Since the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) came into effect in 2018, marketing strategies have undergone a significant transformation, with a definite shift toward inbound methodologies. Attracting engagement from customers, rather than pursuing prospects directly, has become the modern standard. Outdated tactics such as buying prospect lists, cold calling and sending unsolicited emails have been replaced by a focus on creating valuable, engaging content and tailored experiences.
Lead generation (the marketing process of attracting potential customers and generating interest in a business’s products or services) is essential to the growth of a commercial business. However, it’s vitally important to ensure marketing processes comply with data protection laws, especially when processing the personal data (information relating to an identified or identifiable natural person) of EU and UK residents.
Here, we explore what you need to know about GDPR compliance and other relevant data protection legislation. Whether you’re using a third-party lead generation company or undertaking in-house activities, we cover the key areas you need to consider to ensure your marketing activities comply with these regulations.
For the purposes of our discussion, we consider the EU GDPR (Regulation (EU) 2016/679) and the UK GDPR (the GDPR as transposed into UK law through the Data Protection Act 2018, which became the UK GDPR on 1 January 2021 when the UK formally exited the EU) under the same umbrella, focussing on the aspects common to businesses operating in either or both of the EU and the UK.
There are specific differences and nuances in the two pieces of legislation that are not covered here and may be applicable to your organisation. For further advice, please speak to your data protection officer.
The General Data Protection Regulation (GDPR) provides the legal framework for the collection, processing, and storage of personal data of EU residents (with the UK GDPR applying to UK residents).
An important aspect of the GDPR is the necessity for businesses and organisations to establish an appropriate lawful basis for processing personal data. This means that before collecting any personal data, you must first identify and document the lawful basis for doing so.
There are six lawful bases under the GDPR:
Consent – where an individual has given an unambiguous, informed and freely given indication that they agree to their personal data being processed
Legitimate Interests – where the processing of an individual’s personal data is necessary for the legitimate interests of a business or organisation, unless there is a good reason to protect the individual’s personal data which then overrides those legitimate interests
Contract – where the processing is necessary for the performance of a contract a business or organisation has with an individual
Legal Obligation – where the processing is necessary for a business or organisation to comply with the law
Vital Interests – where the processing is necessary to protect someone’s life
Public Task – where the processing is necessary for the performance of a task in the public interest or for official functions, and the task or function has a clear basis in the law
After determining a lawful basis, you must document it and ensure the information is clearly stated in your privacy policy and privacy notice (a clear, open and honest explanation of how your organisation processes personal data).
It is important to choose the most appropriate lawful basis, as it is difficult to change later without good reason. The lawful bases commonly used for processing personal data for marketing and lead generation purposes are consent and legitimate interests. For certain types of marketing activities, consent is the only appropriate lawful basis to use. A data protection officer (DPO) can provide guidance on the most suitable lawful basis for your personal data processing.
In addition to the GDPR, businesses undertaking digital marketing and lead generation activities must also comply with regulations governing electronic communications, cookies (data which tracks a visitor’s movement on a website and remembers their behaviour and preferences) and tracking technologies.
The EU’s ePrivacy Directive, often referred to as the ‘cookie law’, covers key areas related to electronic communications and privacy, including consent for cookies and marketing communications.
At the time of writing, the European Council is in the final stages of negotiating the ePrivacy Regulation, a proposed replacement for the ePrivacy Directive. This new regulation aims to expand the scope of the Directive to include technologies such as instant messaging apps, Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communications such as the Internet of Things (everyday devices connected to the internet and to each other to collect, receive and send data about their use).
Regarding website cookies, the proposed ePrivacy Regulation seeks to eliminate ambiguity and lack of transparency in their use. Essentially, the aim is to bring about change in how businesses handle cookies and other tracking technologies, with a focus on user consent and transparency.
The UK’s Privacy and Electronic Communications Regulations (PECR) set out the rules and requirements for electronic communications and privacy within the UK. The legislation is the UK’s implementation of the EU’s ePrivacy Directive (Directive 2002/58/EC), providing rules on marketing, cookies, communication services security and customer privacy (in relation to traffic/location data, billing, line identification and caller directories), and it sits alongside the UK GDPR.
The ePrivacy Directive and PECR have specific standards that apply when processing the personal data of individuals in the EU and UK through electronic communications and other marketing tactics.
You must:
Consent is a fundamental aspect of data protection law. The GDPR defines consent as:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. – Article 4(11)
In certain situations, or for specific processing activities, consent is the only lawful basis that can be used.
Consent is also mandated by the ePrivacy Directive and PECR where cookies, tracking pixels, web beacons and other similar technologies are used to collect personal data for online advertising and targeting.
Consider this example: How CompanyX reaches potential customers
CompanyX wants to connect with website visitors who have not yet made a purchase. A tracking pixel (a hidden 1px by 1px image, embedded into a web page or email message by a line of code) from a social media provider is integrated onto their website. The pixel tracks users after they have left the site, allowing CompanyX to display targeted ads for their products when that user visits other websites.
This strategy falls under ePrivacy and PECR and requires consent. Both ePrivacy and PECR use the definition of consent found within the GDPR (above).
Under the GDPR, organisations must obtain explicit consent from customers before collecting their personal data. Lead generation tactics such as pre-ticked boxes, implied consent, or bundling consent in with other actions are no longer allowed.
Here is a breakdown of the factors required for obtaining consent under the GDPR:
Freely given: Consent must be given voluntarily, without coercion or manipulation. It should be a genuine choice for the individual, not forced.
Specific: Consent must be tied to the exact purpose. Individuals should be informed what their personal data will be used for, and their agreement limited to that specific use. When processing has multiple purposes, consent must be obtained for all of them.
Informed: Individuals must be given information about the processing of their personal data before giving consent. This includes knowing what data will be collected, who is collecting it, why, how long it will be kept, and any other relevant details.
Unambiguous: Consent should be clear and easy to understand.
Indication of wishes: Consent must be given through an affirmative action, including written, electronic and oral statements. For example, a tick box on a website, or a written consent form. Pre-ticked boxes or inactivity do not constitute consent.
Withdrawable: Individuals who change their mind have the right to withdraw their consent at any time. The withdrawal process must be as easy as giving consent.
In line with the GDPR’s accountability principle, which requires organisations to take responsibility for what they do with personal data and to document their compliance, there is a requirement to evidence the process of obtaining consent.
This means that in addition to securing permission from an individual to process their data, you also need to keep records and evidence the process.
Let’s look a little closer at the critical aspects of consent management and the details you should document:
Who consented: The name of the individual, or other identifier (e.g. online username, session ID).
When they consented: A dated document or online records with a timestamp. For oral consent, a note with the time and date of the conversation.
What they were told at the time: A master copy of a document or data capture form containing their consent statement and a copy of the privacy notice or other privacy information, including version numbers and dates which match the date consent was given. For oral consent, your records should include a copy of the script used at that time.
How they consented: A copy of the relevant document or data capture form. For online consent, your records should include the data submitted and a timestamp to link it to the relevant data capture form. For oral consent, the whole conversation does not need to be recorded, only a note of the time the conversation took place.
Whether they have withdrawn consent: If so, when.
Review and refresh the consent process if anything changes. It is recommended that you consider updating consent every two years.
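To make the record-keeping above concrete, here is a small consent ledger written as an added example for this page (it is not code from the article or from The DPO Centre). It stores the five items listed (who, when, what they were told, how, and any withdrawal), rejects records that would not evidence valid consent (a pre-ticked default, or a privacy notice version that postdates the consent), and flags active consents older than the two-year review window. All names, identifiers, notice versions and dates in it are constructed sample values, and the refresh window of 730 days is an assumption based on the two-year suggestion above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed refresh window, following the article's two-year suggestion.
REFRESH_AFTER = timedelta(days=2 * 365)
VALID_METHODS = {"online_form", "written", "oral"}


@dataclass(frozen=True)
class PrivacyNotice:
    version: str                 # version shown at the time of consent (hypothetical)
    effective_from: datetime     # when that version came into force


@dataclass
class ConsentRecord:
    subject_id: str              # who: name or other identifier (username, session ID)
    given_at: datetime           # when: timestamp of the consent
    purpose: str                 # specific purpose the consent is limited to
    notice: PrivacyNotice        # what they were told: notice version in force
    method: str                  # how: "online_form", "written" or "oral"
    evidence_ref: str            # how: reference to the form copy, submission or script
    affirmative_action: bool     # an explicit act, not a pre-ticked box or inactivity
    withdrawn_at: Optional[datetime] = None   # whether withdrawn, and when


class ConsentValidationError(ValueError):
    """Raised when a record would not evidence valid consent."""


def record_consent(ledger: list, rec: ConsentRecord) -> ConsentRecord:
    """Validate a consent record against the factors above and append it."""
    if not rec.affirmative_action:
        raise ConsentValidationError("pre-ticked box or inactivity is not consent")
    if rec.method not in VALID_METHODS:
        raise ConsentValidationError(f"unknown consent method: {rec.method}")
    if rec.given_at < rec.notice.effective_from:
        # The notice on file must be the version in force when consent was given.
        raise ConsentValidationError("privacy notice version postdates the consent")
    if not rec.purpose.strip():
        raise ConsentValidationError("consent must be tied to a specific purpose")
    ledger.append(rec)
    return rec


def withdraw_consent(ledger: list, subject_id: str, purpose: str, at: datetime) -> int:
    """Mark every active consent of this subject for this purpose as withdrawn."""
    updated = 0
    for rec in ledger:
        if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
            rec.withdrawn_at = at
            updated += 1
    return updated


def has_valid_consent(ledger: list, subject_id: str, purpose: str, now: datetime) -> bool:
    """True if an unwithdrawn consent for this exact purpose exists within the refresh window."""
    for rec in ledger:
        if rec.subject_id != subject_id or rec.purpose != purpose:
            continue
        if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
            continue
        if now - rec.given_at > REFRESH_AFTER:
            continue
        return True
    return False


def records_due_for_refresh(ledger: list, now: datetime) -> list:
    """Active consents older than the refresh window, for review."""
    return [r for r in ledger if r.withdrawn_at is None and now - r.given_at > REFRESH_AFTER]


def build_sample_ledger():
    """Constructed sample data (no real individuals): a fresh online consent, an old
    oral consent due for refresh, and a written consent that was later withdrawn."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    notice_v2 = PrivacyNotice("v2.0", datetime(2021, 1, 1, tzinfo=timezone.utc))
    notice_v3 = PrivacyNotice("v3.0", datetime(2023, 1, 1, tzinfo=timezone.utc))
    ledger: list = []
    record_consent(ledger, ConsentRecord("user-1001", now - timedelta(days=21), "email_marketing",
                                         notice_v3, "online_form", "form-7/submission-55", True))
    record_consent(ledger, ConsentRecord("user-1002", now - timedelta(days=3 * 365), "email_marketing",
                                         notice_v2, "oral", "script-2021-03", True))
    record_consent(ledger, ConsentRecord("user-1003", now - timedelta(days=100), "email_marketing",
                                         notice_v3, "written", "paper-form-12", True))
    withdraw_consent(ledger, "user-1003", "email_marketing", now - timedelta(days=10))
    return ledger, now


def rejected_examples() -> list:
    """Constructed invalid records; returns the reason each was rejected."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    notice_v3 = PrivacyNotice("v3.0", datetime(2023, 1, 1, tzinfo=timezone.utc))
    bad = [
        ConsentRecord("user-2001", now, "email_marketing", notice_v3, "online_form", "form-7/s-1", False),
        ConsentRecord("user-2002", datetime(2022, 6, 1, tzinfo=timezone.utc), "email_marketing",
                      notice_v3, "written", "paper-form-3", True),
    ]
    reasons = []
    for rec in bad:
        try:
            record_consent([], rec)
        except ConsentValidationError as exc:
            reasons.append(str(exc))
    return reasons


if __name__ == "__main__":
    ledger, now = build_sample_ledger()
    for sid in ("user-1001", "user-1002", "user-1003"):
        print(sid, "valid:", has_valid_consent(ledger, sid, "email_marketing", now))
    print("due for refresh:", [r.subject_id for r in records_due_for_refresh(ledger, now)])
    print("rejected:", rejected_examples())
```

Note that `has_valid_consent` matches on the exact purpose string, so a consent given for email marketing does not carry over to a different channel, which is the "specific" factor from the list above enforced in code.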
The GDPR states that the processing of personal data for direct marketing purposes may be considered a valid reason or legitimate interest (GDPR Recital 47). However, as marketing is generally in the interests of the business, the validity of using legitimate interests as a lawful basis for processing data must be carefully considered, balancing any possible consequences for the individual.
A Legitimate Interests Assessment (LIA), which demonstrates whether the processing is necessary for your legitimate interests and does not prejudice the data subject’s interests, rights and freedoms, is a useful tool for identifying and considering this lawful basis as a possible justification for processing personal data under the GDPR.
An LIA comprises the following three-part test:
Using legitimate interests as a lawful basis will only be permissible if it does not affect the fundamental rights and freedoms of individuals, which always take precedence. This means that while using legitimate interests as a lawful basis, the focus is not on preventing every negative outcome or consequence but ensuring that any potential negative consequences are not excessive or out of proportion compared to the intended benefits or purposes. It’s about maintaining balance.
Consider this example: How CompanyX delivers personalised ads
When PersonA became a customer of CompanyX a year ago, they provided their email address for communication purposes. During the first communication, CompanyX informed PersonA of two key points: (i) their email address would be used to advertise similar CompanyX products on social media, and (ii) they had the right to object to this processing at any time.
CompanyX then added PersonA’s email address to its customer database and shared it with a social media provider. This collaboration allowed CompanyX to match its list of customer email addresses with those held by the social media provider. As a result, CompanyX gained the ability to precisely target and market similar products to PersonA via their social media feed.
This strategy falls under the GDPR and can rely on the lawful basis of legitimate interests.
Lead generation companies use a variety of marketing strategies to provide qualified leads that can potentially be turned into customers.
However, it is important to note that your data processing responsibilities remain and must be upheld, regardless of the use of a third-party service.
The GDPR makes a distinction between organisations and third parties by using the terms ‘data controller’ and ‘data processor’.
Data controller: This is a person or organisation that decides how and why personal data is collected and used. Controllers have overall control over the data and therefore the highest level of compliance responsibility.
Data processor: This is a person or organisation that handles personal data on behalf of the controller. Processors are responsible for ensuring the data processing is in line with the instructions of the controller, in addition to other legal obligations, including notifying the controller in the event of a data breach.
As a controller, it is important that you conduct due diligence on any third-party company you plan on using. You need to confirm the third party’s compliance with the GDPR and any other relevant data protection laws, such as the ePrivacy Directive and PECR, as detailed above.
It is vital that you ensure the outsourced lead generation company has sufficient technical and organisational measures in place to protect the personal data they are processing on your behalf.
For more detailed information about conducting due diligence on your data processors, read Vendor due diligence and GDPR compliance with 5 practical steps.
Lead generation is an important aspect of business growth, but it must be conducted in line with the relevant data protection laws. For the personal data of EU and UK residents, these include the EU GDPR, UK GDPR, ePrivacy Directive, and PECR.
Before undertaking a lead generation strategy, it is essential that the correct measures are in place, including assigning the most appropriate lawful basis and ensuring the obligations and responsibilities as a data controller are understood and implemented.
By understanding and adhering to the relevant regulations, organisations can prevent any future non-compliance issues as well as strengthening customer trust, confidence and engagement.
Confident customers lead to increased loyalty, which translates into becoming a more successful and sustainable business.
Visit The DPO Centre to find out how an outsourced data protection service can support you in maximising marketing ROI whilst staying compliant with EU and UK data protection laws.
For more news and insights about data protection follow The DPO Centre on LinkedIn