The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and it governs how data about individuals must be processed and stored.
As a data provider since 1973, we take our responsibilities under the GDPR extremely seriously and have worked with industry experts to ensure that our processes and practices are compliant, and that our customers can make use of our data in confidence. Here, we're delighted to share our approach with you.
What is the GDPR?
It is a set of laws concerning how personal data must be processed and stored, with a view to giving individuals greater control over how their data is used. Even after leaving the EU, the UK will continue to adopt the GDPR as part of its domestic legislation. The GDPR ensures that data is treated with respect, kept secure, used fairly, responsibly and in a transparent way.
How does Glenigan collect and manage personal data?
Glenigan draws contact data from publicly-available, public-sector sources, such as local planning authorities, public tendering websites and expenditure plans.
This information is then extensively and continually researched to identify individuals involved in live construction projects. The vast majority of these contacts are corporate individuals. Whilst this is still categorised under GDPR as personal data, it can be used within the current legislative framework for business-to-business sales and marketing purposes, assuming the Privacy and Electronic Communications Regulations (PECR) are also adhered to.
Contacts can opt out of inclusion at any stage and our database is updated in real time, over 30,000 times a day, to ensure that it always shows an individual's most up-to-date status.
Have Glenigan’s GDPR processes been independently audited and verified?
Our processes have been audited for GDPR by lawyers at DLA Piper and Ernst & Young. We are accredited members of the Direct Marketing Association who have assessed our processes to ensure they are up to the standards of their DMA code. We are also registered with the Information Commissioner as a data controller, and we have appointed a dedicated Data Protection Officer to ensure that our business continues to be compliant.
Are Glenigan allowed to collect and process personal data?
Yes. Our data is provided to customers based on the legitimate interest of enhancing marketing efficiencies for buyers and sellers within construction and related markets. Legitimate interest is one of the six lawful grounds for processing data under the GDPR. Our legitimate interest in collecting this type of data has been audited and fully documented.
Does Glenigan need consent to share this data with clients via its database?
No. In a business-to-business context, opt-in consent is not required for Glenigan to share this data with its third-party customers. In any event, in the circumstances of Glenigan’s business, properly informed opt-in consent is not realistic or practical.
Why isn’t it realistic or practical to obtain consent?
As outlined under the GDPR, consent requests must include the name of any third-party controllers (i.e. Glenigan customers) who will rely on the consent.
Information Commissioner's Office (ICO): "Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include: the name of your organisation; the name of any third-party controllers who will rely on the consent; why you want the data; what you will do with it; and that individuals can withdraw consent at any time."
In our case, this would mean listing the company names of thousands of companies, which cannot realistically be done in a concise and easy-to-understand manner. Simply informing database contacts that their details may be shared with a generic group of third parties, for example ‘our customers’, does not constitute opt-in consent.
We would also need to re-contact all of those contacts every time a new third-party controller (i.e. a new Glenigan customer) gained access to the database to ensure their consent remained in place, which is impractical and unrealistic.
By using legitimate interest as a ground for processing, Glenigan customers can be assured that they are not at risk of relying on consent that is not legally robust in the eyes of the ICO, and that they will have access to the largest possible database of industry contacts with no data being withheld due to lack of consent.
Are Glenigan customers also GDPR compliant because your data is?
No. Under the GDPR, once data has been exported from our system, our customer becomes the data controller and therefore must ensure that their collection, use, storage and retention of data complies with the GDPR. This is the case no matter where customers source sales and marketing data from.
We encourage all customers to take independent advice to understand what can and cannot be done with data sourced from database providers such as Glenigan. This could include the completion of a legitimate interest assessment, through which customers can demonstrate their GDPR compliance if required.
In addition to the GDPR, customers must also consider that electronic marketing communications are covered by PECR.
Frequently asked questions
What is legitimate interest?
Legitimate interest is one of the grounds for processing data as specified by the GDPR. The ICO states that, “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”. For business-to-business purposes, where customers are utilising Glenigan data to identify companies and individuals that are likely to have a need for their products and services, this is appropriate.
What is a legitimate interest assessment?
A legitimate interest assessment (LIA) is a risk-assessment based on our customer’s specific context and circumstances for processing data.
What is PECR?
The Privacy and Electronic Communications Regulations (PECR) are a set of rules that sit alongside the GDPR and give people specific privacy rights in relation to electronic communications. PECR sets out different rules for marketing to companies and marketing to private individuals (i.e. not business contacts). In general, the rules on marketing to companies are not as strict. PECR states that private individuals can only be contacted via email or by text message with informed and specific consent. Accordingly, in order to safeguard our customers, email addresses and telephone numbers are removed from this data if it is collected.
Can I make sales calls to contacts using the data?
Yes, as long as you have identified grounds for doing so under the GDPR via a legitimate interest assessment and you comply with the Telephone Preference Service (TPS).
Can I email/mail contacts using the data?
Yes, as long as you have identified grounds for doing so under the GDPR via a legitimate interest assessment and you comply with PECR.
If a contact unsubscribes from our marketing do they also unsubscribe from Glenigan?
No, customers' mailing lists are their own responsibility and are separate from Glenigan’s database.
How do I know that someone that has unsubscribed from our marketing won’t be supplied by Glenigan again in the future?
It’s highly likely that contacts who have unsubscribed from customers' marketing will remain in the Glenigan database; therefore it’s vital that customers maintain their own suppression lists internally.
How do you deal with requests to be removed from your database?
How do I know if someone has opted out of your database?
Any requests from contacts to be removed from the Glenigan database will be actioned promptly; it’s therefore imperative that customers refer back to our website for the most recently updated information.
How long can I keep data for before I’m in contravention of the GDPR rules?
The GDPR specifies that personal data must not be held for longer than you need it. Customers should consider what this means to them as a data controller, and be able to justify it. As above, customers should be aware that if they retain and use out-of-date data for marketing purposes, they may contact individuals who have opted out of inclusion, which could lead to a complaint.
How secure is Glenigan data?
Our processes are secure and in line with industry best practice. All data is stored in encrypted form using market-leading technology.
Information Commissioner's Office
Guide to Privacy and Electronic Communications Regulations
Right to be informed
Legitimate interest assessment template
Telephone Preference Service
What is TPS?
If you have any queries regarding Glenigan data and the GDPR, please get in touch.