Who’s Afraid of GDPR?

Samantha Magee

2 May 2018


The application of Legitimate Interest in B2B marketing.

Data Privacy and Protection is not new

Drafted in 1950 and implemented in 1953, the European Convention on Human Rights provides for “rights to privacy of family life, home and correspondence” (article 8).

The 6 core principles listed under Article 5 of the Convention were included in EU Directive 1995, which then was updated in 2003 by the regulation of electronic communication practices, becoming the Privacy and Electronic Communication Regulation (PECR) in the UK.

This means that, as B2B marketers, you are likely very familiar and comfortable dealing with privacy and protection issues, as they have been part of our European communications and exchange culture for more than 60 years.

The regulators are trying to keep up with technology

Technology and the digitization of our lives have exponentially increased the amount of personal data we generate, and sky-rocketed the ability of organisations to collect, compile and use that data. The GDPR is essentially a prescription for how those organisations should clearly chart, map and evaluate the personal data they acquire, process and control.

Indeed, “automated processing” of data is specifically mentioned in Article 22, which reads:

“The data subject shall have the right not to be subject to a decision based solely on automated processing (…) The data subject has the right to obtain human intervention on the part of the controller”

In a B2C environment, for example, the idea that an algorithm alone might determine an individual’s ability to access insurance and credit is squarely in the sights of Article 22. It is essential that an individual has the right to speak to a person, and to be assured that empathy and human understanding are part of the decision-making process. The power of Artificial Intelligence to reduce issues of human bias and other shortcomings does not replace the importance and benefit of empathy – which remains a uniquely human skill.

So why are B2B marketing and sales professionals nervous about the GDPR?

Everyone will have their own ideas on this, but most of the questions raised by our clients fall into 3 main groupings:

  1. It is broad-reaching – the GDPR is one of very few pieces of EU legislation that goes into law in all member states at the same time, without requiring each member state to ratify it in their respective parliaments.
  2. It is backed up with the potential for very significant fines – up to €20 million or 4% of the company’s global annual turnover.
  3. And there are many elements of the regulation that will be open to interpretation. For example, during his recently televised testimony, Mark Zuckerberg, CEO of Facebook, was asked “if I delete my Facebook account, would all my data be deleted too?”. The answer was a simple “Yes”. Does that mean that anywhere a name appeared an empty space will be left? What about when friends tag each other on pictures? Will all the images that are connected to a name also be deleted? A simple “Yes” might sound satisfactory and reassuring, but will it guarantee GDPR compliance?

And how does this most recent legislation affect B2B Marketing?

Rhetorik’s business is founded upon the collection and exchange of data for B2B technology marketers. GDPR is an opportunity to influence and promote best practice, by sharing with clients and their marketing teams the policies that Rhetorik have implemented and updated through the years.

When thinking about the impact of the GDPR on B2B marketing, it might be helpful to consider 3 or more distinct segments:

Business Suspects: you do not have previously established relations with these organisations, but they form part of your potential market

Business Prospects: you have had recent, direct sales or marketing contact with these organisations

Business Clients: these organisations are currently receiving services/products from you.

The GDPR applies to all these segments, but nowhere does it say that direct marketing efforts should stop. On the contrary, Recital 47 of the regulation states:

And “legitimate interest” together with “consent” are both listed in Article 6 as potentially providing a legal basis for processing personal data within the GDPR.

Article 6(f) reads:

Processing shall be lawful (…) if it (…) is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So how does this apply to Rhetorik?

The information here refers specifically to Rhetorik’s understanding of the GDPR, how it differs from the DPA and other legislation, and how it applies to its own business. The interpretation focuses on B2B marketing, and specifically on the relationships between technology vendors and buyers, including decision makers, recommenders and influencers.

Data Minimization – The personal data processed by Rhetorik is carefully reviewed and minimized, comprising only information that would appear on a standard business card. The only automated processing that occurs is to map an individual’s unique Job Title to a Job Function, which in turn is linked to technology purchasing behaviours and influence.

