We’ve been offering prospecting as a service for longer than anyone in the UK. It’s all we do. And we love it. We’ve written some answers to common questions below.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
The General Data Protection Regulation (GDPR) was adopted on 27th April 2016 and brings all EU member states under a common framework regulating data protection.
By 25th May 2018, each EU member state must implement a local data protection framework that (as a minimum) complies with the master GDPR framework.
The UK Government has appointed the Information Commissioner's Office (ICO) as the official body charged with ensuring national compliance with the GDPR.
It is important to take GDPR compliance seriously, since the penalties for non-compliance can reach 4% of annual global turnover or €20m (whichever is higher).
Most marketing formats have evolved to rely heavily on the use of customer data.
GDPR is a rule set governing the circumstances and manner in which data can be processed legally. It also introduces some scary consequences for falling foul of the law.
GDPR also sets out the framework for which types of data are considered private and should be treated as such. The GDPR-savvy phrase used to describe private data is Personally Identifiable Information.
Most businesses are surprised by the amount of Personally Identifiable Information (PII) stored within their systems, often without any specific intent or purpose.
The aim of GDPR is to provide fresh governance on data protection. From that perspective we were already in a good place. From an email outreach perspective, GDPR guidelines oblige us to ensure that marketing emails are directed to prospects who are likely to find the content useful and relevant. So, we ensure that:
- The topic of the email is clearly identified.
- There is a clear way to opt out from future emails.
- Each email comes from a genuine email address.
- Our client’s identity is clear and within the email.
GDPR is lengthy and complex. There are many other things we’ve changed too. You can read about all of them in this Q&A section.
There’s a misconception that you need a B2B prospect’s consent to email them. That’s because the Privacy and Electronic Communications Regulations (PECR) require consent to email B2C prospects. B2B marketing communications are, generally speaking, exempt from PECR consent requirements.
We send millions of emails each year. As GDPR has got closer, we’ve noticed that more prospects mistakenly believe that social prospecting will be illegal after May 25th.
A: It won’t. Provided, of course, that the regulations’ various guidelines on data protection, relevance, targeting, etc. are followed. It hasn’t been easy. In fact, it has taken many months of blood, sweat and tears for us to say with 100% heartfelt confidence that every SoPro campaign is and always will be 100% GDPR compliant.
We can save you time and money with GDPR compliant prospecting
A: If you’ve been running internal prospecting campaigns and you haven’t changed your process to comply with GDPR then we can save you time and money. We’ve done all of the hard work. Our email outreach campaigns are 100% compliant. And we follow every one of the many data processing requirements too.
What we have changed to become GDPR compliant
Yes. The GDPR does not replace PECR – although it has amended the definition of consent. You need to comply with both GDPR and PECR for your business-to-business marketing.
The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with the new definition of consent) until the new ePR is finalised.
It is recommended that businesses appoint a data protection officer to oversee adherence to the rules; however, it is not a legal requirement.
As a minimum you should have a nominated individual able to act as your compliance officer on an immediate basis when needed. That person can be employed directly (e.g. a CTO or managing director) or engaged through a compliance support service.
If you are a business conducting marketing activity to help sell a product or service, then you are the data controller with respect to the data associated with that campaign.
If you are a provider (business entity or freelance) of marketing services, employed to help a business sell a product or service, then the client is the data controller and you are employed as the processor.
With respect to data protection laws, B2B marketing campaigns are perfectly legal when conducted in a compliant manner.
To ensure marketing is conducted in accordance with all relevant regulatory frameworks we recommend you conduct an assessment to establish if the product or service, combined with the proposed targeting, meets the various GDPR and PECR rules.
This assessment is called a Legitimate Interest Assessment (LIA).
To determine if your activity is exempt from PECR under the B2B exemption, prior to conducting an LIA, a campaign’s “B2C/B2B status” can often be determined by the following two questions:
“Will the product or service being offered benefit the businesses you are targeting, and not the individual?”
To qualify for the PECR B2B exemption, the product or service that you are offering needs to be of benefit to the target business, and when talking to any individual, relevant to their business role only. It can help to consider the following examples:
- If you are targeting companies that sell widgets, to offer marketing services designed to increase their sales of widgets, then there is a clear, sole benefit to the company (this is legal).
- If you are looking to contact business owners in order to help them invest their hard-earned wealth, then despite the links to their professional role, this is aimed at the individual not the company (this is not legal).
“Are the services being provided equally beneficial to whomever may be contacted about them?”
If question one can be answered positively, then a further test of the business nature of your offering is to consider the target individuals that you would like to introduce it to. The only consideration here should be job-specific, typically department and seniority. Your offer should be equally relevant to whoever fills these role(s) at any given time, and in no way targeting any given individual.
No. Consent is one lawful basis for processing personal data, but there are alternatives. In particular, you may be able to rely on ‘legitimate interests’ to justify your business-to-business marketing.
B2B marketing communications are, generally speaking, exempt from PECR consent requirements.
B2C scenarios will generally require consent to comply with the Privacy and Electronic Communications Regulations (PECR).
Here is a link to the ICO’s Guide to PECR for more on when you need consent for electronic marketing: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/
GDPR heavily regulates the storage and processing of Personally Identifiable Information (PII).
You should map your business systems to determine the data fields you store, and categorise these in terms of their GDPR status.
Generally speaking, company information is not considered PII and can be stored and processed freely, as needed. This means you do not need to obtain consent to store a database of target companies.
Personally Identifiable Information may include fields such as prospect name, email, phone number, job titles and social profile URLs.
GDPR sets out a number of permissible circumstances under which PII can be processed; the most appropriate category in the case of B2B marketing is Legitimate Interests.
This link explains the Legitimate Interests basis for processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
To ensure client activity falls into this category, prior to engaging, you should carry out a full Legitimate Interests Assessment (LIA) for any marketing campaign you intend to run.
Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:
Area 1: Identify a legitimate interest
The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
Area 2: Show that the processing is necessary to achieve it
Can the same result be achieved differently? Core to the SoPro service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.
Area 3: Balance it against the individual’s interests, rights and freedoms.
Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company?
No data processing may override or infringe the individual’s interests or cause unjustified harm.
If you determine that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR you may not be able to conduct the activity within any regions subject to GDPR.
Managing Opting Out & Exclusion Lists
All recipients must be able to opt out easily to prevent further email communication being received. This is typically handled with an “unsubscribe” link.
Managing Subject Access Requests
All individuals have the right to request a copy of all data you hold on them.
When you receive a Subject Access Request (SAR) you must have a clockwork process to supply all personally identifiable data that you hold in connection with the data subject.
Managing Right to be Forgotten Requests
All individuals have the right to have their data removed (to be ‘forgotten’). You must have a reliable, repeatable process to remove all personally identifiable data that you hold in connection with a data subject.
Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic Communications Regulations (PECR). This is very clear as to the requirements on business to business communication:
“You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.”
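The three processes described above (an easy opt-out, a reliable Subject Access Request export, a repeatable erasure process) plus the ‘do not email’ list that the quoted PECR guidance recommends screening every new list against all operate on the same prospect data. The following is an added illustration, not SoPro’s own code or anything from the ICO; the prospect records and addresses in it are constructed sample data, and the `ProspectStore` class, its methods and the hashed-suppression design are assumptions made for the example. It normalises email addresses before matching, keeps the suppression list as SHA-256 keys rather than plaintext addresses so the opt-out list itself holds no readable PII, supports both individual and whole-domain opt-outs, and on erasure removes the subject’s records while retaining only a hashed suppression entry so a later list import cannot quietly re-add them.

```python
"""Data-subject-rights and suppression-list handling for a small B2B
prospecting database (added example with constructed sample data)."""
import copy
import hashlib

# Constructed sample prospect records; PII fields are name, email, phone, title.
PROSPECTS = [
    {"id": 1, "name": "Ada Example", "email": "Ada.Example@acme.example",
     "phone": "+44 1234 000001", "title": "Head of Sales", "company": "Acme Widgets"},
    {"id": 2, "name": "Bob Sample", "email": "bob@acme.example",
     "phone": "+44 1234 000002", "title": "CTO", "company": "Acme Widgets"},
    {"id": 3, "name": "Cy Placeholder", "email": "cy@globex.example",
     "phone": "+44 1234 000003", "title": "Marketing Director", "company": "Globex"},
]


def normalise_email(addr: str) -> str:
    """Canonical form used for every comparison: trimmed and lower-cased."""
    return addr.strip().lower()


def suppression_key(value: str) -> str:
    """SHA-256 of a normalised email or domain, so the do-not-email list
    itself contains no plaintext addresses (design choice for this example)."""
    return hashlib.sha256(normalise_email(value).encode()).hexdigest()


class ProspectStore:
    """In-memory stand-in for a prospect database (hypothetical class)."""

    def __init__(self, records):
        self.records = copy.deepcopy(records)
        self.suppressed = set()  # hashed keys of opted-out emails and domains

    def opt_out(self, email: str, whole_domain: bool = False) -> None:
        """Honour an unsubscribe; optionally suppress the whole company domain."""
        self.suppressed.add(suppression_key(email))
        if whole_domain and "@" in email:
            self.suppressed.add(suppression_key(email.split("@", 1)[1]))

    def is_suppressed(self, email: str) -> bool:
        email = normalise_email(email)
        domain = email.split("@", 1)[1] if "@" in email else ""
        if suppression_key(email) in self.suppressed:
            return True
        return bool(domain) and suppression_key(domain) in self.suppressed

    def screen(self, candidates):
        """Split a new marketing list into sendable and suppressed addresses."""
        allowed, blocked = [], []
        for addr in candidates:
            target = blocked if self.is_suppressed(addr) else allowed
            target.append(normalise_email(addr))
        return allowed, blocked

    def subject_access(self, email: str):
        """SAR: return a copy of every record held about this data subject."""
        key = normalise_email(email)
        return [copy.deepcopy(r) for r in self.records
                if normalise_email(r["email"]) == key]

    def erase(self, email: str) -> int:
        """Right to erasure: drop the subject's records, keep only a hashed
        suppression entry so a re-import cannot resurrect them. Returns the
        number of records removed."""
        key = normalise_email(email)
        before = len(self.records)
        self.records = [r for r in self.records
                        if normalise_email(r["email"]) != key]
        self.suppressed.add(suppression_key(key))
        return before - len(self.records)


if __name__ == "__main__":
    store = ProspectStore(PROSPECTS)
    print("SAR:", store.subject_access("ADA.EXAMPLE@acme.example"))
    print("erased:", store.erase("ada.example@acme.example"))
    store.opt_out("cy@globex.example", whole_domain=True)
    print("screen:", store.screen(["bob@acme.example",
                                   "new.person@globex.example",
                                   "Ada.Example@acme.example"]))
```

Two points worth noting about the design. Matching on a normalised address matters because the same person will appear with different capitalisation across purchased and scraped lists, and an unsubscribe that only matched the exact string would let a later variant through. Retaining a hashed entry after erasure is the suppression-list approach the quoted guidance describes; the hash still relates to an identifiable person, so the suppression list is itself personal data under GDPR and should be documented as such in your data map, but it holds far less than a plaintext copy of the record would.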
Great question: the ICO’s DM checklist is a great set of guidelines, here it is:
You should ensure all employees undergo GDPR, PECR and general compliance training, covering the GDPR rule set in detail and the relevance and impact of those rules on your business. This training should set out the steps you take to ensure best practice is observed at all times and make clear the consequences associated with failure to meet the strict standards.
No passwords are stored in clear text, and access to any information is secured with appropriate security measures.
Where marketing activity is conducted to target countries outside of the UK, and in many cases, outside of the EU, these campaigns are generally not subject to the same data privacy laws.
Naturally, we cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times; as such, it is important that you have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.
We have collated the most useful links available to UK businesses researching the GDPR framework, key areas, timelines, scope and likely impact on B2B marketing.
Please note the new GDPR rules are implemented at an EU Government (multinational) level. Each state is separately responsible for developing its own appropriate rule set ensuring, as a minimum, compliance with the EU’s GDPR framework.
The UK Government has appointed the Information Commissioner's Office (ICO) as the official body charged with ensuring national compliance with the GDPR. In light of this the ICO has released several handy guides.
Here are the most useful links from the key official bodies, including the UK’s ICO, the UK Government, the European legislation archives and the UK’s Direct Marketing Association (DMA).
We suggest you put the kettle on:
- GDPR final text (English)
- ICO Guide to GDPR compliance – 12 Steps to take now (PDF)
- GDPR Checklist 1 (UK ICO) – Data Controllers
- GDPR Checklist 2 (UK ICO) – Data Processors
- PECR text (UK Gov)
- PECR B2B Exemption – (ico.org)
- UK Direct Marketing Association (DMA) – 7 key points for B2B Marketers
- Direct Marketing Guidance – FULL VERSION (UK ICO)
- Direct Marketing Checklist – TLDR VERSION OF ABOVE LINK (UK ICO)