With GDPR fully implemented there could be an immediate regulatory compliance impact on the direct mail sector. How can the sector determine legitimate interest and avoid risks?
GDPR, the EU’s General Data Protection Regulation, has just been fully implemented. Whilst the direct financial penalty of non-compliance is itself substantial (up to £20m or 4% of global turnover, whichever is greater), the reputational damage caused by failing to effectively safeguard personal data is perhaps higher still. For the direct marketing sector (which seeks to develop and execute targeted campaigns) client concerns and reticence over regulatory compliance could have an immediate and material impact on their operations.
Corporate marketing lists are expected to thin as consumers fail to respond to a barrage of consent requests, decide against ‘opting into’ future communications or choose ‘to be forgotten’. This last option is a new right under GDPR, permitting individuals to determine whether their personal data can be stored in an entity’s marketing database. As a result, Direct Mail firms will be limited to contacting the consumers whom their clients believe have given consent or whom the client deems to have a ‘legitimate interest’ in the communication.
In order to determine ‘legitimate interest’, companies will have to decide whether the individual’s interests override the legitimate interest of the company to carry out its business. Would receiving marketing be an irritation to recipients or would they reasonably expect the business to use their details in this way? There is now a great deal more consideration required to determine, justify and document the application of ‘legitimate interest’ in order to ensure the processing and usage of the data remains lawful.
Given the as-yet-untested implications of the new regulations, businesses are understandably wary of undertaking any direct marketing that could impact on their reputation and their bottom line. Direct Mail firms are therefore under significant pressure to reassure their clients that their services remain both legally permissible and brand-enhancing. This is despite the UK’s Information Commissioner’s Office confirming that companies will be able to use ‘legitimate interests’ as a lawful basis to hold and process personal data. Companies will not have to obtain explicit consent in order to contact consumers by post.
The risk for Direct Mail firms is that their clients may refrain from initiating campaigns until the new regulations are embedded and legal precedents established. Faced with a greatly reduced mailing list, some organisations may take this opportunity to review their broader marketing activities. They might also consider alternative approaches that effectively target their customer base.
Businesses will need to weigh up whether the work required to ascertain ‘legitimate interest’ outweighs the potential litigation, financial impact and reputational damage of compliance failure. In the meantime, Direct Mail marketing firms, with high fixed costs of printing and overheads, will need to clearly articulate the value of their services and identify opportunities to reduce costs or raise alternative revenue streams. Lenders will also want to make sure Direct Mailers have contingency strategies in place to ensure they do not breach covenants should ongoing uncertainty surrounding GDPR result in a sustained decline in mailing volumes.