Impact – To establish that legitimate interest could be a lawful basis for the processing of Business Card Information of technology buyers, decision makers and influencers, Rhetorik has completed a Legitimate Interest Assessment (LIA) and weighed the impact our research, validation process, and collaboration with 3rd parties would have on the data subject (Business Card Owner). Article 35 of GDPR provides clear information on how an Impact Assessment can be conducted, and templates are easily available.

Reasonable Expectations – Recital 47 states: “…the legitimate interests of a controller … or of a third party, may provide a legal basis for processing, provided that the interests … of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller …”

Technology purchasing by organisations has greatly changed in the past 20 years, with many more job functions involved in the decision-making process, and many more individuals who might have a reasonable expectation to be marketed to by technology vendors. For example, today an HR Director would be classified as a decision maker in the purchasing process of HR-related technology, while 20 years ago they would have been considered an influencer – the decision would have been made only by someone with the technical knowledge of client-server architecture and how it supported business applications.

Notification – Rhetorik notifies all Corporate Business Card owners, who are listed as technology decision makers, recommenders and influencers, and those individuals are given multiple channels to communicate with Rhetorik, to have a copy of their Business Card Information, to make updates, to define if all or part of the Business Card is to be listed in the Legal Entity and to ask to be removed from sharing with 3rd parties.

And what does this mean for B2B technology marketers?

Everything here should be taken simply as our own interpretation of the legislation, and you should certainly get your own legal advice before deciding on a course of action. Having said that, let’s return to those three customer segments and consider what you might be able to do with each of them:

Business Suspects: they form part of your potential market because they are a decision maker, recommender or influencer for your technology. As such, you have a legitimate interest in processing their personal data, and they are likely to have a reasonable expectation to receive marketing from you. You will likely need to notify them of your interest and ensure they can access, update or ask to delete the personal data you process.

Business Prospects: you have had recent, direct sales or marketing contact with these organisations, so they will have a reasonable expectation to receive further relevant marketing from you. If they have opted in to receiving your communications, you might want to ensure their consent meets the more rigorous requirements in the GDPR, and ensure they can access, update or ask to delete the personal data you process.

Business Clients: Again, there will be a legitimate interest in processing their personal data, and they will have a reasonable expectation to receive relevant communications related to their current relationship with you. However, you must take care that the personal data you process is not excessive, and ensure they can access, update or ask to delete the personal data you process.

Who’s afraid of GDPR?

To conclude, and thinking about the children’s tale of the 3 little pigs and the big bad wolf – Is your data warehouse made of straw, wood or bricks?

For organisations that have largely disregarded previous legislation and compliance needs, or may have lost control of the channels and sources of data, their data warehouse might be made of straw and compliance towards GDPR might require significant data and process changes.

Organisations who have applied clear policies in the past, and whose business is not personal data, might consider their direct marketing data warehouse to be more sturdily built of wood. Capturing of personal data in a CRM by sales and marketing teams requires monitoring, and additional policy and process upgrades may be required to ensure GDPR compliance.

Those organisations that have kept privacy and protection policies up to date, and have applied best practice each time a new piece of personal data has been added to the data warehouse, might be living in a house made of bricks. For them, the road to GDPR compliance is an opportunity to have a good spring clean and ensure that any old, unnecessary data are removed and data retention logs are kept up to date.

In short, the GDPR coming into force on 25 May is not another Y2K-type single moment in time. Rather it is an on-going requirement, and failing to comply may have consequences, which the ICO and its equivalent organisations around Europe will look to enforce.

Rhetorik is, however, confident that the legislators and the public bodies that will implement GDPR and data privacy regulations have no intention to damage beyond repair an industry whose core focus, when best practice is applied, is to enable commerce and the exchange of knowledge about products, and to facilitate educated purchasing decisions.

By carefully considering which Business Card owners are eligible to receive a relevant marketing message, B2B marketers will see an increase in ROI and open/click rates and be able to predict campaign conversion rates more easily.