GDPR Compliant Communications with Businesses and External Stakeholders

Marketing + Communications RV 21/06/2019

1 Introduction to the regulations

The General Data Protection Regulation (GDPR), which applied from 25 May 2018, means that the university must operate a shared, universal approach to how it collects, stores and uses personal data, and to how it conducts external direct communications, so that both are compliant. This applies to email, SMS, postal mail and telephone calls.

Email communication is a particular focus because it presents a high risk under the Privacy and Electronic Communications Regulations (PECR). PECR are separate UK regulations that sit alongside the GDPR and add specific rules for electronic marketing (email, SMS and telephone); a bulk communication has to satisfy both.

All staff who process data and communicate with external stakeholders must understand the difference between:

a. Bulk communications: multiple, unsolicited, identical messages via any channel, to groups of organisations or individuals, unrelated to on-going business, e.g. publicising a guest lecture. From now on called ‘bulk communications’.

b. Business as usual: one-to-one, or one-to-many, communications about on-going business, e.g. with people you know personally or you are working with on a project. Referred to as ‘business as usual’ networks.

The focus of this guidance document is group a. ‘bulk communications’, due to the weight of risk for the university of non-compliance.

2 Key Risks for the University of Brighton

2.1 Corporate liability

All bulk communications sent to groups of contacts by staff at the University of Brighton are the corporate liability of the university, no matter who sends them or for what purpose.

2.2 Legal Bases for Processing

All bulk communications must rest on one of the six lawful bases for processing, and every member of staff must clearly understand and state the lawful basis they are using for their management of data and the associated external communications.

There are six lawful bases for processing data (i.e. collecting, managing, communicating); the most appropriate should be chosen from:

a. CONSENT - the individual has given their clear, unambiguous consent
b. CONTRACTUAL - necessary for the performance of a contract involving the individual
c. LEGAL OBLIGATION - necessary for compliance with a legal obligation
d. VITAL INTERESTS - necessary to protect the vital interests of an individual
e. PUBLIC TASK - necessary for the performance of a task carried out in the public interest or in the exercise of official authority
f. LEGITIMATE INTERESTS - necessary for the legitimate interests of the controller or a third party, unless overridden by the individual’s interests or fundamental rights.


Most UK businesses and public authorities are exempt from the PECR ‘consent’ rule for electronic marketing, so there is no need to ask them for consent. Existing customers do not need to give consent either, under the PECR ‘soft opt-in’; note that this applies only where the contact details were obtained in the course of a sale or negotiation, the messages concern the university’s own similar services, and the person was given a simple way to opt out when their details were collected and in every message since. Legitimate Interests is likely to be the most appropriate lawful basis for communicating with business and external stakeholder audiences, provided the university’s interests are balanced against those of the recipient. There may be occasions when Public Task or Contractual is the most appropriate basis.

The consent requirement does not apply to communications with existing commercial customers, with corporate bodies (Ltd, LLP and Plc) and public bodies (hospitals, schools, local authorities etc.), or to non-electronic bulk communications to any group. N.B. Sole traders and private (non-LLP) partnerships count as individual subscribers under PECR, so until further clarification is available from the ICO they must be treated as consumers/individuals. More information is on the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

2.3 Electronic communications

When unsolicited direct marketing is sent via email, SMS or social media messaging, PECR applies in addition to the GDPR. The individual must have given specific consent to receive these communications, unless they are an existing customer covered by the soft opt-in. Communications to businesses and public bodies (corporate subscribers) are exempt from the PECR consent rule, but the PECR rules that the sender must be identified and a valid contact address given still apply, and a GDPR lawful basis is still required because a named contact’s details are personal data.

Type of communication                                                        Consent required?   Legitimate Interest required?

PECR consent rule does not apply
  Emails/text messages to business contacts                                  No                  Yes
  Post/direct mail to business contacts                                      No                  Yes
  Post/direct mail to consumers (private individuals)                        No                  Yes
  ‘Live’ phone calls to numbers with no TPS/CTPS* registration               No                  Yes

PECR consent rule applies
  Emails/text messages to consumers (private individuals) who are
  existing customers (soft opt-in)                                           No                  Yes
  Emails/text messages to consumers (private individuals) who are
  not customers                                                              Yes                 No
  Automated calls, or ‘live’ phone calls to TPS/CTPS* registered numbers     Yes                 No

*Telephone Preference Service / Corporate Telephone Preference Service. Automated (recorded-message) marketing calls always require consent, whether or not the number is registered.

