GDPR – 10 things B2B Marketers need to know
What resources do you use to explain the continuing opportunities for B2B direct marketing in the UK and the EU to those worried about GDPR?
Over the past year or more, you’ve probably read numerous blogs, articles, white papers and opinions, all purporting to shine a light on the General Data Protection Regulation (GDPR), explaining, interpreting and simplifying it for readers.
However, far from achieving these worthy aims, many of them have been inaccurate, incomplete, sometimes incomprehensible, and rarely written with any obvious authority.
What is needed is a resource for B2B marketers, a collection of essential quotes, interpretations, explanations and opinions from those organizations and individuals that do have authority – the information commissioners themselves, their organizations and a select few others – all linked back to the original source.
Here are some of my favorites. What are yours?
Legal Basis for Processing
First up is whether to use legitimate interest or consent as our legal basis for processing personal data:
1. All legal grounds are equal and the decision to select either consent or legitimate interests for marketing activity should be made on what is best for your customers and your organisation, so long as your intentions remain transparent.
2. Consent can give people genuine choice but is only required when no other lawful basis exists or when PECR requires it. Legitimate interests is an equally valid ground for marketing activity and provides marketers with more flexibility to connect with customers.
Source: Direct Marketing Association (DMA) with an Introduction by Elizabeth Denham, UK Information Commissioner, ICO – pdf
So if legitimate interests and consent are equally valid, when can we use legitimate interest:
3. Are there cases when legitimate interests is likely to apply?
The GDPR highlights some processing activities where the legitimate interests basis is likely to apply:
– direct marketing
4. Can we use legitimate interests for our business to business contacts?
Yes, it is likely that much of this type of processing will be lawful on the basis of legitimate interests.
Source: Information Commissioner’s Office, Guide to the General Data Protection Regulation
5. When can I not send electronic mail to Business Contacts (Customers and non Customers)?
You may not use electronic mail to send a marketing message to a business contact address/number if the subscriber has notified you that they do not consent to the receipt of such communications (opted out).
Opt-out means that you can market an individual provided you have previously given them the option not to receive such marketing and they have not availed of this option.
Source: Data Protection Commission (Ireland)
And for those that think Consent is a safer option:
Source: Giovanni Buttarelli, European Data Protection Supervisor, EDPS (EU’s independent data protection authority, as quoted on TechCrunch)
Which brings us on to the sensitive topic of fines:
7. “You will know by now that I prefer the carrot. Education, engagement, encouragement all come before enforcement.”
Source: Elizabeth Denham, Information Commissioner, ICO
8. “I have said many times that we are a pragmatic regulator and that hefty fines will be reserved for those who wilfully or persistently flout the law. The more serious, high-impact, deliberate, wilful or repeated breaches can expect the most robust response”
Third Party Data
What about sourcing data from third parties:
9. Can data received from a third party be used for marketing?
Before acquiring a contact list or a database with contact details of individuals from another organisation, that organisation must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes …. Such lists are processed on grounds of legitimate interests and individuals will have a right to object to such processing.
Source: European Commission
GDPR Full Text
Last but not least, the full text of the GDPR itself (in English), which is helpful to refer to when fact-checking.
10. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Source: EUR-Lex (Access to European Law)