However, there are exclusions of the right to erasure. The
general exclusions include where processing is necessary:
We will use all reasonable endeavours to notify any third party
with whom we have shared the data of any actioned erasure
requests.
Where processing has been restricted we may continue to store
Your personal data. However, We will only otherwise process it:
with Your consent or for the establishment, exercise or defence
of legal claims; for the protection of the rights of another
natural or legal person; or for reasons of important public
interest.
We will use all reasonable endeavours to notify any third party
with whom we have shared the data of any restriction placed on
the processing of Your data.
If You make such an objection, we will cease to process the
personal information unless We can demonstrate compelling
legitimate grounds for the processing which override Your
interests, rights and freedoms, or the processing is for the
establishment, exercise or defence of legal claims.
This policy was last updated on 24 May 2018
These terms and conditions apply between you, the User of this Website (including any sub-domains, unless expressly excluded by their own terms and conditions), and Prospect Global Ltd., the owner and operator of this Website. Please read these terms and conditions carefully, as they affect your legal rights. Your agreement to comply with and be bound by these terms and conditions is deemed to occur upon your first use of the Website. If you do not agree to be bound by these terms and conditions, you should stop using the Website immediately.
In these terms and conditions, User or Users means any third party that accesses the Website and is not either (i) employed by Prospect Global Ltd. and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Prospect Global Ltd. and accessing the Website in connection with the provision of such services.
You must be at least 18 years of age to use this Website. By using the Website and agreeing to these terms and conditions, you represent and warrant that you are at least 18 years of age.
You can contact Prospect Global Ltd. by email on ryan@sopro.io.
This statement sets out the operating procedures SoPro undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.
From 25th May 2018, the GDPR brings all EU member states under a common
regulatory framework.
SoPro takes GDPR compliance seriously, and in addition to appointing a
compliance officer to oversee our adherence to the rules, SoPro have engaged 3rd
party legal expertise to audit and advise on best practice.
This investment enables us to assure clients that GDPR best practices are
strictly observed wherever possible, at all times.
SoPro is a service provider, when you engage our services, we work for you, and
when we create data, we create data exclusively for you.
To put this in the language of GDPR and the ICO:
SoPro’s services are designed and offered solely to help businesses promote to
other businesses. I.e. B2B marketing only.
Before launching new client activity, SoPro conducts an in-depth assessment to
establish if the product or service, combined with the proposed targeting, meets
the criteria for GDPR compliant business to business (b2b) marketing. This
assessment is called the Legitimate Interest Assessment (LIA).
Prior to conducting the LIA, suitability can usually be determined by the
following two questions:
At the core of the SoPro process is the identification of target companies.
Whilst the details of this stage can vary, it involves no personal information
at all. Once the list of accounts has been finalised we then determine the
details of the individuals in the target role(s) at the companies. This stage
typically generates Personally Identifiable Information (PII).
Personally Identifiable Information (PII) data held is kept to an absolute
minimum:
GDPR sets out a number of permissible circumstances (or categories) under which
PII can be stored and processed, the most appropriate category in the case of
SoPro is Legitimate Interests.
This link explains the Legitimate Interests basis for storing and processing PII:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
To ensure client activity falls into this category, prior to engaging, we will
carry out a full Legitimate Interests Assessment (LIA) with each new client.
Essentially the LIA is a questionnaire containing a series of questions about
your scenario. There are 3 areas that need to be satisfied for Legitimate
Interests to be used as a basis for processing PII:
If SoPro determines that your planned B2B prospecting activity does not meet the
criteria for Legitimate Interests within the scope of GDPR then we cannot
support the activity within any regions subject to GDPR.
Whilst GDPR controls the storage and processing of personal data in the UK,
sending messages is regulated under the Privacy and Electronic Communications
Regulations (PECR). This is very clear as to the requirements on business
communication:
“You can email or text any corporate body (a company, Scottish partnership,
limited liability partnership or government body). However, it is good practice
– and good business sense – to keep a ‘do not email or text’ list of any
businesses that object or opt out, and screen any new marketing lists against
that.”
https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
All SoPro employees undergo GDPR, PECR and general compliance training, this
covers the GDPR rule set in detail, the relevance and impact of those rules on
SoPro and our clients, and the steps we take to ensure best practice is observed
at all times. We also make clear the consequences (I.e. penalties) associated
with failure to meet the strict GDPR standards.
SoPro is a UK based company and operates under UK law. Where the service is used
to target countries outside of the UK we are unable to provide guidance or take
responsibility for any additional or differing laws that may be in place.
Whilst SoPro continues to take extensive measures to ensure best practice with
respect to GDPR and PECR across all client activity, clients should take note
that responsibility for compliance vests (in different forms) with all parties.
