GDPR in B2B

Did the elephant enter a new room?

Have you heard about these rumours that GDPR may kill the success of newsletters and email campaigns? Against that, a B2B marketing survey of Contentive found out that email marketing has been in focus for ongoing investments in digital marketing and expects further growth. Besides, do 47% of B2B marketers think that email marketing provides – even before Social Media – the second best ROI when it comes to marketing strategies.

So better not give up and stand the competition by reading this article and making your B2B marketing compliant with GDPR.

Not too long ago, in May this year, the General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC (DPD). What is clear from that is that stricter rules should ensure and respect an individual’s privacy and consequently its’ personal data. From that, it could be concluded that “personal data” does not equal “business contacts” and thus the GDPR is not a topic for B2B.

We are afraid, however, that we can not confirm this simple reasoning. That might cause already some confusion at this early point of the article. So let’s bring some light into the darkness and clear up any doubts. Before you are going to perform your next B2B marketing outreaches, make sure that your contact lists comply with the GDPR and PECR rules.

Did you know that according to a survey of trustarc from June 2018 only 20% of companies believe that they are compliant with GDPR?

Back to the roots – let’s refresh the basics

GDPR applies when processing of personal data is given. That is starting already from the point you can identify an individual in a direct or indirect manner. Also in case the individual is acting with professional intention,  let’s say f.e. you have an email address which reveals first name and surname.  However, with all this talking about GDPR, PECR is getting forgotten way too often.

Let’s go briefly through some essential facts.

PECR handles on the one hand rules for activities regarding marketing and advertising through electronic means. Many of the determined rules in the PECR protect individuals as well as companies. It is particularly interesting that PECR in comparison to GDPR is also valid when you do not even know the name of the person you are going to contact.

If you think that GDPR replaced PECR, you are on the wrong track. These regulations complement each other and above all show some overlaps in terms of concepts and definitions. So if you are working in B2B marketing, you have to take both into account.

But did you know when GDPR applies, it does not automatically mean that asking for consent is always mandatory? It is just one kind of lawful basis for processing data. So if you are able to justify legitimate interests as your lawful basis and you do not obtain consent under PECR (review this checklist: PECR checklist), you will have the green light to perform your B2B marketing activities.

Legitimate interests in B2B marketing approaches

This more flexible lawful basis of processing allows you to process personal data when your company works in favor of an individual’s legitimate interest. It may sounds now contradictory as the heading indicates legitimate interests in B2B. Nevertheless, you have to take into account that you are contacting a human being and not a computerized machine.

Before you rely on legitimate interests you should consider whether the data processing has a low impact on the individual’s privacy, consent according to PECR is not required and a proof that the processing of personal data is proportionate.

If your contacting causes a big surprise on the individual’s side of the individual, it merely reveals that you apparently lack legitimate interest. To identify whether you have it or not, you should ask yourself the following three questions.

1. Do I have a legitimate interest?

They can be for example commercial, individual or of third parties.

2. Can I show the necessity of processing data?

If the goal can be reached in other ways which are less intrusive, you will be not able to rely on legitimate interest.

3. Do rights of the individual outweigh my legitimate interests?

If data processing is not expectable or is doing any harm, personal rights, interests and freedom of the individual clearly override the legitimate interests.

If you can answer all of them with a “YES”, you are ready to go!

A given example of ICO suggests that in case of a business event where guests leave their business cards to the organizer, it can be assumed that they expect to be contacted in terms of networking activities for example. The organizer acts in their legitimate interest by processing the data of their cards.

Consent

Consent is always given out of free will. In addition, it includes individuals’ right to an ongoing choice and control over your use of their data. It starts with a positive action opt-in, which is easy to understand and also user-friendly. Moreover, it has to be separated from the general terms and conditions and needs a visible and at all time possible opt-out option. For more information, please follow this link.

Consent is not necessary when you can rely on legitimate interest or another lawful basis.

Electronic marketing messages which are sent to corporate subscribers do not have to follow the rules on consent. Your simple identification and the supply of your contact details are adequate to reach out to companies, Scottish partnerships, other corporate bodies eg limited liability partnerships, and government bodies – excepting sole traders and some partnerships.

B2B Marketing approaches via email and texts

Without a problem you can send marketing texts or emails to any corporate body – even to a government body. However, you have to distinguish here between a corporate body’s email address (info@companyname.com) and a personal corporate email address of an employee (firstname.lastname@companyname.com). What applies in the latter case? Yes, you may have to respect GDPR again, unless you have a legitimate interest.

Don’t forget that behind your business contact stands an individual; thus you are processing his personal data. This, in turn, implies that these individuals have rights which among other things include the right to be informed about the data processing.

Without clear permission, which means a specific consent to receive marketing messages (opt-in-box) you are not allowed to send them to sole traders and some kind of partnerships. Though, in case they have received similar content from you on previous occasions and have not exercised their opt-out option you are allowed to contact them.

But how do existing contacts, in general, need to be treated? While an explicit consent permits further contacting, a purchased mailing list or contacts which were automatically opted-in due to pre-checked boxes, forces you to obtain genuine consent again.

Key insight: with legitimate interest as a lawful basis you do not need consent for B2B marketing mails and texts

For the future

If your company is serving B2C and B2B customers, be sure to separate these contacts. You can start by adjusting your subscription forms on the website. Include fields for the company name and also the size in order to sort out sole traders. In addition, provide an opt-in tick box which makes clear what the subscriber agrees to.

Our advice regarding consent: better safe than sorry!

Key insight of this article is, when you can ensure legitimate interests of your B2B contact, you do not need consent before contacting. However, document everything in case your company gets investigated. The same you have to do for all consent given. Whenever someone objects to your approach or uses the opt-out option, the deletion of all personal information is mandatory, and a “not-to-call-list” does no longer serve.

Would you like to start your own B2B email marketing campaign and be sure you are GDPR compliant? Contact us for a first advice.