GDPR came into force just over three years ago. Since then, new data privacy legislation has been introduced and the UK has left the European Union. But what impact have the events of the last few years had on data privacy legislations? And what do UK SME owners need to be aware of?
We recently had a great conversation with Simon Blanchard of Data Protection Network Associates. He’s a data practitioner, a consultant on data privacy and formerly Head of Data & Online at Bauer Media who has worked with a wide range of B2C & B2B companies.
He talked us through the top things UK business owners need to be aware of when it comes to marketing and data privacy. In this post, we’re going to run through some of the key questions he answered.
What kinds of marketing are now regulated by data privacy laws?
The official wording from the ICO is…
“The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.”
This includes marketing via email, SMS, social networks and other digital channels. It excludes non-personalised marketing like leaflets through your door or online content that hasn’t been personalised or targeted in any way.
What are the ‘six lawful bases’ for processing personal data for B2B communications?
The six lawful bases are a set of circumstances when it is OK to process personal data for B2B communications purposes.
They are:
- Consent - the person has given you clear and unambiguous permission
- Contract - the communication is necessary to achieve the terms of a contract between the sender and receiver
- Legal obligation - processing the data is required to fulfil a legal obligation or agreement
- Vital interests - this applies to extreme situations like medical emergencies or personal protection
- Public task - this is typically used by public authorities (or private organisations that perform a public service, like a college) who need to perform a task in the public interest
- Legitimate interest - this is the most flexible and widely used in a B2B context, you can find more information on when you can claim legitimate interest below
When can you rely on ‘legitimate interest’?
‘Legitimate interest’ states that businesses can use customer data, provided they do it in a way that the subject would want or expect. But it can be a bit of a grey area.
To be on the safe side, you should always ask for consent for:
- Email or SMS marketing to consumers, sole traders or partnerships
- Cookies for marketing or analysis
You can claim legitimate interest for:
- Email marketing to existing business contacts
- Direct mail marketing for B2B or B2C contacts
- Manual telephone marketing by a real person (not an automated service) provided you screen out any numbers belonging to Telephone Preference Service
- Building a list of prospects via online sources
A few examples of legitimate interest in a B2B context would be:
- Someone hands you a business card with their data on it
- You discovered a new business prospect online (for instance on LinkedIn)
- Notes taken from a meeting (although you must have processes in place to secure that data)
If you do use ‘legitimate interest’ you need to notify contacts and give them the opportunity to opt-out. Simon recommends that you always ask people to opt-out of individual channels rather than all of them at once. Otherwise you’re missing out on the opportunity to contact them by other channels they may be happy with.
How do you assess for legitimate interest?
The assessment for legitimate interest has three parts:- Purpose test - is there a legitimate interest behind the processing? Or put another way, would the subject want or expect their data to be used in this way?
- Necessity test - is the processing necessary for that purpose?
- Balancing test - are your legitimate interests overridden by the individual’s interests, rights or freedoms?
If your processing of their data meets these requirements, you should be OK, provided you also give them a way of opting out or unsubscribing.
How and when should you inform people that you have collected their data?
Transparency is important. Subjects need to know when you’re collecting data and what you intend to do with it.If you’re collecting data directly - for instance, using a form on your website - make sure you:
- Say why you need it
- What you will use it for
- Tell them if it will be shared
If you’re collecting data indirectly - for instance by gathering prospect data on LinkedIn or from a ‘list buying’ service - you need to tell people within the first month of obtaining their data:
- That you have their data
- Where you got it from
- How they can opt out or unsubscribe
- Where they can view your privacy notice
If you don’t need their data anymore, you should delete it.
B2B Lead Generation: Step-by-Step Guide
Get our complete guide to generating, nurturing and converting leads.
What should you have in your privacy notice?
Privacy notices are important. If someone complains about your company or reports you, the first thing the regulators will do is inspect your privacy notice.
A comprehensive, well-written privacy notice that is easily accessible on your website will help you stay out of the spotlight. If you don’t have one, or you have one that’s poorly-written or hard to find, that can cause trouble for you from the outset.
It’s worth regularly reviewing your privacy notice to make sure it’s up to date and includes everything it needs to (there are around 15 key elements). If you’re unsure, the ICO has a template you can refer to.
What should you do with ‘old’ data?
B2B data ages fast. People change jobs more often than they change personal email addresses or home phone numbers.If you have old data that you know longer need or can no longer use, you need to delete it. You may also want to delete data if that customer has stopped engaging with you or visiting your website.
To find out if you have old data in your system, you can run a data cleansing campaign:
- Email contacts that haven’t engaged with you in a while
- Ask them if your records or correct or if they want to keep receiving emails
- If they say no or you get a bounceback, delete them from your database
Regularly cleaning out your contacts in this way also helps you avoid ‘spam traps’, which are fake email addresses that are used to catch spammers in the act. If you regularly email a spam trap, your deliverability rating will fall.
What’s the difference between service messages and marketing messages?
Regulators distinguish between the types of emails companies can send people.
Service messages are administrative or functional. Examples are things like order confirmations or updates to their terms and conditions.
Marketing messages have a commercial goal. Examples are invitations to read content, buy products or upgrade their service.
And you shouldn’t try to pass off marketing messages as service messages. AMEX was recently fined £90,000 for doing exactly this.
What are the latest rules around cookies?
Users need to opt into receiving cookies in the same way as emails - they both fall under GDPR - but the ICO does exclude a number of cookies which are deemed essential because they help the user. These include remembering what’s in their basket or enhancing their cybersecurity.Here are a few questions that will help you check your using cookies properly:
- Do you know what cookies your website is using?
- Are you collecting consent for cookies and other similar tracking technology and letting people know how their data will be used via your privacy policy?
- Do you have a Consent Management Platform to let people select their own cookie preferences?
How will Brexit affect data privacy regulations?
Brexit’s impact on the UK’s data privacy laws is still being ironed out. But there are two key recommendations to be aware of when it comes to Brexit and its impact on EU and UK privacy laws.
The first is to make sure that any hosting providers, SaaS applications, email service providers, plugins, data warehouses or CRM providers are inline with both EU and UK data privacy regulations and that their policies are up to date with the latest rulings.
The second is that you may need an EU representative to manage your EU data, handle complaints and liaise with EU data protection agencies. This representative ought to be named in your privacy agreement.
Want more information on data privacy laws for UK SMEs?
Thanks to Simon for making the time to walk us through the latest data privacy updates for UK SMEs.
If you have questions, you can reach out to him via simon@dpnetwork.org.uk