SoPro cannot be abreast of the constantly evolving regulatory frameworks in all
countries at all times, as such it is important that you, as the client, have
knowledge of your local regulatory climate and ensure your business operates
within the relevant regulatory frameworks.
“We’ve been hearing a lot of weird and wonderful rumours about the incoming GDPR
regulations so we thought a dedicated compliance FAQ would be a useful way to
address the most common questions.
I think we might be able to put your mind to rest on most of the GDPR fears, it is
certainly not as bad as many are making out. For example the idea of only being able
to contact info@… addresses is totally untrue. But it is not the worst we’ve heard…
by any stretch.
You can definitely contact name@company.com. Yes it is personal data but GDPR
clarifies that processing personally identifiable data is fine on several grounds,
including for marketing purposes, under the Legitimate Interests basis.
Consent to send email is also not required for UK B2B marketing communications, that
is legislated under the UKs PECR B2B exemption. (NB. Totally different for B2C
scenarios, but that is nothing new).
The other GDPR compliance points are a bit more labour intensive to manage such as
data storage, data security, additional policies and implementing the processes to
handle Right to be Forgotten and Subject Access requests when they come in. Plus the
usual unsubscribe and opt out lists. Oh… and staff training requirements.
Compliance is actually one of the common reasons many companies use SoPro to handle
the whole shebang. Setting up a compliant prospecting channel internally is complex,
expensive and slow. For larger firms the cost of managing compliance alone can
easily outweigh the entire cost of a SoPro campaign.
We might not be solicitors/legal experts (and I should clarify this post definitely
doesn’t constitute legal advice), but you are in safe hands with SoPro, and we are
more than happy to jump on a call with your compliance team if useful.”
The General Data Protection Regulation (GDPR) was adopted on 27th April 2016 and brings all EU member states under a common framework regulating data protection.
By 25th May 2018, each EU member state must implement a local data protection framework that (as a minimum) complies with the master GDPR framework.
The UK Government has appointed the Information Commissioners Office (ICO) as the official body charged with ensuring national compliance with the GDPR.
It is important to take GDPR compliance seriously, since the penalties for non-compliance are rate-carded as 4% or €20m (whichever is higher).
Most marketing formats have evolved to rely heavily on the use of customer data.
GDPR is a rule set governing the circumstances and manner in which data can be processed legally. It also introduces some scary consequences for falling foul of the law.
GDPR also sets out the framework for which types of data are considered Private and should be treated as such. The GDPR-savvy phrase used to describe private data is Personally Identifiable Information.
Most business are surprised by the amount of Personally Identifiable Information (PII) stored within their systems, often without any specific intent or purpose.
The aim of GDPR is to provide fresh governance on data protection. From that perspective we were already in a good place. From an email outreach perspective, GDPR guidelines oblige us to ensure that marketing emails are directed to prospects who are likely to find the content useful and relevant. So, we ensure that:
GDPR is lengthy and complex. There are many other things we’ve changed too. You can read about all of them in this Q&A section.
There’s a misconception that you need a B2B prospects consent to email them. That’s because the Privacy and Electronic Communications Regulations (PECR) require consent to email B2C prospects. B2B marketing communications are generally speaking – exempt from PECR consent requirements.
We send millions of emails each year. As GDPR has got closer, we’ve noticed that more prospects mistakenly believe that social prospecting will be illegal after May 25th.
A: It won’t. Providing of course that the regulations’ various guidelines on data protection, relevance, targeting, etc. are followed. It hasn’t been easy. In fact, it has taken many months of blood, sweat and tears for us to say with 100% heart felt confidence that every SoPro campaign is and always will be 100% GDPR compliant.
We can save you time and money with GDPR compliant prospecting
A: If you’ve been running internal prospecting campaigns and you haven’t changed your process to comply with GDPR then we can save you time and money. We’ve done all of the hard work. Our email outreach campaigns are 100% compliant. And we follow every one of the many data processing requirements too.
What we have changed to become GDPR compliant
A: With a long history of social prospecting and hundreds of companies, there are hundreds of operational changes that we’ve had to make. We’ve read the regulations, received legal advice and training, nominates a Data Protection Officer who has led our GDPR mission, adapted our terms of Service and Privacy Policy, improved our database functionality and worked with our suppliers and clients in order to ensure every aspect of our operation is 100% GDPR compliant.
No.
Yes. The GDPR does not replace PECR – although it has amended the definition of consent. You need to comply with both GDPR and PECR for your business-to-business marketing.
The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with the new definition of consent) until the new ePR is finalised.
It is recommended that businesses appoint a data protection officer to oversee adherence to the rules however it is not a legal requirement.
As a minimum you should have a nominated individual able to act as your compliance officer on an immediate basis when needed, that person can be employed directly (I.e. perhaps a CTO or managing director) or employed through a compliance support service.
If you are a business conducting marketing activity to help sell a product or service, then you are the data controller with respect to the data associated with that campaign.