3 Consequences of non-compliance

Many departments and schools engage in bulk communications to networks of businesses and other external stakeholders, e.g. to offer services for hire, promote courses, attract student placements or jobs, contact alumni or look for commercial partners. The GDPR gives every individual an absolute right to object to direct marketing (Article 21), so we must offer a clear unsubscribe option, and the resulting unsubscribe requests must be shared between all departments and schools in order to be compliant. We must avoid a situation where department ‘B’ emails a contact who has already unsubscribed from an earlier communication from department ‘A’, and who then goes on to complain to the Information Commissioner. This way of operating would expose us to:

• Financial risk Potential for heavy fines: under the GDPR up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, for breaching the regulation; breaches of PECR attract a separate ICO monetary penalty of up to £500,000.

• Reputational risk If the university were to email or postal mail people in silos, without any integration or checks, unsubscribe information would not be shared. Contacts could receive multiple versions of the same thing, or worse still, conflicting messages - the overall impression to our external audience would appear chaotic which would damage our reputation.

4 Managing our risks in practice

GDPR compliance for communications with businesses and external stakeholder networks is now addressed through a university-wide approach to rules regarding how we collect, keep and communicate with our contacts (i.e. how we ‘process’ data).

Guidelines for all aspects of compliance are available from the Data Compliance and Records Team. In addition, we now use one central email communications system, incorporating a central unsubscribe function for ‘bulk’ email communications to business and external stakeholder audiences.

Advice and help for aspects of GDPR compliance

4.1 Does GDPR affect my communications?

GDPR affects your communications with external stakeholders if you send out:

✓ invitations to events
✓ newsletters and updates
✓ special offers and funding
✓ calls for collaborations and partners
✓ any kind of marketing communications

The types of communications listed above (and others like them) are referred to as ‘bulk communications’. There is no specified minimum quantity for ‘bulk communications’; the significant point is that these are multiple, unsolicited, identical messages via any channel, to groups of organisations or individuals, which are unrelated to on-going business. GDPR dictates how we handle these communications.

You may keep details of these external contacts on some kind of list, e.g. a spreadsheet or database. The contacts could be people you have met at an event, or people who enquired about services or courses from the university. They could be individuals enquiring for their own personal interest, or people enquiring on behalf of the company they work for.

‘Business as usual’ communications (BAU) are individual conversations with one or more people about on-going business, e.g. with people you know personally or people you are working with on a project within, or external to, the university. The communications aspects of these relationships are not the subject of this guidance; however, the collecting and storing of contact data is regulated in the same way for both categories.


4.2 How can I ensure my communications are GDPR compliant?

If you want to send unsolicited or ‘bulk’ communications to these contacts, there are further questions that you need to ask yourself. These include:

• What type of contacts you hold – are they business or consumer contacts? See 4.2.1 below

• What information do you hold about these people, and why do you need it?

• How did you get the data, and did the individual consciously opt-in?

• What have you used the information for?

• What do you intend to use it for in the future?

• Why do you think it is appropriate to communicate with these contacts?

• Which Legal Basis for Processing do you intend to use? See section 5

4.2.1 Type of contacts

One of the most important considerations about the data you hold is whether the contacts are business-to-business or business-to-consumer. In other words, do we have a relationship with them as a representative of an organisation, or as an individual who wants to purchase or find something for their own personal use? This distinction is very significant because it governs whether the PECR consent rule applies, and therefore which lawful basis for processing you can rely on for each channel (see appendix), and how you need to collect these contacts in order to be able to communicate with them. Businesses and public bodies are exempt from the PECR consent rule; individual consumers are not.

Business contacts

A business contact is someone we have had a transaction with in a business-to-business context, or someone who enquired about our services in a business context, on behalf of their organisation. A business context can be defined as a situation where someone is looking to work with the university to achieve business objectives, e.g. their company will take a student on placement or offer to provide a student project. An individual may also offer to guest lecture, and provided that the offer is made through a business and it will be on company time, this could also be considered a business context. Other examples might be:

• an HR manager enquiring about some in-company training

• someone enquiring about a course for an employee, which would be funded by the company

• a business director looking to collaborate with an academic or research team

Business contacts can also be suppliers to the university. Businesses are defined as limited companies, public limited companies and public bodies such as schools and hospitals. Sole traders and private partnerships are less clear-cut and, at the moment, should be treated as consumer contacts.

