On 14^th April, the EU Parliament approved the final text of the General Data Protection Regulation (GDPR) meaning the two main entities (EU Council and Parliament) have reached a final decision and that the legislative process is now complete.

There have been no further amendments to the version of the text since the ‘final’ version that was submitted back in December, meaning the 5 points we outlined in our February update as to the main areas of contention in relation to direct marketing are still intact.

The two-year implementation process will begin once the Official Journal of the EU publishes the regulation, which is likely to be in late May/June, leaving June 2018 as the date by which EU businesses will need to comply with the law.

Although the text has been finalised and agreed, now the process of picking through the GDPR, what it actually means and how it should be put into practice will begin. Since December, there seems to have been various interpretations over some key points, namely whether the issue of consent will require all channels to be ‘opt-in’, as indicated by Sir Stuart Etherington’s comments (or at least, the interpretation of his comments) which imply that ‘unambiguous consent’ means ‘opt-in’.

However, this isn’t the case, as clarified by the DMA recently at Third Sector’s Fundraising Week where John Mitchison, the Head of Preference Services, Compliance and Legal, re-enforced the notion that charities (or any sector) do not need an explicit opt-in for direct mail or telephone marketing purposes as they will remain an ‘opt-out’ permission channel under the premise that data is processed as a Legitimate Business Interest. What will change is how opt-out data is collected in terms of permission statements; where they are situated, the size of their font and the fact they need to be clear and easy for individuals to opt-out (i.e. not buried in a privacy policy or requiring an onerous action to ensure opt-out status).

Over coming weeks and months, there will be a series of seminars and conferences laid on to help businesses and charities decipher the GDPR and what they need to do about it within their own organisation. The DMA has a helpful toolkit on their website which details many of these sessions.

Separately to GDPR, in view of the upheaval within the charity sector as well as other areas that have required clarification, the ICO recently published revised Guidance Notes on Direct Marketing. This version has a greater focus on fundraising activities specifically, with helpful examples. Note, these guidelines do specifically relate to PECR (Privacy and Electronic Communications Regulation) which does not include direct mail as a channel (direct mail doesn’t actually have a specific set of Guidance Notes form the ICO but this is worth noting, as electronic communications often have more stringent guidelines than offline channels).