TPC 2018 Wrap-Up: GDPR, Legitimate Interest, and the Spirit of the Law



If ever there was a reflection of the greatest anxieties in the ticketing industry in 2018, it was the TPC talk on GDPR (General Data Protection Regulation, if you’ve been under a rock for the last year). Before a packed-out room, Michael Nabarro of Spektrix and Katy Raines of Indigo talked about approaches to data collection as the deadline for compliance approaches.

Consent and “legitimate interest”

Nabarro and Raines examined the definition of consent in GDPR legislation. Consent must be granular, unambiguously indicated, recorded, and auditable. It must be possible to withdraw consent, and organisations must make the process of withdrawing consent clear and accessible. Even if current procedures comply with the Data Protection Act, they may need to be reviewed and updated.

The presenters then talked through how “legitimate interest” can modify consent. If the data controller has an existing relationship with the customer and there’s a reasonable expectation that regular communication would take place, it could be argued that legitimate interest exists. Guidelines state that this could apply to direct marketing.

Legitimate interest does need to be carefully assessed. The ICO has published an assessment template, and the presenters recommended that each organisation fill one out, sign and date it, and record when it’s been approved by a senior manager.

When could you argue for legitimate interest?

Many organisations are concerned about overwhelming customers with requests for consent. They worry that adding extra forms and tick-boxes could harm audience relationships, increase administrative costs, and lose them revenue.

Organisations who choose to classify their direct marketing, personalised content, fundraising prospects and wealth tagging as legitimate interests need to make sure that their privacy policy is available, easy to find, clear, and accessibly worded. There needs to be a clear way to opt out or object, and a system for managing objections.

There are restrictions on how public bodies can use legitimate interest, and all organisations need to obtain firm consent to use data in tele-matching and sharing with third parties. The RSPCA’s non-consensual sharing of data, failure to disclose wealth screening and unauthorised use of tele-matching were held up as an example of “worst practice”.

Consent for email and phone marketing

In accordance with PECR (Privacy and Electronic Communications Regulations), organisations need to obtain specific consent for email, phone and online marketing, and existing customers need to be given a clear way to opt out at any time. Explicit consent is particularly crucial in the case of fundraising; a soft opt-in is not enough, and customers should not be contacted if they subscribe to the TPS (Telephone Preference Service).

PECR has changed ahead of GDPR, and life gets complicated where linked organisations are used to bundling their marketing: each individual organisation needs to receive consent, even where they are viewed as essentially the same entity.

Raines used Birmingham Symphony Hall and CBSO as a working example. Their options are to request specific consent in the case of email, or to make it clear that their data collection contract applies to both parties. She recommended consulting a lawyer to vet your proposals – a suggestion that was later questioned.

Where can I get advice?

At the end of the talk, moderator Roger Tomlinson had this to add: the ICO has published detailed guidance for GDPR compliance online, and its representatives are available to answer follow-up questions from marketers and venues. A lawyer may be able to help you set out the wording of your privacy policy and data requests in a way that covers most bases.

However, getting a lawyer in to develop your privacy policy could land you in hot water if they decide to prioritise “wiggle room” over active, good-faith compliance. The ICO has been very clear that it expects compliance with the spirit of the new laws as well as the letter. The best and safest approach is to prioritise keeping to their guidelines as closely as possible.

How has Monad prepared for GDPR?

Fairness and transparency have always been priorities for us during the development of our systems for capturing marketing consent. Here’s what we’ve improved ahead of GDPR:

• Recording the exact time and channel where consent was obtained.
• Locking the questions and prompts responded to by customers, providing an accurate record of how requests for consent were worded.
• Developing a feature that allows users to upgrade and replace existing wording.
• Including consent actions in the Customer History view.
• Improving granularity of consent by allowing consent questions to be linked to promoters, making that question visible only to those who have purchased tickets from that promoter.
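As an added illustration of the record-keeping ideas in the list above (this is example code written for this write-up, not Monad's own implementation, which the post does not describe in detail), here is a small append-only consent ledger in Python. Every grant or withdrawal is stored with its timestamp and channel; prompt wording is locked as a numbered version so the record shows exactly what the customer answered; upgraded wording becomes a new version and the ledger can list who consented under superseded text; a per-customer history is available; and promoter-linked questions are only shown to that promoter's buyers. Customer ids, prompt texts, promoter names and timestamps are constructed for the example.

```python
"""Append-only consent ledger (illustrative, not Monad's code): each grant or
withdrawal is recorded with the exact time, channel and the locked wording
version the customer actually saw."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PromptVersion:
    """A locked, immutable copy of one version of a consent question."""
    prompt_id: str
    version: int
    wording: str
    promoter_id: Optional[str]  # None means the question is shown to everyone
    locked_at: datetime


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal. Events are only ever appended, never edited."""
    customer_id: str
    prompt_id: str
    prompt_version: int
    granted: bool
    channel: str  # constructed channel names: "web", "box-office", "phone"
    recorded_at: datetime


class ConsentLedger:
    def __init__(self) -> None:
        self._prompts: Dict[str, List[PromptVersion]] = {}
        self._events: List[ConsentEvent] = []

    # Wording is locked on publish; "upgrading" it adds a new version.
    def publish_prompt(self, prompt_id: str, wording: str, now: datetime,
                       promoter_id: Optional[str] = None) -> PromptVersion:
        versions = self._prompts.setdefault(prompt_id, [])
        pv = PromptVersion(prompt_id, len(versions) + 1, wording, promoter_id, now)
        versions.append(pv)
        return pv

    def current_prompt(self, prompt_id: str) -> PromptVersion:
        return self._prompts[prompt_id][-1]

    def wording_seen(self, event: ConsentEvent) -> str:
        """The exact text the customer answered, even after later upgrades."""
        return self._prompts[event.prompt_id][event.prompt_version - 1].wording

    def visible_prompts(self, purchased_from: Set[str]) -> List[PromptVersion]:
        """Granularity: promoter-linked questions only for that promoter's buyers."""
        return [v[-1] for v in self._prompts.values()
                if v[-1].promoter_id is None or v[-1].promoter_id in purchased_from]

    def record(self, customer_id: str, prompt_id: str, granted: bool,
               channel: str, now: datetime) -> ConsentEvent:
        pv = self.current_prompt(prompt_id)  # pin the version shown right now
        ev = ConsentEvent(customer_id, prompt_id, pv.version, granted, channel, now)
        self._events.append(ev)
        return ev

    def withdraw(self, customer_id: str, prompt_id: str,
                 channel: str, now: datetime) -> ConsentEvent:
        """Withdrawal is itself an auditable event, not a deletion."""
        return self.record(customer_id, prompt_id, False, channel, now)

    def status(self, customer_id: str, prompt_id: str) -> Optional[ConsentEvent]:
        """Latest event wins; None means the customer was never asked."""
        for ev in reversed(self._events):
            if ev.customer_id == customer_id and ev.prompt_id == prompt_id:
                return ev
        return None

    def has_consent(self, customer_id: str, prompt_id: str) -> bool:
        ev = self.status(customer_id, prompt_id)
        return bool(ev and ev.granted)

    def history(self, customer_id: str) -> List[ConsentEvent]:
        """Everything that belongs in a Customer History view."""
        return [ev for ev in self._events if ev.customer_id == customer_id]

    def needs_reconsent(self, prompt_id: str) -> List[str]:
        """Customers whose standing consent was given under superseded wording."""
        current = self.current_prompt(prompt_id).version
        latest: Dict[str, ConsentEvent] = {}
        for ev in self._events:
            if ev.prompt_id == prompt_id:
                latest[ev.customer_id] = ev
        return sorted(c for c, ev in latest.items()
                      if ev.granted and ev.prompt_version < current)


def demo() -> dict:
    """Constructed walk-through; returns values a test can check."""
    def at(hour: int) -> datetime:
        return datetime(2018, 5, 1, hour, 0, tzinfo=timezone.utc)

    ledger = ConsentLedger()
    ledger.publish_prompt("email-news", "Email me about upcoming shows.", at(9))
    ledger.publish_prompt("promo-x-offers", "Email me offers from Promoter X.",
                          at(9), promoter_id="promoter-x")
    ledger.record("cust-1", "email-news", True, "web", at(10))
    ledger.publish_prompt("email-news", "Email me about shows and fundraising.", at(11))
    ledger.record("cust-2", "email-news", True, "box-office", at(12))
    ledger.withdraw("cust-2", "email-news", "phone", at(13))
    return {
        "cust1_consent": ledger.has_consent("cust-1", "email-news"),
        "cust1_wording": ledger.wording_seen(ledger.status("cust-1", "email-news")),
        "cust2_consent": ledger.has_consent("cust-2", "email-news"),
        "cust2_history": len(ledger.history("cust-2")),
        "reconsent": ledger.needs_reconsent("email-news"),
        "visible_all": [p.prompt_id for p in ledger.visible_prompts(set())],
        "visible_x": [p.prompt_id for p in ledger.visible_prompts({"promoter-x"})],
    }
```

The design choice that matters for auditability is that nothing is ever overwritten: a withdrawal is a new event, and upgrading wording creates a new version rather than editing the old one, so the record of what each customer agreed to stays intact.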

You can read the Ticketing Institute’s summary of our structures here.

It’s important to note that we are neither lawyers nor representatives of the ICO. We can signpost you to comprehensive official sources of information about GDPR compliance, but we can’t (and shouldn’t) give specific advice. For that, the ICO should be your first port of call.