Since the GDPR (General Data Protection Regulation) came into effect, marketing departments have been hesitant to contact customers for fear that they will run into compliance problems.
GDPR SMS marketing has been a particularly tricky topic, with organisations uncertain of their requirements and how it differs from other forms of advertising.
However, the truth is that text message marketing operates under the same rules as the rest of the GDPR.
That means that marketers are entitled to contact customers only if specific compliance requirements are met.
This blog outlines those requirements and explains how you can achieve compliance.
1. You must have a lawful basis for collecting personal data
Under the GDPR, organisations are only permitted to process personal data if they can demonstrate a legitimate reason for collecting it.
There is a common misconception that that means obtaining individuals’ consent. In reality, organisations can use any one of six lawful bases.
Due to the complexities of getting and keeping people’s consent, you should only rely on it if no other lawful basis applies.
But for most times when you wish to send SMS messages, organisations can use the lawful basis of legitimate interests.
Legitimate interest is the most flexible of the GDPR’s lawful bases for processing personal data.
Theoretically, it applies whenever an organisation uses personal data in a way that the data subject would expect.
‘Interests’ can refer to almost anything, including an organisation or third party’s commercial interests or broader societal benefits.
In general, the condition applies when:
- The processing isn’t required by law, but there’s a clear benefit to it.
- There is little risk of the processing infringing on data subjects’ privacy.
- The data subject should reasonably expect their data to be used in that way.
However, the flexibility of legitimate interests means that organisations must thoroughly justify its applicability in their documentation and explain how people’s personal data will be protected.
That brings us to our next point.
2. Manage personal data in accordance with the GDPR
Whether you’re using personal data for SMS marketing or any other purpose, the same requirements apply regarding its protection.
For a start, employees must receive staff awareness training to learn how to handle personal data.
Meanwhile, organisations must create policies and processes for employees to follow and implement appropriate technological defences.
Organisations must also complete DPIA (data protection impact assessment) whenever they process personal information that could result in a high risk to data subjects’ rights and freedoms.
This is, of course, just the beginning when it comes to securing your organisation.
There are too many potential steps you might take to list here, but you can find more advice on our website or by reading our Beginner’s guide to data breaches and the GDPR.
3. Provide links to your privacy notice
Under the GDPR, organisations must create a privacy notice to make their GDPR compliance practices known to customers.
There are two reasons for doing this.
First, it prevents any confusion about how personal data is being used and ensures a level of trust between the organisation and the individual.
Second, it gives individuals more control when an organisation collects their personal data.
If there’s something they aren’t happy with, they can query it via a DSAR (data subject access request) and ask the organisation to suspend that processing activity.
4. If you must use consent, use opt-in mechanisms
As we noted earlier, the GDPR’s rules surrounding consent make it the least appealing lawful basis.
One major issue is that consent is only lawful if data subjects complete an explicit affirmative action.
In other words, organisations need a mechanism that requires a deliberate action to opt-in instead of pre-ticked boxes.
In addition to this, individuals are free to withdraw consent at any time.
If they do, the organisation must cease any data processing activities related to them and delete their information.
However, there will be circumstances in which consent is your only option.
In those cases, you must ensure that you are using an opt-in mechanism. This might include requiring the data subject to:
- Sign a consent statement on a paper form.
- Click an opt-in button or link online.
- Select from equally prominent yes/no options.
- Choose technical settings or preference dashboard settings.
- Respond to an email requesting consent.
- Answer yes to an explicit oral consent request.
- Volunteer optional information for a specific purpose (such as optional fields in a form).
- Drop a business card into a box.
Consent requests must not rely on silence, inactivity, default settings, taking advantage of inattention, or default bias in any other way.
The GDPR also states that the process for opting out must be straightforward.
For example, this might mean including an opt-out or unsubscribe link on SMS messages or a link to the individual’s account where they can adjust their consent options.
Unlimited GDPR support
Are you looking for more guidance to meet your data protection requirements? With our GDPR Advice Service, you’ll receive unlimited support from our experts.
Whether you’re looking for help addressing a specific problem or want general guidance on your GDPR compliance, our team of dedicated experts are on hand from 9 am–5 pm Monday to Friday.
Led by a team of experienced data protection practitioners, data privacy lawyers and cyber security experts, we deliver an efficient, expert-driven service, including DPO (data protection officer) support, data privacy management, DSAR guidance and other legal services.
