The Marketing Centre offer their no-nonsense guide to GDPR for UK B2B businesses, including information on email marketing, consent and legitimate interest – plus links to more information.
GDPR stands for General Data Protection Regulation. It is a new set of data protection rules, intended to standardise data protection practice across Europe, which applies from 25 May 2018 and replaces the 1995 Data Protection Directive.
Guidelines for data protection and privacy across EU borders have existed since 1980, but they have never been implemented consistently, even after a 1995 directive. Since then, internet usage has become more widespread and technologies such as cloud storage and social media have changed the way data is processed, held and transferred.
If your business processes the personal data of any individual in the EU (regardless of their citizenship), you must comply with GDPR. ‘Personal data’ means any information relating to a person who can be identified from it, even indirectly: this includes names, photos, contact details, posts on social networks, medical information and IP addresses.
The British government has supported GDPR from the date of proposal, and future UK data protection laws are likely to resemble GDPR in most details. Beyond this, GDPR compliance will provide a baseline against which UK businesses can deal with EU businesses. For both of these reasons, GDPR will remain a priority for British companies even after Brexit.
Download our no-nonsense GDPR guide for B2B businesses here.
The maximum possible fine for non-compliance is 4% of annual global turnover or €20 million – whichever is higher – depending on the transgression. However, the Information Commissioner’s Office (ICO) responsible for data protection in the UK has explained that fines will be a last resort, and that it won’t set large fines early on to ‘make an example’ of businesses.
It’s vital to understand that GDPR works differently for B2C and B2B marketing. The legal difference between these activities is derived from an older piece of UK legislation implementing an EU directive – the Privacy and Electronic Communications Regulations (PECR) – which will remain in force after GDPR is rolled out.
GDPR offers two legal bases that matter for marketing purposes. First, consent, in which a data subject – the individual customer or contact whose data you hold – has agreed to specific marketing activities. Second, legitimate interest, in which a business’ day-to-day operations necessarily include some degree of marketing to data subjects.
Under PECR, legitimate interest cannot be used to justify B2C electronic marketing, because PECR requires prior consent before sending unsolicited marketing emails or texts to individuals. PECR does not impose that requirement for corporate subscribers, so legitimate interest can only be relied on when contacting an individual in their capacity as an employee of an organisation – via a corporate email address, phone number or similar – and not via their personal ‘non-work’ contact details.
This guide will examine the challenges created by GDPR. It will look at both consent and legitimate interest as legal bases for B2B marketing, and will offer key steps for building GDPR-compliant processes and systems into your business operations.
Our expert partners in law and IT have observed many businesses coming up short when it comes to GDPR – with some not even compliant with pre-GDPR legislation. A number have substantial blind spots in their data-processing thanks to an incomplete understanding of what ‘personal data’ actually means. Some think GDPR is all about information security, and believe anything about ‘data’ is a matter for their IT director alone.
This shouldn’t reflect badly on SME owners. The will to act on GDPR is there, but businesses lack a clear course of action for doing so. This challenge has been compounded by competing, confusing and self-interested advice from consultants and data processors looking to profit from the rush toward compliance and/or cover up their bad practice in the past.
In particular, the early months of GDPR discourse saw a great deal of confusion around ‘consent’ for marketing. Partly, this is due to the legacy of PECR – legislation which does mandate consent for B2C marketing – and partly down to businesses’ incomplete understanding of GDPR.
GDPR provides six legal bases for collecting, processing and storing personal data. These are consent, contract, legal obligation, vital interests, public task and legitimate interests. Most are matters of necessity, applying where an organisation must process data in order to deliver its services or meet its obligations. However, the basis of legitimate interest allows businesses to market directly to other businesses by communicating with their employees.
The concept of double opt-in has also caused some confusion. Double opt-in is the ‘belt and braces’ approach to email marketing signups and applies only to activity justified by consent – not by legitimate interest. Under this model, the potential subscriber fills out and submits an online signup form (opt-in one), and the business sends an automated confirmation email containing a link that the subscriber has to click to verify their email address (opt-in two).
GDPR does not require double opt-in for direct marketing. However, double opt-in can prove useful in certain contexts – for example, where a business seeks to build an email list of highest quality, or where it’s concerned about spam subscribers.
A legitimate interest is a clearly articulated benefit to the organisation, to a third party, or to society more widely, that can be derived from processing personal data. For example, a charity may choose to inform supporters about upcoming events and campaigns by post.
Legitimate interest can be overridden by the data subject – the person whose data is being processed. Where the processing is direct marketing, the data subject has an absolute right to object, so an explicit opt-out must always be honoured.
Although it has to be assessed and documented case by case, legitimate interest allows compliant B2B marketing to continue, provided certain new conditions are met. It’s also less restrictive than consent, because legitimate interest allows communication with individuals who have not yet opted in.
The Direct Marketing Association has lobbied extensively to have legitimate interest included as a legal basis for direct marketing, because it more closely matches the operational needs of B2B firms. Businesses expect marketing communications from other businesses which provide goods and services that are relevant to their operations. Individual employees can reasonably expect these communications in the course of their day-to-day working activities. Under legitimate interest, the justification for such activity must be clear, genuine and relate to specific marketing activities (and not offer ‘catch-all’ reasoning).
In this way, businesses that communicate via professional channels (like company phone lines), allow individuals to opt out of contact, and have no blind spots in their data protection policy can continue to implement appropriate B2B marketing activities, citing legitimate interest.
The DMA suggests a three-step Legitimate Interest Assessment (LIA) – a purpose test, a necessity test and a balancing test against the individual’s interests and rights – for deciding whether legitimate interest applies to a business’ direct B2B marketing activities. Record the outcome: the assessment itself is part of your evidence of compliance.
There are four main steps to making sure your legitimate-interest marketing is GDPR-compliant.
If a data subject has explicitly stated that your business can process, hold and use their data for a particular activity, you have their consent.
To comply with GDPR, consent must be freely given, informed, unambiguous and submitted by a clear affirmative action.
Before GDPR | After GDPR
Consent must be informed, specific and freely given | Consent must be unambiguous, informed, specific and freely given
Consent must include an indication of the data subject’s wishes | Consent must include an indication of the data subject’s wishes, including a statement and evidence of a clear affirmative action to grant their consent
Consent includes evidence by which the data subject signifies their agreement to their personal data being processed | Consent includes evidence by which the data subject signifies their agreement to their personal data being processed
These changes in wording indicate that most businesses’ existing practice around consent is not compliant with GDPR. Pre-ticked boxes are not an affirmative action: they are not GDPR-compliant. Implied consent – that is, not choosing to opt-out – is not GDPR-compliant. Silence or inactivity – such as not responding to a contact asking for opt-ins – is not GDPR-compliant. Above all, ambiguous language in privacy policies that implies that consent was not specific or informed is not GDPR-compliant.
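The double opt-in flow described earlier, combined with the evidence requirements in the table above, is straightforward to implement but easy to get subtly wrong. The following is an added illustration in Python – not the Marketing Centre’s code, nor a product of the firms named on this page – of a consent store that refuses to record consent without an affirmative action, ties each confirmation link to one address and one purpose with an HMAC so that a guessed or forwarded link cannot confirm someone else’s address, expires links, and keeps the who/what/when/how evidence a regulator would ask for. The signing key, the 48-hour window, the in-memory store and the sample addresses and IP are assumptions chosen for the example.

```python
"""Double opt-in with an evidence-bearing consent record (added example).

Assumptions (not from the page): one HMAC key, an in-memory store, and a
48-hour confirmation window stand in for whatever a real mailing system uses.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional

CONFIRM_TTL = 48 * 3600  # assumed: confirmation links expire after 48 hours


def _sign(key: bytes, email: str, purpose: str, issued_at: int) -> str:
    """HMAC over (address, purpose, issue time). A link is only valid for the
    address and activity it was issued for; it cannot be guessed or reused."""
    msg = f"{email.lower()}\n{purpose}\n{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(key: bytes, email: str, purpose: str, issued_at: int) -> str:
    return f"{issued_at}.{_sign(key, email, purpose, issued_at)}"


def verify_token(key: bytes, email: str, purpose: str, token: str,
                 now: int, ttl: int = CONFIRM_TTL) -> bool:
    try:
        issued_s, mac = token.split(".", 1)
        issued_at = int(issued_s)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > ttl:
        return False  # forged or stale timestamp
    return hmac.compare_digest(mac, _sign(key, email, purpose, issued_at))


@dataclass
class ConsentRecord:
    email: str
    purpose: str            # the specific activity consented to, not a catch-all
    form_version: str       # which wording the subject actually saw
    requested_at: int       # opt-in one: form submitted with the box ticked
    source_ip: str
    confirmed_at: Optional[int] = None   # opt-in two: link clicked
    withdrawn_at: Optional[int] = None   # opt-out honoured


class ConsentStore:
    def __init__(self, key: bytes):
        self._key = key
        self.records: Dict[str, ConsentRecord] = {}

    def signup(self, email: str, purpose: str, form_version: str,
               box_ticked: bool, source_ip: str, now: Optional[int] = None) -> str:
        """Opt-in one. Returns the token to embed in the confirmation link."""
        now = int(time.time()) if now is None else now
        if not box_ticked:
            # A pre-ticked box, an untouched form or silence is not an
            # affirmative action: store nothing rather than assume consent.
            raise ValueError("no affirmative action recorded; refusing to store consent")
        key = email.lower()
        self.records[key] = ConsentRecord(key, purpose, form_version, now, source_ip)
        return make_token(self._key, key, purpose, now)

    def confirm(self, email: str, token: str, now: Optional[int] = None) -> bool:
        """Opt-in two. Only a valid, unexpired token for this address and purpose counts."""
        now = int(time.time()) if now is None else now
        rec = self.records.get(email.lower())
        if rec is None or not verify_token(self._key, rec.email, rec.purpose, token, now):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, now: Optional[int] = None) -> None:
        """The opt-out: keep the record (it is evidence), but stop mailing."""
        now = int(time.time()) if now is None else now
        rec = self.records.get(email.lower())
        if rec is not None:
            rec.withdrawn_at = now

    def may_email(self, email: str, purpose: str) -> bool:
        """True only for a confirmed, unwithdrawn consent for this exact purpose."""
        rec = self.records.get(email.lower())
        return (rec is not None and rec.purpose == purpose
                and rec.confirmed_at is not None and rec.withdrawn_at is None)

    def evidence(self, email: str) -> Optional[dict]:
        """What you would show a regulator: who, what, when and how consent was given."""
        rec = self.records.get(email.lower())
        return None if rec is None else vars(rec).copy()
```

Two design points are worth noting. The record is never deleted on withdrawal, because proving that you stopped mailing someone when they asked is as important as proving they opted in; and `may_email` checks the purpose, so consent to a newsletter cannot be silently reused for a different campaign.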
B2B businesses should only need to use consent as their legal basis when marketing to sole traders and (non-limited-liability) partnerships. That’s because PECR treats these types of organisation as individual subscribers, not corporate ones. These data subjects must therefore consent on a personal basis, as with B2C marketing.
One of our proven part-time Marketing Directors, Pete Jakob, has joined forces with Andy Hart (Regional Director for Freeman Clarke and IT security expert) and Trupti Harding-Shah (founder of My Inhouse Lawyer) to discuss and establish best practice in GDPR compliance on two occasions: twelve months before GDPR was due to roll out, and again six months later.
On these occasions, the group mapped out an action plan for GDPR compliance, which included implementing significant changes to businesses’ operations and culture.
First, conduct a data audit that includes:
‘Data’ constitutes everything a business knows about their clients, customers and marketing contacts, including written records, voicemail, CCTV recordings and business cards in desks. This includes personal data that can be used to identify individuals, such as names, addresses, phone numbers, IP addresses and demographic information.
Your audit needn’t take longer than necessary. Keep it focused on compliance, and seek to demonstrate your awareness of the new wider meaning of the term ‘personal data’ under GDPR. For more information on conducting a data audit, read the DMA guidance here.
Next, identify a team member to coordinate your IT, marketing and legal teams. Appointing a Data Protection Officer (DPO) is mandatory under GDPR where an organisation’s core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, and is good practice for larger businesses generally; for smaller firms, we recommend your Financial Officer or a Director take on the role.
GDPR is designed to make data protection front-of-mind for businesses. This means implementing an employee awareness program to help staff understand why information must be kept safe and how breaches can occur. While data security is often considered in terms of IT and ‘hackers,’ most damaging incidents are caused by human error on the part of staff.
Team members should therefore be taught how to respond to a breach. First, by informing the DPO, who will then assess the incident and identify those affected. If the breach is likely to put individuals’ rights and freedoms at risk, the DPO must report it to the ICO within 72 hours of the business becoming aware of it, and if the risk is high, the affected individuals must be told without undue delay. A business that has done everything correctly – appropriate controls, prompt reporting – but still suffered a breach is unlikely to be fined by the ICO.
Under GDPR, most businesses will need to implement basic controls – what Article 32 calls ‘appropriate technical and organisational measures’ – to secure personal data both at rest and in transit: access control, encryption, backups and a record of who can see what.
Data should be deleted when it’s out of date, no longer useful or unnecessary to keep. High-risk computerised data must also be encrypted or pseudonymised so that, on its own, it can’t be used to identify an individual. Files that have been deleted from live systems but still exist in backups on remote servers must also be audited, since they remain personal data you hold.
Under GDPR, data subjects can request access to the data that organisations hold on them, and the organisation normally has one month to respond. Many businesses will need to review their storage practices accordingly. Often, IT teams struggle to identify all the data they hold across independent systems. GDPR will therefore encourage organisations to adopt efficient, centralised storage systems that connect to as many operational systems as possible.
Once your audit is complete – and if consent is your chosen basis – contact your customers, clients and subscribers to show them how you’ve updated your policy to comply with GDPR, including how they can manage their own communication preferences. And remember: some contacts will unsubscribe because yours is the fifth ‘opt-in’ message they’ve received on a given day.
Under GDPR, privacy notices must be easy to find and easy to understand. Yours should explain why your business is collecting data, how it will use it, and how long you’ll be keeping it for. You should also offer users a clear, unambiguous and affirmative way to opt out.
This may require you to update your website. For B2C marketing, you’ll need to request explicit consent for data-collection, as outlined in our section on ‘Understanding Consent’ above. If your business has a B2B focus, you’ll need to explain your procedures and controls so that subjects know how to request their data. We’ve covered this in our section on ‘Understanding legitimate interest’ above.
For B2B purposes – and with legitimate interest as the legal basis for direct marketing activity – data acquisition is mostly a matter of communicating relevant information through the right channels and making sure recipients have an option to opt out.
For B2C purposes – and remember, this includes direct marketing to sole traders and partnerships – businesses must demonstrate direct, explicit consent to each marketing activity. That means no more competitions – “tick this box, give us access to your data, and maybe win an iPad” – and no more withholding content behind a data gate – “to read this blog post, you’ll need to sign up to our mailing list.”
Businesses are now responsible for working with GDPR-compliant data suppliers. Having purchased a mailing list, organisations must ensure that everyone on the list has consented to be contacted, and have records confirming this fact. For B2C businesses, contacts must have opted in to receive communications from your company – and not the more generic ‘trusted third party’.
If you need further guidance on any of these steps, consult our collection of independent GDPR guides. These checklists were produced by the ICO and the DMA: bodies with no profit motive around GDPR and a significant role to play in making the legislation a success.
From 25 May 2018, the way businesses collect, process and store data for marketing purposes – or any purposes – will change. If your business processes the personal data of any individual in the EU – anything that can be used to identify the person, even indirectly – you must comply with the new GDPR regulations.
The shift shouldn’t inspire fear in businesses – instead, a sense of opportunity to do better marketing. What’s more, the Information Commissioner’s Office – the body responsible for overseeing GDPR compliance in the UK – has explained that punitive fines will be a last resort. The majority of data protection cases lead to recommendations and investigation, ensuring that best practice is being implemented within organisations.
GDPR provides six legal bases on which companies can process personal data. Of these, legitimate interest and consent are of most interest to marketers. The majority of B2B marketing actions can continue on the basis of legitimate interest, provided that a Legitimate Interest Assessment has been carried out and recorded, and that individual recipients have the opportunity to exert their rights and opt out.
There are twelve basic steps to GDPR compliance, as outlined by the ICO:
If you’re feeling ready to take on the marketing challenge, complete the DMA-accredited IDM Award in GDPR – a certification that proves you’re on course to compliance. If you need a new inbound marketing strategy, take our Marketing 360 Assessment to find out where you stand. And for more news on GDPR, and the B2B marketing sector as a whole, sign up for our newsletter.