If you are a provider (business entity or freelance) of marketing services, employed to help a business sell a product or service, then the client is the data controller and you are employed as the processor
With respect to data protection laws, B2B marketing campaigns are perfectly legal when conducted in a compliant manner.
To ensure marketing is conducted in accordance with all relevant regulatory frameworks we recommend you conduct an assessment to establish if the product or service, combined with the proposed targeting, meets the various GDPR and PECR rules.
This assessment is called a Legitimate Interest Assessment (LIA).
To determine if your activity is exempt from PECR under the B2B exemption, prior to conducting an LIA, a campaigns “B2C/B2B status” can often be determined by the following two questions:
“Will the product or service being offered benefit the businesses you are targeting, and not the individual?”
To qualify for the PECR B2B exemption, the product or service that you are offering needs to be of benefit to the target business, and when talking to any individual, relevant to their business role only. It can help to consider the following examples:
“Are the services being provided equally beneficial to whomever may be contacted about them?”
If question one can be answered positively then a further test to the business nature of your offering is to consider the target individuals that you would like to introduce it to. The only consideration here should be job specific – typically department and seniority. Your offer should be equally relevant to whoever fills these role(s) at any given time, and in no way targeting any given individual.
No. Consent is one lawful basis for processing personal data, but there are alternatives. In particular, you may be able to rely on ‘legitimate interests’ to justify your business-to-business marketing.
B2B marketing communications are generally speaking – exempt from PECR consent requirements.
B2C scenarios will generally require consent to comply with the Privacy and Electronic Communications Regulations (PECR).
Here is a link to the ICO’s Guide to PECR for more on when you need consent for electronic marketing: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/
GDPR heavily regulates the storage and processing of Personally Identifiable Information (PII).
You should map your business systems to determine the data fields you store, and categorise these in terms of their GDPR status.
Generally speaking company information is not considered PII and can be stored and processed freely, as needed. This means you do not need to obtain consent to store a database of target companies.
Personally Identifiable Information may include fields such as prospect name, email, phone number, job titles and social profile URLs.
GDPR sets out a number of permissible circumstances under which PII can be processed, the most appropriate category in the case of B2B Marketing is Legitimate Interests.
This link explains the Legitimate Interests basis for processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
To ensure client activity falls into this category, prior to engaging, you should carry out a full Legitimate Interests Assessment (LIA) for any marketing campaing you intend to run.
Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:
Area 1: Identify a legitimate interest
The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
Area2: Show that the processing is necessary to achieve it
Can the same result be achieved differently? Core to the SoPro service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.
Area 3: Balance it against the individual’s interests, rights and freedoms.
Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company?
No data processing may replace or infringe the individuals interests or cause unjustified harm.
If you determine that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR you may not be able to conduct the activity within any regions subject to GDPR.
Any marketing messages should contain a link to a privacy policy explaining exactly what the user’s rights, as well as the type of data that is held about them and by who.
(If needed SoPro can provide a template privacy policy or review your existing one to ensure it meets the required standard.)
All recipients must be able to opt out easily to prevent further email communication being received. This is typically handled with an “unsubscribe” link.
All individuals have the right to request a copy of all data you hold on them.
When you receive a SAR you must have a clockwork process to supply all personally identifiable data that you hold in connection with a data subject.
All individuals have the right to have their data removed (to be ‘forgotten’). You must have a reliable, repeatable process to remove all personally identifiable data that you hold in connection with a data subject.
Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic Communications Regulations (PECR). This is very clear as to the requirements on business to business communication:
“You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.”
Great question – the ICOs DM checklist is a great set of guidelines, here it is:
https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
You should ensure all employees undergo GDPR, PECR and general compliance training, covering the GDPR rule set in detail and the relevance and impact of those rules on your business. This training should set out the steps you take to ensure best practice is observed at all times and make clear the consequences associated with failure to meet the strict standards.
No passwords are stored in clear text, and access to any information is secured with appropriate security measures.
Where marketing activity is conducted to target countries outside of the UK, and in many cases, outside of the EU, these campaigns are generally not subject to the same data privacy laws.
Naturally, we cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times, as such it is important that you have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.
We have collated the most useful links available to UK businesses researching the GDPR framework, key areas, timelines, scope and likely impact on B2B marketing.
Please note the new GDPR rules are implemented at an EU Government (multinational) level. Each state is separately responsible for developing it own appropriate rule set ensuring, as a minimum, compliance with the EUs GDPR framework.
The UK Government has appointed the Information Commissioners Office (ICO) as the official body charged with ensuring national compliance with the GDPR. In light of this the ICO has released several handy guides.
Here are the most useful links from the key official bodies, including the UKs ICO, the UK Government, the European Legislation archives and the UKs Direct Marketing Association (DMA).
We suggest you put the kettle on: