The Marketing Centre offer their no-nonsense guide to GDPR for UK B2B businesses, including information on email marketing, consent and legitimate interest – plus links to more information.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a new set of data protection laws, intended to standardise data protection practice across Europe, which comes into force on the 25th of May 2018.
Why is GDPR being implemented?
Guidelines for data protection and privacy across EU borders have existed since 1980, but they have never been implemented consistently, even after a 1995 directive. Since then, internet usage has become more widespread and technologies such as cloud storage and social media have changed the way data is processed, held and transferred.
Who does GDPR affect?
If your business processes the personal data of any EU citizen, you must comply with GDPR. ‘Personal data’ means anything that can be used to identify a person, even indirectly: this includes names, photos, contact details, posts on social networks, medical information and IP addresses.
The British government has supported GDPR from the date of proposal, and future UK data protection laws are likely to resemble GDPR in most details. Beyond this, GDPR compliance will provide a baseline against which UK businesses can deal with EU businesses. For both of these reasons, GDPR will remain a priority for British companies even after Brexit.
Are there fines for non-compliance?
The maximum possible fine for non-compliance is 4% of annual global turnover or €20 million – whichever is higher – depending on the transgression. However, the Information Commissioner’s Office (ICO) responsible for data protection in the UK has explained that fines will be a last resort, and that it won’t set large fines early on to ‘make an example’ of businesses.
What does GDPR mean for B2B marketing?
It’s vital to understand that GDPR works differently for B2C and B2B marketing. The legal difference between these activities is derived from an older piece of EU legislation – Privacy in Electronic Communication Regulations (PECR) – which will remain in force after GDPR is rolled out.
GDPR offers two legal bases for marketing purposes. First, consent, in which a data subject – the individual customer, contact or body – has agreed to specific marketing activities. Second, legitimate interest, in which a business’ day to day operations necessarily includes some degree of marketing to data subjects.
Under PECR, legitimate interest cannot be used to justify B2C marketing. This is because legitimate interest only applies in instances that involve contacting an individual in their capacity as an employee of an organisation, using a corporate email address, phone number or otherwise, and not their personal ‘non-work’ contact.
This guide will examine the challenges created by GDPR. It will look at both consent and legitimate interest as legal bases for B2B marketing, and will offer key steps for building GDPR-compliant processes and systems into your business operations.
The GDPR challenge for B2B businesses
Our expert partners in law and IT have observed many businesses coming up short when it comes to GDPR – with some not even compliant with pre-GDPR legislation. A number have substantial blind spots in their data-processing thanks to an incomplete understanding of what ‘personal data’ actually means. Some think GDPR is all about information security, and believe anything about ‘data’ is a matter for their IT director alone.
This shouldn’t reflect badly on SME owners. The will to act on GDPR is there, but businesses lack a clear course of action for doing so. This challenge has been compounded by competing, confusing and self-interested advice from consultants and data processors looking to profit from the rush toward compliance and/or cover up their bad practice in the past.
In particular, the early months of GDPR discourse saw a great deal of confusion around ‘consent’ for marketing. Partly, this is due to the legacy of PECR – legislation which does mandate consent for B2C marketing – and partly down to businesses’ incomplete understanding of GDPR.
GDPR provides six legal bases for data collection, processing and storage. These are consent, contract, legal obligation, vital interest, public task and legitimate interest. Most are matters of necessity, applying to organisations which must process data to carry out their services securely. However, the basis of legitimate interest allows businesses to market directly to other businesses by communicating with their employees.
The concept of double opt-in has also caused some confusion. Double opt-in is the ‘belt and braces’ approach to email marketing signups and applies only to activity justified by consent – not by legitimate interest. Under this model, the potential subscriber fills out and submits an online signup form (opt-in one), and the business sends an automated confirmation email with a link that the subscriber has to click to verify their email (opt-in two.)
GDPR does not require double opt-in for direct marketing. However, double opt-in can prove useful in certain contexts – for example, where a business seeks to build an email list of highest quality, or where it’s concerned about spam subscribers.
Understanding ‘legitimate interest’ as a legal basis for B2B marketing
What does legitimate interest mean?
A legitimate interest is a clearly articulated benefit to a single company, or society more widely, that can be derived from processing personal data. For example, a charity may choose to inform supporters about upcoming events and campaigns via post.
Legitimate interest can be overridden if the data subject – the person whose data is being collected – explicitly opts-out of the business’ activity.
Why is legitimate interest preferable to consent, for B2B marketing?
Although it’s subjective and has to be proven, legitimate interest allows compliant B2B marketing to continue, provided certain new conditions are met. It’s also less restrictive than consent, because legitimate interest allows communication with individuals who have not yet opted in.
The Direct Marketing Association has lobbied extensively to have legitimate interest included as a legal basis for direct marketing, because it more closely matches the operational needs of B2B firms. Businesses expect marketing communications from other businesses which provide goods and services that are relevant to their operations. Individual employees can reasonably expect these communications in the course of their day-to-day working activities. Under legitimate interest, the justification for such activity must be clear, genuine and relate to specific marketing activities (and not offer ‘catch-all’ reasoning).