To determine whether a contact can be considered a business contact of the university, check that you hold:

• individual contact name

• name of business

• address of business

and that the contact fits the definition of a business contact (above). You should also know how you collected this information. For example, did the contact attend an event, or make an enquiry? If you only have a person’s name and an email address, and do not have a physical business name and address linked to the contact, then the contact must be considered to be a consumer contact.

Consumer contacts

A consumer contact is an individual who may have enquired or shown interest in our offer for their own personal use, e.g. someone who might want to come on a course. Other examples might be:

• an alumnus who has signed up to the University of Brighton Alumni Association

• someone who registered for an event in an individual capacity (not representing a business)


4.2.2 Deciding a ‘basis for processing’

The regulations require transparency and fairness. If a contact has unambiguously opted in (i.e. taken a positive action) to receive marketing messages or other unsolicited messages from the University of Brighton, then you can communicate with them under the ‘consent’ basis, including via email and SMS. If they haven’t opted in, other lawful bases for processing might be appropriate, including Legitimate Interests, Contractual and Public Task (see appendix for details). If your contacts are clearly business contacts, you may be able to send marketing communications, including via email and SMS, under the Legitimate Interests basis. If they are not business contacts, you may still be able to use Legitimate Interests, but you will be restricted to hard copy and live personal phone calls to numbers not registered with the TPS; email or SMS to a consumer needs their consent, or the PECR soft opt-in where they are an existing customer.

4.2.3 Using Legitimate Interests as a legal basis for processing

It is likely that Legitimate Interests will be a popular choice as a lawful basis for processing because it is flexible and could in principle apply to any type of processing for any reasonable purpose, e.g. communications to businesses or existing customers of any kind. In order to assess whether you, as the data controller, have a legitimate interest, you will need to complete a Legitimate Interest Assessment (LIA) template. This will dictate the types of messages you are able to send.

Legitimate Interests is different from the other lawful bases because it is not centred on a particular purpose (e.g. performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). Because it could apply in a wide range of circumstances, it puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual, taking into account the particular circumstances. This is different from the other lawful bases, which presume that your interests and those of the individual are balanced. The ICO says the key elements of the Legitimate Interests provision can be broken down into a three-part test:

1. Purpose test – is there a legitimate interest behind the processing?
2. Necessity test – is the processing necessary for that purpose?
3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

These three questions must be answered and documented before an email communication can be accepted for mailing through the central email system. The same questions must be answered for any other kind of bulk communication. See the LIA template in the appendix of this document.


4.2.4 Using consent as a legal basis for processing

If you use consent as your lawful basis for processing contacts who are not customers, you MUST have used a clear and unambiguous opt-in mechanism when collecting your data, so that you can prove that this person took a positive action in order to ask to receive communications from you (no pre-ticked boxes). If you don’t have a clear opt-in, you are not allowed to send unsolicited marketing communications to these individuals, and you should ask yourself whether you should be keeping this data at all; refer to the guidance on GDPR compliance from the university’s Data Compliance and Records Management team on Staff Central. N.B. You cannot ‘mix’ Legitimate Interests and ‘opt-in’ for the same communication: you must use one or the other as your basis for processing, and clearly state which on any communication you send.

Type of contact     Most likely basis for processing   Question to satisfy                                                                                              Yes/No

Business contact    Legitimate Interest                Do I have a legitimate interest in communicating with these contacts? Use the Legitimate Interest Assessment template to decide.

Consumer contact    Consent                            Did they clearly and unambiguously opt in to communications from the university, and do you have a record of this? Check your records as to how you came to hold this data.

4.3 Checklist for determining whether group or bulk mailing is appropriate

Check the process chart to ensure you have completed the necessary steps.

(Process chart not reproduced.)

5 Next Steps

5.1 Choose your lawful basis for processing

If you intend to rely on Legitimate Interests as your basis for processing, complete the university’s Legitimate Interest Assessment (LIA) form at the end of the appendix to this document. The LIA records your reason for using Legitimate Interests and should be signed and filed with your record of processing activity.

5.2 Choose a privacy notice

Check the university’s privacy notices, and link to the one that best fits your audience and communication. The link must be included in any email sent through the central email system (currently Communigator). https://www.brighton.ac.uk/about-us/statistics-and-legal/privacy/index.aspx

5.3 Schedule your email communication

Book your communication into the calendar on the central email system (currently Communigator). See the user guide for more information.


