Data compliance

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

When communicating with employees of limited companies, LLPs (limited liability partnerships), partnerships in Scotland and government departments (Health, Education, Councils, etc.) the GDPR rules for telephone, direct mail, email and texting are the same:they are required to OPT-OUT if they don’t want to hear from you.

 In other words, the default is ‘they’ve opted in’. You do not need to seek prior permission and you are not obliged to reveal where you obtained their contact information.

 However, when you make contact, you must provide the means for that individual to easily unsubscribe from future communications, and you must make it clear who you are, business-wise. You need to have a robust internal system in place to ensure ALL communications to OPT-OUTERS cease, unless the individual proactively contacts you later to change the opt-out position and/or to request service, support etc.

In contrast to the situation when dealing with corporates, when dealing with sole traders or partnerships, the general position for email and text is that you will need opt-in consent before you can communicate. That is, they must have agreed at some point beforehand to receive your communications – whether by ticking a consent form on your website or through a response card.

  BUT, for telephone and direct mail, you don’t need an opt-in first, though you do need to offer the ability to opt-out from future communications.

To comply with the ‘legitimate interest’ requirement under GDPR, (see below) the content must be about products and/or services that are relevant to the recipient’s job role; it must be easy for the recipient to unsubscribe; and, as stated above, you must identify yourself and your organisation.

“You must have a valid, lawful basis in order to process personal data” – The ICO. The GDPR is meticulous in its requirements for all data to be processed on a lawful basis. It allows six different options, encouraging companies to choose the basis that applies best to their needs in each business area.

The six different lawful bases of processing personal data are:

 1.Consent (where explicit consent is given by the data subject)
 2.Contract (where processing is necessary to fulfil a contractual obligation or as part of entering a contract)
 3.Legal Obligation (where processing is necessary for compliance with a common law or statutory obligation)
 4.Vital interests (where processing is necessary to protect someone’s life)
 5.Public interest (where processing is necessary to perform a specific task in the public interest that is set out in law)
 6.Legitimate interest (where processing is necessary for the purpose of legitimate interest – which includes commercial interests.

 These are aimed to be all-encapsulating, relating to every type of organisation as well as all departments within them.Some are not applicable to B2B marketing. The two main, lawful bases that apply to B2B marketing when processing personal data are ‘Consent’ and ‘Legitimate interest’.Let’s explore each of those further:

Consent is currently the most commonly known and practiced lawful basis used by organisations when processing data, but the new GDPR has rigid rules surrounding consent. If it’s your chosen path, then you will need to intricately check your ongoing systems for consent and refresh them accordingly.

  The most notable change is to the definitive ‘opt-in’ process. This cannot be in any way ambiguous. For example, pre-ticked opt-in boxes are expressly unlawful under the new consent regulations. Opt-in must be a separate, individual and ‘granular’ process, singled out from any other terms and conditions. There must also be a clear right to withdraw.

 Please see the ICO’s page on Consent for further information.

The ICO labels ‘legitimate interest’ as ‘the most flexible’ of all lawful bases of processing data, and it is likely that data processing for most B2B marketing departments will sit comfortably within this basis. In essence, it allows you to process personal data on the grounds that your organisation is working towards the legitimate interest of the individual; this can include commercial interests. As long as the data processing doesn’t infringe on the rights and freedoms of an individual and you can prove the data subject (individual) in question is likely to have a legitimate interest in what you’re marketing, you can collect and process their data.

  For example, if you’re an organisation offering recruitment services, and you collect and process data relating to HR Managers from a range of businesses, the individual s within those businesses are likely to have a legitimate interest in your services, based upon their job function and seniority.This is a good example of how legitimate interest would apply in a B2B marketing scenario.If, however, as an organisation you purchased a large list of Gmail, Yahoo! or Hotmail email addresses without consideration of who was being sent your email marketing communication, and without thought as to the relevance of your email message, then you would be in breach of those individuals’ legitimate interest and therefore likely to be in breach of the GDPR regulation.

 When leveraging legitimate interest as the lawful basis of processing personal data, you must also ensure that the rights and freedoms of the data subject are not compromised. Will your message put that person in danger? Will it land them in trouble? Are they likely to be personally negatively affected by your message? If so, then it is likely that your message will not be compliant with GDPR.Of course, for most B2B marketing it is highly unlikely that a data subject’s rights or freedoms will be compromised. At most they won’t be interested in your message, so it is essential to provide an ‘unsubscribe’ method, as the individual should always have the right to ‘opt out’.

The Privacy and Electronic Communications Regulations (PECR), which sits alongside the Data Protection Act and GDPR, outlines the privacy rights of individuals specific to electronic communications, particularly those of direct marketing. The legislation stipulates that unsolicited marketing messages (i.e. any message that has not been specifically requested) are somewhat restricted for marketing to individuals. In the case of direct marketing to businesses, PECR states that:

  ‘You may email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and to screen any new marketing lists against that. In addition, many employees have personal corporate email addresses (e.g. firstname.lastname@org.co.uk), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.’

This rule is also stipulated in GDPR guidelines:

 ‘If you are processing an individual’s personal data to send business to business texts and emails, the right to object at any time to the processing of their personal data for the purposes of direct marketing will apply. This right is absolute and you must stop processing to that individual for these purposes when an objection is received.’

Therefore, with regard to direct marketing specific to businesses, or individuals in a business capacity, it is permitted to send unsolicited messages – provided that the correct measures have been taken to ensure those individuals or businesses have an opportunity to object to such messages and opt-out from any further communications. Mass marketing, with poorly constructed messages of little value to the recipient, is likely to result in objection to such communications, and potentially reports of spam. All marketing messages should be relevant and specific to the needs of recipients. For more information on PECR, please read the following guidance: