Take for example an individual’s work email, say firstname.lastname@example.org. From this one email address we have a name, a company name and can reasonably assume that the individual is based in Ireland.
So ask yourself: does this seem to make the individual identifiable? We’re going to assume you answered yes to this, and if not, well, you’ve got a lot of reading to do!
Throughout this article we are going to attempt to debunk some of the most common GDPR misconceptions that we regularly come across in a B2B setting.
If there’s anything we’ve missed or that you’d like more clarity on, just pop us a mail at email@example.com. Oh, and just to clarify, that email isn’t personally identifiable and as such won’t fall under GDPR!
“Do I need consent to contact B2B customers?”
As with any type of marketing communication, consent is not always required, as it isn’t the only legal basis for processing. There are in fact 7 legal bases under which data can be processed:
- Contractual Necessity
- Legal Obligation
- Vital Interests
- Public Interests
- Legitimate Interests
It is up to you to determine the best legal basis for each processing activity and document why exactly it was chosen. Consent may be the best basis for your electronic marketing initiatives as you will need to ensure that these comply with the Privacy and Electronic Communications Regulations (PECR).
Another legal basis, and possibly one of the most talked about when it comes to B2B, is that of Legitimate Interests. This particular basis can be used in situations in which you can prove that you are using individuals’ data in a way that they can reasonably expect. Legitimate Interests is the most flexible basis for processing, but you can’t expect that it will be the most appropriate. It can be used in situations where you are seeking to inform existing clients/customers of services/products which you provide that you can reasonably assume would be relevant to them. Take, for example, placing an advertisement in a business publication. In this instance the publication could contact you with upcoming advertising opportunities under legitimate interests: seeing as you have previously advertised with them, it is not unreasonable to assume that you may have an interest in doing so again, or that they may have an interest in you doing so again.
“Can I contact potential leads over the phone or by email?”
Seeing that the GDPR is solely concerned with data which is considered to be personally identifiable, it would be reasonable to assume that you can contact any corporate body where the email does not identify a specific individual. As mentioned previously, firstname.lastname@example.org is personally identifiable whereas email@example.com is not and therefore only the latter can be contacted without the need to determine a legal basis for doing so.
However, it is important to note that the GDPR is not the only law that governs data protection within Europe. The e-Privacy Directive or PECR contains supplemental rules governing consent requirements for e-marketing. PECR states that “It is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services”. It distinguishes between B2B and B2C communications sent via “electronic communication services”. It states that for B2C marketing, the data subject must have given consent to receive communication, but for B2B, there is greater flexibility allowing you to email corporate bodies but the individual employee should be given the opportunity to opt out.
Much of the direct marketing that businesses send today is sent lawfully on the basis of opt-out, not opt-in (i.e. consent). In these instances, there is therefore no legal requirement for these businesses to seek fresh consents under the GDPR because their marketing was never based on consent (opt-in) in the first place.
“Does the GDPR mean we have to get fresh consents from our entire marketing database?”
To answer this question, we need to look at the way in which consent was initially obtained. Under GDPR, consent must be freely given, unambiguous, specific and informed. It requires a positive action to opt in, must be unbundled from other terms and conditions, concise and easy to understand, and easy to opt out from.
So, if you have collected consent pre-GDPR by a method that is compliant with current regulation/best practice, you will be covered, i.e. if you have used explicit opt-ins and avoided the use of pre-ticked boxes or bundling consent with T&Cs (all practices which we have long advised our clients against), you are good.
However, if you haven’t followed the above guidelines and have used tactics which go against best practice to populate marketing lists, then you are going to need to either clear those lists, determine a different legal basis for processing said data, or deploy a re-permissioning campaign.