6 Key takeaways

Where possible (and appropriate to the regulations), keep communications on a personal level to avoid the need for ‘bulk’ emails:

• One-to-one communications from your personal Outlook account

• Personal ‘business as usual’ messages to small groups of people you know or work with

If you do need to send ‘bulk’ communications:

• Contact the central Marketing and Communications team detailed below to complete a brief, and for help with using the central email system

• Ensure relevant messages are sent to appropriate recipients - why are you sending this message to this person? Why might they be interested?

• De-duplicate contacts to ensure people don’t receive multiple versions of the same thing

• N.B. Any communications from students must be clearly from the individual student, and not purport to be on behalf of the university

Don’t ignore the rules, or worse still, invent new systems:

• Don’t build your own ‘opt-out’ or ‘unsubscribe’ mechanism for your communications. Unsubscribe requests must go through the central preference centre so that they are shared across the university; a separate, local list means a contact who has opted out can be emailed again by another department, which exposes the whole university.

7 Contacts for further information

For information specifically regarding communications to businesses and other external stakeholders, contact Robbie Vella or Ciara Gray from the university’s central Marketing and Communications team.

Robbie Vella - Marketing Manager, Enterprise, [email protected] 07580 405744 Ciara Gray - Marketing and Communications Officer (Research, Enterprise and Social Partnerships) [email protected] 07966 272 436

For information regarding communications to alumni, friends of the university and donors, contact Meredith Brooklyn, Alumni and Public Affairs Officer, [email protected] +441273644628

For information regarding all aspects of GDPR, contact Rachel Page, Head of Data Compliance and Records Management [email protected] 01273642404


8 APPENDIX

8.1 References

This guidance is based on the Chartered Institute of Marketing’s interpretation of the General Data Protection Regulations, as set out by the Information Commissioner’s Office, and the latest advice from the Direct Marketing Association (DMA).

It also references advice from the Data Protection Network which is a collaboration between industry, the Direct Marketing Association (DMA) and the Incorporated Society of British Advertisers.

The General Data Protection Regulation (GDPR) builds on the principles of the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003, which remain in force alongside it. The GDPR applied from 25 May 2018, supplemented in the UK by the Data Protection Act 2018.

8.2 Key excerpts from GDPR

8.2.1 Data principles

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

Article 5 of the GDPR requires that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


8.2.2 Lawful bases for processing

Controllers must have a lawful basis for processing personal data under the GDPR; the bases are set out in Article 6(1). Article 5(2) adds the accountability principle: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

The six lawful bases for processing data are:

a) CONSENT – the individual has given their consent to the processing of their personal data
b) CONTRACTUAL – processing of personal data is necessary for the performance of a contract to which the individual is a party, or for the controller to take pre-contractual steps at the request of the individual
c) LEGAL OBLIGATION – processing of personal data is necessary for compliance with a legal obligation to which the controller is subject
d) VITAL INTERESTS – processing of personal data is necessary to protect the vital interests of the individual or of another individual
e) PUBLIC TASK – processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
f) LEGITIMATE INTERESTS – processing is necessary for the legitimate interests of the controller or a third party, unless these interests are overridden by the individual’s interests or fundamental rights.

When deciding whether you have a legitimate interest, there is a process to go through in order to decide whether an organisation can proceed.

The data processing must be necessary, you must have a clear legitimate interest and you’ll need to balance your organisation’s interests with people’s rights.

The last step is completed by carrying out a balancing test, where privacy risks to individuals are flagged up and then appropriate mitigation measures can be taken. For example, data retention periods might be a means of lowering the risk for individuals. An opt-out must always be offered too.

SOURCE: Data Protection Network

For more information see the Information Commissioner’s Office website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

And the Direct Marketing Association: https://dma.org.uk/article/10-things-b2b-marketers-need-to-know-about-the-gdpr-and-data-protection


8.2.3 Why is the distinction between business and consumer contacts important?

There is a distinction in law between a legal person (a legal entity such as a company) and a natural person (an individual). Communications addressed to the legal person, including to a named employee at their work address in their professional capacity, are considered business-to-business. Communications with a natural person acting in a private capacity are considered business-to-consumer. Note that a named employee’s name and work email address are still personal data under the GDPR, so a lawful basis and a privacy notice are still required even where the PECR consent rule does not apply.

