EPISODE 4: The legal battle to make data-driven prospection GDPR compliant

27 Apr 2018

There are two legal grounds to process personal data for direct marketing purposes in compliance with GDPR 

How can companies or organizations, wanting to process data for direct marketing purposes, justify their activities? GDPR offers them two legal grounds:

  1. By obtaining the consent of the data subject. GDPR specifies that the privacy clause asking for this consent has to be transparent, informative and specific, using clear and plain language.
  2. ‘When the processing of the data is necessary for the purposes of legitimate interests by the data controller or a third party.’ Direct marketing is considered by GDPR as a ‘legitimate interest’. 

How does GDPR impact data-driven prospection?

What happens when consumers or b-to-b contacts give their consent, allowing their data to be used by third parties for direct marketing activities? GDPR specifies that consent clauses have to be specific. From this perspective, ‘data used by third parties’ sounds a bit vague. That’s why third parties using these data for prospection need to be able to rely on the second legal ground to be GDPR compliant: ‘legitimate interests’ (of course, for the use of email addresses, only consent is possible).

Bisnode is well aware that the ‘legitimate interests’-ground needs to be balanced carefully against the individual’s interests, rights and freedoms. That is why Bisnode involved external legal experts to develop correct and trustworthy procedures. This resulted in a 3-step approach to adequately meet the rightful expectations of all data subjects.

Bisnode’s 3-step approach to reassure data subjects 

1. Full transparency. In accordance with the GDPR, Bisnode informs data subjects of the uses of their data in the most transparent way possible. We invite you to visit our dedicated website to discover how we give people the most complete information possible. This site explains in clear and easy-to-understand terms how Bisnode collects and uses personal data with respect for GDPR. It also specifies all the rights of the data subject and how to use them. Bisnode urges all its data source partners and all its clients to refer to this privacy clause, including a clear mention and link to this GDPR rights platform.

2. Data subject rights. Bisnode offers data subjects a user-friendly process to exercise their GDPR rights. These rights, and how to exercise them, are explained here.

3. Data Protection Impact Assessment. This methodology aims at respecting the fair balance between the interests of companies and the rights of the data subjects. Bisnode follows the methodology developed by the French Privacy Commission to prepare its own DPIA. It is still a work in progress, and the conclusions will be communicated in due time on the Bisnode website.

Two levers to convince the Belgian Privacy Commission 

Bisnode’s 3-step approach to protect data subjects goes beyond the requirements of GDPR. With these well-prepared and fully documented measures we will present a strong case to the Belgian Privacy Commission. 

Bisnode also supports the lobbying activities of our various business federations: ACC Belgium, BAM, UBA... They have developed and published a position paper to defend the fair business interests of our industry in view of GDPR. Direct marketing is a vital driver of our economy. To safeguard our future, we need to find a fair balance between individual consent and the legitimate interests of our business. We are convinced that GDPR leaves room for data-driven targeting and prospection. That’s why we believe the Belgian Privacy Commission needs to adopt both GDPR grounds for private data processing: ‘data subject consent’ and ‘legitimate interests’.

Here you can download the position paper

How to step up your IT security for GDPR? 

That's the subject of episode 5.

Looks complicated? Glad to help you!

Don’t worry: whenever in doubt about a GDPR data issue, do not hesitate to contact your Bisnode consultant. Getting GDPR ready? Been there! Done that! We’re ready to help and get you on your way.