In this way, businesses that communicate via professional channels (like company phone lines), allow individuals to opt out of contact, and have no blind spots in their data protection policy can continue to implement appropriate B2B marketing activities, citing legitimate interest.
How do I tell if legitimate interest applies to my business?
The DMA suggests a three-step Legitimate Interest Assessment (LIA) for deciding whether legitimate interest applies to a business’ direct B2B marketing activities.
- Identify the potential interest. Who benefits from this activity? It may be you or the intended recipient, so long as there is a business-first purpose to the specific activity.
- Confirm that it’s necessary. There’s a grey area between what’s necessary for business activity and what’s useful. The DMA suggests asking: can you fulfill the interest by other means? If not: it’s necessary.
- Strike a balance. Do the sender’s interests in this activity override the recipient’s rights?
The DMA has provided fuller guidelines and a template for conducting your assessment here.
How do I implement legitimate interest as my legal basis for data collection, processing and storage?
There are four main steps to making sure your legitimate-interest marketing is GDPR-compliant.
- Carry out a full data audit. This includes non-computerised data. Everything that could be used to identify a person is ‘data’ under the terms of GDPR. Ask yourself if it’s necessary for you to hold this data, and if the subject can expect you to use and hold it. For more information, read the DMA data auditing guide.
- Carry out a Legitimate Interest Assessment. Review each marketing activity according to the process above. Is there a benefit, a necessity and a balance between your rights and those of the data subject? You’ll need to record and store these assessments formally; the DMA guidelines on legitimate interest include a template for doing so.
- Update your privacy notice. This must identify the legal basis for your data processing; how you obtain data; how you use it, and why. Keep it readable and accessible. The DMA has provided guidance on writing a compliant privacy notice.
- Check that your data-capture forms are compliant. In particular, they have to include links to your data protection policy, which must be accessible at the point when users opt in or out.
Understanding ‘consent’ as a legal basis for B2B marketing
What does consent mean?
If a data subject has explicitly stated that your business can process, hold and use their data for a particular activity, you have their consent.
To comply with GDPR, consent must be freely given, informed, unambiguous and submitted by a clear affirmative action.
How does GDPR change the requirements for consent?
Consent must be informed, specific and freely-given
Consent must be unambiguous, informed, specific and freely-given
Consent must include an indication of the data subject’s wishes
Consent must include an indication of the data subject’s wishes, including a statement and evidence of a clear affirmative action to grant their consent
Consent includes evidence by which the data subject signifies their agreement to their personal data being processed
Consent includes evidence by which the data subject signifies their agreement to their personal data being processed
These changes in wording indicate that most businesses’ existing practice around consent is not compliant with GDPR. Pre-ticked boxes are not an affirmative action: they are not GDPR-compliant. Implied consent – that is, not choosing to opt-out – is not GDPR-compliant. Silence or inactivity – such as not responding to a contact asking for opt-ins – is not GDPR-compliant. Above all, ambiguous language in privacy policies that implies that consent was not specific or informed is not GDPR-compliant.
When should my business use consent as a legal basis for B2B marketing?
B2B businesses should only need to use consent as their legal basis when marketing to sole traders and partnerships. That’s because PECR defines these types of organisations as individuals, not businesses. These data subjects must therefore consent on a personal basis, as with B2C marketing.
Building GDPR-compliant processes and systems into your business
One of our proven part-time Marketing Directors, Pete Jakob, has joined forces with Andy Hart (Regional Director for Freeman Clarke and IT security expert) and Trupti Harding-Shah (founder of My Inhouse Lawyer) to discuss and establish best practice in GDPR compliance on two occasions: twelve months before GDPR was due to roll out, and again six months later.
On these occasions, the group mapped out an action plan for GDPR compliance, which included implementing significant changes to businesses’ operations and culture.
1. Audit your data
First, conduct a data audit that includes:
- Which data you hold;
- Where you store it;
- Who can access it, and
- What you’re using it for.
‘Data’ constitutes everything a business knows about their clients, customers and marketing contacts, including written records, voicemail, CCTV recordings and business cards in desks. This includes personal data that can be used to identify individuals, such as names, addresses, phone numbers, IP addresses and demographic information.
Your audit needn’t take longer than necessary. Keep it focused on compliance, and seek to demonstrate your awareness of the new wider meaning of the term ‘personal data’ under GDPR. For more information on conducting a data audit, read the DMA guidance here.
2. Train your staff
Next, identify a team member to coordinate your IT, marketing and legal teams. For larger businesses, this will mean appointing a Data Protection Officer (DPO); for smaller firms, we recommend your Financial Officer or Director.
GDPR is designed to make data protection front-of-mind for businesses. This means implementing an employee awareness program to help staff understand why information must be kept safe and how breaches can occur. While data security is often considered in terms of IT and ‘hackers,’ most damaging incidents are caused by human error on the part of staff.
Team members should therefore be taught how to respond to a breach. First, by informing the DPO, who will then assess the incident and identify those affected. If the breach poses harm to a data subject, then the DPO should report the incident to the IPO within 72 hours. In this case, a business that has done everything correctly but still suffered a breach is unlikely to be fined by the ICO.