8.2.4 Data Controller and Data Processor Definitions

From the ICO website (these are the Data Protection Act 1998 wordings; the equivalent GDPR definitions are in Article 4):

“Data Controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

“Data Processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

“Processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

a) organisation, adaptation or alteration of the information or data
b) retrieval, consultation or use of the information or data
c) disclosure of the information or data by transmission, dissemination or otherwise making available
d) alignment, combination, blocking, erasure or destruction of the information or data


University of Brighton Legitimate Interests Assessment (LIA)

Because it could apply in a wide range of circumstances, the Legitimate Interests basis puts the onus on you to balance your legitimate interests and the necessity of processing personal data, against the interests, rights and freedoms of the individual, taking into account the particular circumstances.

The ICO says the key elements of the Legitimate Interests provision can be broken down into a three-part test:

1. Purpose test – is there a legitimate interest behind the processing?
2. Necessity test – is the processing necessary for that purpose?
3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?

This Legitimate Interests Assessment (LIA) template is designed to help you to decide whether or not the legitimate interests basis is likely to apply to your processing of this data (i.e. how you are going to use it). These questions must be considered, and the answers documented (where relevant – just answer the ones that are appropriate) before an email communication can be accepted for mailing through the central email system. Also see: legitimate interests guidance from the Information Commissioner’s Office (ICO).

Part 1: Purpose test

You need to assess whether there is a legitimate interest behind the processing.

• Why do you want to process the data?

• Do any third parties benefit from the processing?

• What would the impact be if you couldn’t go ahead with the processing?

• Are you complying with industry guidelines or codes of practice? (See GDPR compliant communications with businesses and external stakeholders)

• Are there any other ethical issues with the processing?


Part 2: Necessity test

Next, assess whether the processing is necessary for the purpose you have identified.

• Will this processing actually help you achieve your purpose?

• Is the processing proportionate to that purpose?

• Can you achieve the same purpose without the processing?

• Can you achieve the same outcome by processing less data, or by processing the data in another more obvious or less intrusive way?


Part 3: Balancing test

Finally, consider the impact on individuals’ interests and rights and freedoms, and assess whether this overrides your legitimate interests. First, read the Data Protection Impact Assessment DPIA screening checklist. If you hit any of the triggers on that checklist you need to conduct a DPIA instead to assess risks in more detail.

Nature of the personal data

• Is it special category data or criminal offence data?

• Is it data which people are likely to consider particularly ‘private’?

• Are you processing children’s data or data relating to other vulnerable people?

• Is the data about people in their personal or professional capacity?

Reasonable expectations

• Do you have an existing relationship with the individual? If so, what’s the nature of the relationship?

• How did you collect the data? Did you collect it directly from the individual? What did you tell them at the time?

• If you obtained the data from a third party, what did they tell the individuals about reuse by third parties for other purposes, and does this cover you?

• How long ago did you collect the data? If it was after 25 May 2018, was a Data Protection Impact Assessment (DPIA) carried out? If not, please complete this form: https://www.brighton.ac.uk/about-us/statistics-and-legal/privacy/index.aspx

• Do you have any evidence about expectations, e.g. from market research, focus groups or other forms of consultation?

• Are there any other factors in the particular circumstances that mean the individuals would or would not expect the processing? Would they expect to hear from you? Why should they want to hear from you?


Likely impact

• What are the possible impacts of the processing on people?

• Are some people likely to object to the processing or find it intrusive?

• Can you adopt any safeguards to minimise the impact? E.g. remove anyone you don’t think will be particularly interested in your communications.

Confirm that you will offer all individuals:

• A privacy notice which is applicable to your communication (choose the most appropriate here: https://www.brighton.ac.uk/about-us/statistics-and-legal/privacy/index.aspx)   Yes / No

• A link to the University of Brighton preference centre housed within the Communigator email system, which also offers an opt-out   Yes / No


Making the decision

This is where you use your answers to Parts 1, 2 and 3 to decide whether or not you can apply the legitimate interests basis.

Can you rely on legitimate interests for this processing?

Yes / No

Do you have any comments to justify your answer? (optional)

LIA completed by:                          Date:

What’s next? Keep a record of this LIA, and keep it under review. Do a Data Protection Impact Assessment (DPIA) if necessary. Include details of your purposes and lawful basis for processing in your privacy information, including an outline of your legitimate interests.