Data Compliance

Although the whole subject matter of compliance may be a little ‘dry’, it is important for you to understand where Halo stands when we seek to broker marketing data. A customer’s privacy and the security of their personal data are of vital importance.

If you feel you can work with Halo and the compliance criteria set out below, please get in touch!

What are the minimum data supplier requirements Halo looks for when brokering marketing data?
  • The starting point of any data due diligence is that the data must have been collected lawfully and fairly, in accordance with the current Data Protection Act 1998 (DPA), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the guidance of the regulatory body, the Information Commissioner's Office (ICO).
  • All suppliers must complete a Halo compliance questionnaire outlining how they collect personal data for marketing purposes.
  • The supplier must be ICO registered.
  • There needs to be an openness and transparency of the data collection process detailing what legal basis was used for data collection.
  • There needs to be a customer-responsive process which deals with customer queries, subject access requests and rights, including requests for the removal of customers from marketing lists.
  • All data lists must be screened for TPS registration and other data suppression methods must be stated.
  • A customer’s privacy and the security of their personal data are of paramount importance. Halo will not work with suppliers who show any disregard for data protection and security.
  • Adequate data security procedures must be evidenced by the supplier.
  • Any data file transfer between the data supplier and the end client must be done securely.
  • A relevant data processing agreement needs to be signed by all involved parties.
What is the legal basis used when collecting data for marketing purposes?
  • Consent is the legal basis we use for customers opting in to marketing (3rd or 1st party).
  • Therefore, consent statements, fair processing notices (FPN) and privacy policies must be provided so Halo can assess what information the customer was provided with at the point of consent.
  • These FPNs must be date relevant in that the FPN date must correspond with the customer’s consent date.
  • The consent statements and privacy policies must be clear to read, easy to understand and accessible.
What type of consent is required?
  • The consent must be ‘opt-in’ consent.
  • This means any consenting customer must have provided a positive, freely given and informed consent to ‘opt in’ to potential marketing contact.
  • The consent must be clear for the customer to understand; it is unambiguous and is a positive expression of choice.
  • Consent must NOT be implied nor given by default.
  • In practice, this may mean a customer ticking an ‘unchecked’ box on an online consent form rather than the customer having to ‘uncheck’ a pre-ticked box.
  • The date of consent must be provided as consent degrades over time and is not timeless. Therefore, the consent relating to ‘old’ data will not be deemed valid.
What does openness and transparency mean in terms of the data collection process?
  • Halo needs to know the means and mechanism by which the customer gave consent. For example, was it online or was it via a telemarketing phone call?
  • The source URL is to be provided for online data collection methods so we know the exact origin of data collection.
  • For telemarketing contact, the original data source of the contacted customer must be provided.
  • For telemarketing contact, call records must be provided on request.
  • The data source must always be known; we do not buy ‘anonymised’ data sources.
What do you expect the customer to have agreed to when providing consent?
  • The customer must have consented to contact by a 3rd party or specific contact from a named brand.
  • The potential for 3rd party contact must be clearly stated on the consent statement and within the accompanying privacy policy.
  • Phone contact must be stated as a contact preference on the consent form as this is the usual method Halo’s clients use to contact customers.
  • The relevant marketing sectors that may be promoted by the 3rd party must be stated either on the consent statement or within the privacy policy.
  • A customer must be provided with a clear option to opt out of future marketing and therefore withdraw their consent.
  • An accompanying Privacy Policy must be clearly accessible and easy to understand.
  • Privacy policies must state the following minimum details:
    • The supplier’s contact details
    • The DPO contact details where applicable
    • Potential contact preferences stated (phone, email, post, text)
    • 3rd party data use
    • Marketing preferences stated
    • IP address and cookie policy where appropriate
    • Who the recipients are of the personal data in general or specific terms (sponsors)
    • For how long the data is being stored
    • The categories of personal data that are being collected
    • The purpose of the data use and the processing activities
    • The legitimate interest pursued by the data controller or 3rd party where appropriate
    • The use of automated decision making if applicable
    • The efforts made to ensure the security of the personal data
    • The subject must have their ‘rights’ explained to them including:
      • the subject’s right to withdraw consent at any time
      • the subject’s right to make a subject access request (free of charge and completed within 30 days in compliance with the GDPR)
      • the subject’s right to make a complaint to the ICO and the ability to raise any general data queries
      • the subject’s right to rectification, erasure, restriction and objection
      • the subject’s right to data portability (data transfer)
    • Any details of data transfers overseas and the safeguards undertaken
What are the implications of the GDPR when assessing data suppliers and their data collection process?

Halo already uses strict data collection guidelines when brokering opt-in marketing data. However, there are several areas in which data suppliers will need to make further amendments in order to become fully GDPR compliant from 25th May 2018.

  • Bundled v granular: At present a bundled ‘opt in’ is accepted. This means a customer can tick one opt-in box which covers multiple channels of communication, usually phone, post, email and text. Halo expects the GDPR opt-in options to become granular, meaning separate opt-in boxes by communication channel will be offered to customers. For example, if a customer wants phone contact only, they will tick the phone box, leaving the remaining channel boxes blank.
  • Brand listing: The ICO’s GDPR ‘consent’ draft guidelines state that the recipients of personal marketing data must be listed on a FPN. Halo is already asking its suppliers to name the brands on data collection notices Halo brokers its data for.
  • Consent not being a pre-condition of service: Customers must not be forced into opting in to marketing whilst subscribing to a service. They must be given a choice of whether to opt in or not. This could be done, for example, by making the granular opt-in boxes optional (not compulsory) and / or by providing an option for the customer to bypass any marketing contact through a separate web link.
  • Customer consent withdrawal: Although this is a mandatory requirement now, Halo will continue to audit for the clear provision of an ‘opt out’ mechanism which allows the customer to opt out of future marketing. It must be as easy for a customer to withdraw consent as it is to provide it.
  • Privacy Policy Content: Articles 13 and 14 of the GDPR outline what information is expected to be provided to the customer when they consent to marketing. Halo will monitor supplier privacy policies to ensure the fullest content is being provided.
  • Legitimate Interests: Consent is not the only legal basis for collecting personal marketing data. The GDPR states that ‘legitimate interests’ is an alternative and equally valid legal basis which may be used instead of consent. However, this would be for post and phone contact only, and not email and text. You will be expected to comply with the GDPR legitimate interests requirements, which include carrying out a legitimate interests assessment (LIA). This assessment must objectively test the balance between using the customer’s data for direct marketing and whether any such marketing use risks unwanted privacy intrusion whilst undermining the rights and freedoms of a customer. If on assessment the balance is skewed against the customer, legitimate interests must not be used and another legal basis used instead, e.g. consent. If you are using legitimate interests for marketing purposes you must also inform the customer of this in a clear statement at the point of data collection, whilst providing the customer with a clear opportunity to opt out of direct marketing.