In this GDPR FAQ mini blog, we discuss whether organisations can continue to use their existing database of contacts.
Our Frequently Given Response:
It depends how the data within the database was initially obtained, and the purposes for which the data was used and will be used in the future.
Even if the data was obtained in accordance with previous legislation such as the Data Protection Act 1998, if it no longer complies with GDPR, it should not be used by the organisation.
The following issues should be considered:
- For what purposes was the data originally obtained and is it still being used for that purpose? If not, consider whether you are able to rely on another ground to process the data (including potentially consent);
- If the data is used for marketing purposes, consider the type of individuals listed on the database: if they are existing customers, individuals with whom you have negotiated or corporate subscribers, please see the eighth and ninth blogs of this mini series for more information about when you can market to those individuals;
- If consent was obtained to use the data for marketing purposes, consider whether that consent was GDPR compliant. See blog number 10 for more information on this. If consent was not GDPR compliant, new, GDPR compliant consent will need to be obtained unless you are able to rely on another ground to send the communications.
Please bear in mind that the Privacy and Electronic Communications Regulations which applies to electronic marketing is due to be replaced with new legislation. This may impact when electronic marketing communications may be sent and when consent may be required.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.