The General Data Protection Regulation (GDPR) came into effect on May 25th 2018, and it governs how personal data must be processed and stored. Given the nature of the data that we provide in order to support our customer's sales, marketing and strategic activities, we have audited and updated our processes to ensure that the data we provide is compliant.
What is the GDPR?
It is a set of laws concerning how personal data must be processed and stored, with a view to giving individuals greater control over how their data is used. Even after leaving the EU, the UK will continue to adopt the GDPR as part of its domestic legislation.
In addition to the GDPR, electronic marketing communications are also covered by the Privacy and Electronic Communications Regulations (PECR).
How does this impact Glenigan?
In order to ensure continual compliance with all data regulations we have always audited and updated our processes on an ongoing basis. Our processes are secure and compliant with international standards on data security (ISO 27001) and, for the GDPR specifically, our processes have been audited by lawyers at DLA Piper and Ernst & Young.
We are accredited members of the Direct Marketing Association who have assessed our processes to ensure they are up to the standards of their DMA code. We are also registered with the Information Commissioner as a data controller, and we have appointed a dedicated Data Protection Officer to ensure that our business continues to be compliant.
Our data is stored in encrypted form using market-leading technology.
Do Glenigan collect personal data?
Glenigan’s data is drawn from publicly-available, public-sector sources, such as local planning authorities, public tendering websites and expenditure plans, and also from exclusive partner sources such as The Builders Conference. This information is then extensively and continually researched to identify individuals involved in live construction projects. Throughout these processes a large number of contacts are identified and made available to our customers. The vast majority of these contacts are corporate individuals and while this is still categorised under GDPR as personal data it can be used for business-to-business marketing purposes, assuming PECR is adhered to.
PECR states that individuals (whether as private individuals, sole traders or, in certain cases, partnerships) can only be contacted via email or by text message with informed and specific consent. In order to remove any risk for our customers, email addresses and telephone numbers are removed from this data if it is collected. All contacts added to our database are given the opportunity to opt-out of inclusion.
Article 4.1 of the GDPR states: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Does Glenigan need to obtain opt-in consent?
No, for business-to-business use, opt-in consent is not required in order for third-parties to make use of Glenigan data. According to the GDPR guidelines, opt-in consent is only one of six grounds for using data. Opt-in consent is not realistic for data sets such as that offered by Glenigan.
Why isn’t it realistic to obtain consent?
According to the Information Commissioner's Office (ICO), consent requests must be prominent, concise, separate from other terms and conditions, and easy to understand. Crucially, they must include the name of any third-party controllers who will rely on the consent. In our case, this would mean listing the company names of thousands of customers, which cannot realistically be done in a concise manner.
It would also mean re-contacting all of those database contacts every time a new third-party controller (i.e. a new customer) gained access to the database. Simply informing database contacts that their details may be shared with a generic group of data controllers, for example ‘customers’, does not constitute opt-in consent under the GDPR.
Source: Information Commissioner's Office
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include: the name of your organisation; the name of any third-party controllers who will rely on the consent; why you want the data; what you will do with it; and that individuals can withdraw consent at any time.
How does this impact Glenigan customers?
The GDPR will not stop customers from using or require them to change the way in which they use our services if what was being done before was lawful.
Customers are advised to use legitimate interest as grounds for processing personal data included in the Glenigan system. If legitimate interest is relied upon, the ICO recommends conducting a legitimate interest assessment. It is important that this legitimate interest is not intended/allowed to provide an excuse for disregarding an individual’s privacy rights, which must be fully respected at all times.
In order to eliminate potential areas of risk for our customers, we already suppress data that requires opt-in consent to use for electronic marketing; names private individuals and sole traders.
Our database is updated in real-time over 30,000 times per day and so will always reflect the most up-to-date status of any individual’s consent. Customers are strongly advised to export data for marketing purposes as required from our system to ensure compliance.
Does using Glenigan data ensure customers are GDPR compliant?
No. Customers are responsible for their own data practices and must ensure that they are compliant with all relevant regulations, which could include their own legitimate interest assessment.
Please be aware that this does not constitute legal advice. If you want to know what your legal position is then we suggest that you obtain legal advice as soon as you can.
If you have any queries regarding Glenigan data and the GDPR, please get in touch.