3. Review your systems
Under GDPR, most businesses will need to implement basic controls to secure data that’s at rest or in transit.
Data should be deleted when it’s out of date, no longer useful or unnecessary to keep. High-risk computerised data must also be encrypted or anonymised so that it can’t be used to directly identify an individual. Files that have been deleted but backed-up on remote servers must also be audited.
Under GDPR, data subjects can request access to the data that organisations hold on them. Many businesses will need to review their storage practices accordingly. Often, IT teams struggle to identify all the data they hold across independent systems. GDPR will therefore encourage organisations to adopt efficient, centralised storage systems that connect to multiple operational systems as possible.
Once your audit is complete – and if consent is your chosen basis – contact your customers, clients and subscribers to show them how you’ve updated your policy to comply with GDPR, including how they can manage their own communication preferences. And remember: some contacts will unsubscribe because yours is the fifth ‘opt-in’ message they’ve received on a given day.
Under GDPR, privacy notices must be easy to find and easy to understand. Yours should explain why your business is collecting data, how it will use it, and how long you’ll be keeping it for. You should also offer users a clear, unambiguous and affirmative way to opt out.
This may require you to update your website. For B2C marketing, you’ll need to request explicit consent for data-collection, as outlined in our section on ‘Understanding Consent’ above. If your business has a B2B focus, you’ll need to explain your procedures and controls so that subjects know how to request their data. We’ve covered this in our section on ‘Understanding legitimate interest’ above.
5. Reconsider how you acquire data
For B2B purposes – and with legitimate interest as the legal basis for direct marketing activity – data acquisition is mostly a matter of communicating relevant information through the right channels and making sure recipients have an option to opt out.
For B2C purposes – and remember, this includes direct marketing to sole traders and partnerships – businesses must demonstrate direct, explicit consent to each marketing activity. That means no more competitions – “tick this box, give us access to your data, and maybe win an iPad” – and no more withholding content behind a data gate – “to read this blog post, you’ll need to sign up to our mailing list.”
Businesses are now responsible for working with GDPR-compliant data suppliers. Having purchased a mailing list, organisations must ensure that everyone on the list has consented to be contacted, and have records confirming this fact. For B2C businesses, contacts must have opted in to receive communications from your company – and not the more generic ‘trusted third party’.
If you need further guidance on any of these steps, consult our collection of independent GDPR guides. These checklists were produced by the ICO and the DMA: bodies with no profit motive around GDPR and a significant role to play in making the legislation a success.
From the 25th May 2018, the way businesses collect, process and store data for marketing purposes – or any purposes – will change. If your business processes the personal data of any EU citizen – anything that can be used to identify the person, even indirectly – you must comply with the new GDPR regulations.
The shift shouldn’t inspire fear in businesses – instead, a sense of opportunity to do better marketing. What’s more, the Information Commissioner’s Office – the body responsible for overseeing GDPR compliance in the UK – has explained that punitive fines will be a last resort. The majority of data protection cases lead to recommendations and investigation, ensuring that best practice is being implemented within organisations.
GDPR provides six legal bases on which companies can process personal data. Of these, legitimate interest and consent are of most interest to marketers. The majority of B2B marketing actions can continue on the basis of legitimate interest, provided that a Legitimate Interest Assessment has been carried out and recorded, and that individual recipients have the opportunity to exert their rights and opt out.
There are twelve basic steps to GDPR compliance, as outlined by the ICO:
- Build awareness. Ensure decision makers are aware of GDPR and the likely impact of the regulation.
- Review your data. Conduct an information audit to document the personal data you hold, its origin and who the information is shared with.
- Publish privacy information. Review and update privacy notices to be GDPR-compliant.
- Ensure individual rights. Review your processes to check they guarantee individuals’ rights to request and delete your organisation holds on them.
- Subject access requests. Plan how you will handle requests for personal data, making sure you can hit the necessary timelines and encrypt, anonymise and secure data.
- Identify your lawful basis for processing data. This decision should be documented and outlined in your updated privacy notice.
- Review consent. Assess how you seek, record and manage consent, making revisions where necessary.
- Consider individuals’ ages. Consider implementing systems to verify data subjects’ ages, obtaining parental or guardian consent to process data belonging to children.
- Prepare for breaches. Create processes for detecting, reporting and investigating data breaches.
- Data Protection by Design and Data Protection Impact Assessments. Study the ICO’s code of practice on Privacy Impact Assessments and latest guidance from the Article 29 Working Party. Consider how to implement them in your organisation.
- Data Protection Officers. Delegate control of and responsibility for data protection compliance and consider whether you should formally designate a Data Protection Officer.
- Review your international status. Organisations operating in more than one EU member state – including those who perform ‘cross-border processing’ – should identify their lead data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). Use Article 29 Working Party guidelines for support, here.
If you’re feeling ready to take on the marketing challenge, complete the DMA-accredited IDM Award in GDPR – a certification that proves you’re on course to compliance. If you need a new inbound marketing strategy, take our Marketing 360 healthcheck to find out where you stand. And for more news on GDPR, and the B2B marketing sector as a whole, sign up for our newsletter.