Postal marketing or direct mail is just one business activity that the General Data Protection Regulation (GDPR) affects, but it is one of the most important. Regulator, the Information Commissioner’s Office (ICO), has all the GDPR details on its website, but understanding it all is no mean feat.
David Segel, managing director of West End Travel, says travel agents don’t know who they can post to, or what exactly they can post. He is “a little bit nervous”, he concedes.
“People who are on my database will have been clients, otherwise I wouldn’t have their name. If I’m not mistaken, by law we have to get their agreement to post to them,” he says.
“We deal with thousands of people. Why on earth should we have to go to everyone and ask: ‘Do you mind if we let you know if we get a special offer to New York on Virgin Atlantic for £50 return?’ Why would they mind? “I think you’ll find that companies like ours are a bit more cautious now.”
David Forder, head of marketing at The Advantage Travel Partnership, says travel agents should understand who the intended recipient is – whether they are an existing customer or not.
Agencies must have explicit consent to contact the intended recipient if the individual is not a customer and has never made an enquiry with them.
“If the recipient is known to the agency, then they ideally should still have received explicit consent to market to them,” Forder says.
However, a business might have “legitimate interest” to post material to them, as long as it is related to the agency’s specific business, and an option for the recipient to easily unsubscribe is included in the mailer.
Farina Azam, partner at TravLaw solicitors, elaborates: “The preamble to GDPR specifically mentions direct marketing as a possible legitimate interest that businesses can rely on.”
Her colleague Luke Golding, senior associate in TravLaw’s commercial department, explains that when it comes to the sending of marketing material by post, the act in itself can be an example of a legitimate interest.
“The logic here likely being that most businesses need to be able to market their goods or services... to thrive or survive, and therefore the sending of such marketing material is a legitimate interest of that business.”
However, Golding adds a caveat: “To sustain an argument that postal marketing is lawful on the basis of legitimate interest, an agency would be well advised to carry out a ‘necessity and balancing test’.”
This would involve:
■ Identifying the legitimate interest.
■ Considering whether the marketing is necessary and being able to demonstrate why.
■ Weighing up the interests of the individual receiving the marketing and whether their interests outweigh the legitimate interest identified by considering the nature of the personal data used, the expectations of the individual who will receive the marketing and the likely impact of the marketing on the individual, if any.
“I think agents will find it much harder to argue that they have a legitimate interest in contacting anyone via post who isn’t a customer or that they don’t have any prior relationship with. I wouldn’t recommend it,” says Azam.
She still recommends ensuring that customers know how they can stop receiving direct mail, and advises giving the customers the chance to opt out at the time of data collection.
It’s worth noting digital marketing has much more stringent regulations under the Privacy & Electronic Communications Regulation (PECR), which, like GDPR, is encompassed in the UK’s 2018 Data Protection Act. “Legitimate interest” would not override these requirements.
Forder and Azam believe firms are being overcautious with postal material. Forder attributes this mainly to a lack of understanding on the part of agents, or a lack of confidence about having either explicit consent or a legitimate interest.
Forder adds: “I also believe some businesses are unsure what exactly constitutes personal identifiable information [the protected data linked to an individual that is covered by the GDPR].
“For example, a door-drop campaign – which is only addressed to a household and not an individual – can be actioned without consent or having a legitimate interest because personal identifiable information isn’t being used,” he says.
The Advantage Travel Partnership advised its members to undertake a data audit to ascertain their responsibilities, and to help determine how much more work they needed to do in order to become fully GDPR-compliant.
One member, Go Travel, is currently ensuring all its “I’s are dotted and its T’s are crossed” and that everyone on its system has given explicit consent.
“We’re sifting through all the information at the moment,” says marketing manager Dave Roberts.
He says GDPR has made the agency think more carefully about who it markets to, although it does much more e-marketing than direct mail.
“It’s making us more specific. We’re ensuring that when we run an offer, it’s actually going to people who are going to be interested, rather than just throwing loads of stuff out to everybody. It’s making us redefine what we’re actually marketing and to who.”
Ian Goodenough, director of The Destination Lounge in Ilfracombe, Devon, another Advantage member, admits to being “pretty terrified” at the prospect of GDPR, but when he looked into it at the end of last year, he discovered that the fear factor dissipated.
“I found out we were doing a lot of practices that were necessary anyway. What we weren’t doing was documenting everything, so I did a couple of online courses, learned a bit more about what was needed, calmed down quite a bit and started putting a spreadsheet together of where all our data was, and found we had it in about 35 different places.
“I used that as my plan for where our data is and how we check that we’re doing it right, and that made it much more manageable.
“If everyone’s running a business properly and ethically, the base practices should be there already and this is just the layer on top to make sure you’re really aware of it. If someone asks you questions, you can tell them: ‘This is how we do it – this is how we secure data and this is why we keep it.’”
So, a final refresher of the rules:
■ If a client is on your existing database and has provided consent to be contacted, then postal marketing is fine.
■ If a client is on your database as an existing client but hasn’t opted in, there can still be a legitimate interest to contact the person, as Golding explains earlier.
■ If neither option is viable, a non-personalised door-drop campaign in which no processing
of individuals’ data has been involved is an alternative marketing route that can be taken.
■ You can argue “legitimate interest” to send postal marketing to existing customers.
■ Give customers an opportunity to opt out at the time of data collection and with each individual posting.
■ Document everything – policies, consents, opt-outs and your processes.