be complied with, and you’re advised to clean any mailing lists against the Mailing Preference System. Although GDPR consent will not generally be required to send postal marketing to existing customers, any bought-in lists should still be scrutinised to ensure the appropriate level of consent has been obtained from individuals.
The bottom line
Any direct marketing campaign needs to be carefully considered to ensure you have the appropriate consent or other basis to send out marketing materials to your audience (remember, asking for permission to send marketing material is itself a marketing message). It’s also worth considering whether any of your online advertising is done on a targeted basis, as this is likely to involve the use of personal data.