The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Whilst many may not have been aware of it until recently – it was actually first adopted in April 2016 – it’s difficult to miss it now with countless articles in your inbox and on your LinkedIn feed.
There’s a lot to take in, with a lot of focus on the threat of huge fines. This has meant a lot of conversation, speculation, confusion and concern as people try to understand what it means to them, what they need to do about it and how it will impact their business. Our role is to support agencies with business development, marketing and data, so we have been taking this very seriously for some time now and looking at what this means to agency (B2B) new business.
To help make sense of it, we have been carefully monitoring updates from the likes of the ICO (who will be responsible for enforcing GDPR in the UK) and the DMA (who have been lobbying for businesses to retain their ability to market themselves to other businesses) and recommend that you do the same. We also consulted Henry Pearce, Lecturer in Law at the University of Hertfordshire, to help understand the implications of the GDPR legislation and look at practical recommendations.
This article helps summarise some useful insights we’ve gained along the way:
It’s not all about big fines
GDPR replaces the Data Protection Act and is similar in many ways, so if you are already compliant with the DPA you are off to a good start. GDPR requires that personal data (any data that can be used to identify an individual) be processed lawfully, fairly and in a transparent manner and used for specific, explicit and legitimate purposes. The data should be adequate, relevant and limited to what is necessary for the specified purpose, accurate and up-to-date and processed in a secure manner.
Accountability is a cornerstone of GDPR, which puts increased importance on how you manage data across your business. You must be able to show how you comply with its principles and be able to demonstrate that you have effective policies and procedures in place. Here is a guide from the ICO detailing 12 steps to help prepare your business.
Yes, you’ve probably read about the potential fines (up to €20 million), but it’s important to keep a sense of perspective. In this open article, Elizabeth Denham, Information Commissioner at the ICO, writes that focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
How does this new piece of legislation apply to B2B marketing?
The Direct Marketing Association issued the following advice in relation to B2B:
“When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same, opt-out. When emailing or texting, you do not need the prior consent/opt-in from the individual. You can therefore send them a marketing email/text as long as you provide an easy way to opt out of future communications from you.
For any B2B marketing communications, regardless of channel, the content must be about products and/or services that are relevant to the recipient’s job role. This situation will not change under GDPR. These rules for email and text messages come under the Privacy & Electronic Communications Regulations (PECR) and this will not be affected by the implementation of GDPR.
What is important to remember when emailing or texting corporate employees is that where personal data is used for marketing, for example a work email address, they have the right to prevent their personal data being processed for direct marketing, which is why you must provide a way to opt out of future communications.”
Whilst most of the obligations under the DPA apply to firms carrying out B2B marketing-related activities, there is currently one notable exception to this. At present, the Privacy and Electronic Communications Regulations (PECR), mentioned above, specify that B2B email marketing and similar activities do not have to obtain the express opt-in consent of any individuals whose personal data are involved in said activities in order to satisfy the individual consent ground for legitimising the processing of personal data under the DPA. Therefore, in the context of B2B marketing activities involving personal data, giving individuals the option to opt out is sufficient to establish consent.
According to the DMA, under the current rules B2B marketers are subject to fewer regulatory requirements than B2C marketers. This is because the Privacy and Electronic Communications Regulations (PECR) focus on protections for consumers. Marketing to corporate employees via electronic channels does not require consent under PECR. These differences have led to confusion in the B2B marketing industry as to how it will be affected by GDPR.
They also provide the following useful summary:
10 things B2B marketers need to know about the GDPR:
- The GDPR applies if an organisation is processing personal data
- B2B marketers use personal data and therefore the GDPR will apply to them too
- Corporate email addresses and other contact details are personal data
- In fact the GDPR definition of personal data is broad and includes cookies and IP addresses
- The GDPR does NOT state that organisations need to obtain an opt-in consent for their marketing
- The GDPR lays out 6 legal grounds for processing personal data. All are equally valid.
- B2B marketers will be able to make use of the legitimate interest legal ground for their marketing activity in most instances.
- Legitimate interest is a subjective legal ground so an organisation must justify their activity and consider the privacy risks for data subjects
- Consent is black and white. It is a yes or a no. However, it is a robust standard which may be hard to achieve. If it is, the ICO have said legitimate interest might be the better choice.
- GDPR is the overarching framework but there are specific rules for the marketing sector from PECR, which is being revised and will become the ePrivacy Regulation in the future
Possible changes to the ePrivacy Regulation
Concern was raised in late 2016 when a leaked version of the Commission’s proposals stated that B2B marketing via electronic channels would also require prior opt-in consent. This would mean any marketer wanting to email corporate employees would require opt-in consent, a huge change and challenge for the sector. However, the DMA announced in January, with great relief, that ePrivacy fears for B2B had been averted and that the EU Commissioner for the Digital Economy and Society, Andrus Ansip, had advised that the final version of the Commission text would soften many of the clauses that could have had a significant negative impact on B2B marketers.
The ePrivacy Regulation is still being debated by the EU Parliament and Council, so there is a long way to go and nothing is set in stone. In a recent meeting with Marju Lauristin, the leading MEP responsible for the ePrivacy Regulation, DMA Group CEO Chris Combemale raised this very point and explained the potential damage to industry. Marju agreed that the Parliament’s intention wasn’t to unnecessarily restrict B2B marketing.
This continues to be discussed, and on 5 December 2017 the European Council released a consolidated version of the ePrivacy Regulation which summarises the work done so far in the European Council as a basis for its future work. The consolidated version also outlines that further internal discussions will be necessary with regard to Articles 6, 7 and 8 on a number of elements, namely:
- as to whether, and to what extent the grounds for processing proposed by the commission need to be completed by additional grounds;
- in relation to certain grounds permitted under GDPR, keeping in mind the specific nature of the electronic communications data; and
- on the issue of the protection of end users’ terminal equipment and the need to find a balance between ensuring proper privacy protection and not undermining legitimate business models.
This suggests that it is still about finding the right balance between protecting privacy and not unnecessarily restricting business. The final proposal for the ePrivacy Regulation is expected in the summer, as currently stated by the German government. However, it may not be until mid / late 2019 that this comes into force.
Do you have a genuine and legitimate reason for contacting someone?
The 39-page document published by the ICO (Information Commissioner’s Office) offers guidance on GDPR consent. Within it there is this statement regarding ‘legitimate interests’: “Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.”
The concept of a “legitimate interest” is expansive, and it has been established by EU courts and regulators that it is wide enough to encompass activities such as marketing and other business development-related endeavours.
To justify that a legitimate interest applies, businesses will need to:
- Put a clear focus on who they are targeting and why. Ensure that your messaging is well targeted and directly relevant to the person you are communicating with.
- Refine what you already know, taking into account best practices when building strategies to communicate with prospects.
- Build a plan for a robust data management (CRM) system in order to track engagement, honour ‘opt outs’ and make sure your database is up to date.
This is all best practice we have always recommended as part of an insight-driven and well-managed contact programme. By doing this you are not only putting yourself in the best position to comply with the GDPR legislation, but also encouraging ‘opt ins’ and engagement with your campaigns and content – and you are more likely to build long-lasting relationships with potential clients.
Please get in contact if you would like further help understanding GDPR and how to prepare for this.
Please note that this article is written from Upfront’s point of view and understanding of GDPR and the changes to PECR (which is still in draft as of the publication date of this article). The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.