Data Protection

Engaged recipients lists and the GDPR (for UK and International school clients)

There are rules that you must adhere to when processing a list of engaged recipients data in line with the GDPR. Once you take receipt of the data you become a data controller of that data and assume your own responsibilities under the GDPR, including ensuring you have a legal basis for processing that data. You'll probably rely on legitimate interest and, if so, will need to ensure that you've the following in place:

  1. You've completed a legitimate interest assessment and balancing test to satisfy that your legitimate interests don't override the freedoms, rights, and interests of the teachers/school staff. 
  2. Provide relevant information in your Privacy Policy about the data you hold and how you process it. You'll need to link to your privacy policy in every email you send your engaged recipients.
  3. Ensure that your unsubscribe process is absolutely robust - you must honour a data subject's request to be removed.

Have the teachers provided consent?

Before 25th May 2018 it is was not necessary to gain consent from teachers to pass their names and work emails out to third parties. This is because they are considered corporate subscribers and, although under the GDPR, their names and work emails are considered personal data, there are different rules surrounding how they may be marketed to (which is governed by a different piece of legislation called PECR). Pertinently, until 25th May 2018, you didn't need to serve an end user at a corporate subscriber notice that you have their at work personal data and so that negated the need for you to obtain their consent. Legally it was just not necessary. There's a good article by the ICO that defines corporate subscribers here: https://ico.org.uk/media/1555/direct-marketing-guidance.pdf (point 142 on page 44).

However, things changed from 25th May 2018 and to coincide with the enforcement of the GDPR, Sprint launched a new Preference Centre (which you can read about in our GDPR whitepaper here). Every teacher in our database has access to this Preference Centre via a data collection and fair processing notice they have each been sent, and also via links in the footers of every further email we send them. It's within this Preference Centre that they can manage their own preferences, digest and review their data collection and fair processing notice, update their data, and also opt-out of having their data passed out to our education partners (who are also listed, along with their business contact details). Therefore Sprint are able to pass out the names and work emails to named third parties of those teachers that allow it and so if you are in receipt of a list of engaged recipients from Sprint that you received after 25th May 2018 you can feel comfortable that it won't contain the details of those teachers who have asked us to not pass them out.

Who is the Data Controller?

Once you take receipt of the data from us you become a Data Controller of that data and assume your own responsibilities under the GDPR. It states that if you process personal data (processing means storing and using that data, e.g. in a marketing campaign) in order to do it legally, you have to process it under one of six legal grounds. The ground available to you to process this teacher at work data is ‘legitimate interest’.

Do I have a Legitimate Interest?

Legitimate Interest is defined as:

"... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…” (Article 6 1(f) of the GDPR)
“… The processing of personal data for direct marketing purposes may be regarded as carried out for legitimate interest.” (Recital 47 of the GDPR)
In order to rely on legitimate interest as your legal basis for processing you need to:

> Complete a Legitimate Interests Assessment (LIA) and balancing test to satisfy that your legitimate interests don't override the freedoms, rights and interests of the teachers.

> Provide  relevant information in your Privacy Policy about the data you hold and how you process it. You'll need to link to your privacy policy in every further communication you send to your leads.

> Ensure that your unsubscribe process is absolutely robust - you must absolutely honour a data subject's request to be unsubscribed or removed.

Sprint can provide you with a detailed Legitimate Interests Assessment template that is specifically tailored to organisations who sell to the education sector which you can edit and use but other than that we don’t offer any services relating to your Privacy Policy. Instead, you should visit one of the several legal template websites that will sell you a standard Privacy Policy which you can download and edit, or seek your own legal counsel to advise you.