SoPro knows compliance

Lots of rumours…

“We’ve been hearing a lot of weird and wonderful rumours about the incoming GDPR regulations so we thought a dedicated compliance FAQ would be a useful way to address the most common questions.

I think we might be able to put your mind to rest on most of the GDPR fears; it is certainly not as bad as many are making out. For example, the idea of only being able to contact info@… addresses is totally untrue. But it is not the worst we’ve heard… by any stretch.

You can definitely contact name@company.com. Yes, it is personal data, but GDPR clarifies that processing personally identifiable data is fine on several grounds, including for marketing purposes, under the Legitimate Interests basis.

Consent to send email is also not required for UK B2B marketing communications; that is legislated under the UK’s PECR B2B exemption. (NB. Totally different for B2C scenarios, but that is nothing new.)

The other GDPR compliance points are a bit more labour intensive to manage, such as data storage, data security, additional policies and implementing the processes to handle Right to be Forgotten and Subject Access requests when they come in. Plus the usual unsubscribe and opt out lists. Oh… and staff training requirements.

Compliance is actually one of the common reasons many companies use SoPro to handle the whole shebang.  Setting up a compliant prospecting channel internally is complex, expensive and slow. For larger firms the cost of managing compliance alone can easily outweigh the entire cost of a SoPro campaign.

We might not be solicitors/legal experts (and I should clarify this post definitely doesn’t constitute legal advice), but you are in safe hands with SoPro, and we are more than happy to jump on a call with your compliance team if useful.”

– Ryan Welmans

B2B Prospecting and GDPR Compliance – FAQ

What is GDPR?

The General Data Protection Regulation (GDPR) was adopted on 27th April 2016 and brings all EU member states under a common framework regulating data protection.

By 25th May 2018, each EU member state must implement a local data protection framework that (as a minimum) complies with the master GDPR framework.

The UK Government has appointed the Information Commissioner’s Office (ICO) as the official body charged with ensuring national compliance with the GDPR.

It is important to take GDPR compliance seriously, since the penalties for non-compliance are rate-carded at up to 4% of annual global turnover or €20m (whichever is higher).

How does GDPR affect Marketing?

Most marketing formats have evolved to rely heavily on the use of customer data.

GDPR is a rule set governing the circumstances and manner in which data can be processed legally. It also introduces some scary consequences for falling foul of the law.

GDPR also sets out the framework for which types of data are considered private and should be treated as such. The GDPR-savvy phrase used to describe private data is Personally Identifiable Information.

Most businesses are surprised by the amount of Personally Identifiable Information (PII) stored within their systems, often without any specific intent or purpose.

Can I do nothing and hope it goes away?

No.

Does PECR still apply?

Yes. The GDPR does not replace PECR – although it has amended the definition of consent. You need to comply with both GDPR and PECR for your business-to-business marketing.

The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with the new definition of consent) until the new ePR is finalised.

Holy Sh*t. Do we need to appoint a data protection officer?

It is recommended that businesses appoint a data protection officer to oversee adherence to the rules; however, it is not a legal requirement.

As a minimum you should have a nominated individual able to act as your compliance officer on an immediate basis when needed. That person can be employed directly (e.g. a CTO or managing director) or employed through a compliance support service.

Am I the data controller or the data processor?

If you are a business conducting marketing activity to help sell a product or service, then you are the data controller with respect to the data associated with that campaign.

If you are a provider (business entity or freelance) of marketing services, employed to help a business sell a product or service, then the client is the data controller and you are employed as the data processor.

Is it legal to conduct B2B marketing activity?

With respect to data protection laws, B2B marketing campaigns are perfectly legal when conducted in a compliant manner.

To ensure marketing is conducted in accordance with all relevant regulatory frameworks we recommend you conduct an assessment to establish if the product or service, combined with the proposed targeting, meets the various GDPR and PECR rules.

This assessment is called a Legitimate Interest Assessment (LIA).

Before conducting an LIA, you can determine whether your activity is exempt from PECR under the B2B exemption by establishing the campaign’s “B2C/B2B status”. This can often be settled with the following two questions:

“Will the product or service being offered benefit the businesses you are targeting, and not the individual?”

To qualify for the PECR B2B exemption, the product or service that you are offering needs to be of benefit to the target business, and when talking to any individual, relevant to their business role only. It can help to consider the following examples:

  • If you are targeting companies that sell widgets, to offer marketing services designed to increase their sales of widgets, then there is a clear, sole benefit to the company (this is legal).
  • If you are looking to contact business owners in order to help them invest their hard-earned wealth, then despite the links to their professional role, this is aimed at the individual not the company (this is not legal).

“Are the services being provided equally beneficial to whomever may be contacted about them?”

If question one can be answered positively, then a further test of the business nature of your offering is to consider the target individuals that you would like to introduce it to. The only consideration here should be job specific, typically department and seniority. Your offer should be equally relevant to whoever fills these role(s) at any given time, and in no way target any given individual.

Does the GDPR mean we need consent for marketing?

No. Consent is one lawful basis for processing personal data, but there are alternatives. In particular, you may be able to rely on ‘legitimate interests’ to justify your business-to-business marketing.

B2B marketing communications are, generally speaking, exempt from PECR consent requirements.

B2C scenarios will generally require consent to comply with the Privacy and Electronic Communications Regulations (PECR).

Here is a link to the ICO’s Guide to PECR for more on when you need consent for electronic marketing: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/

What data am I allowed to store?

GDPR heavily regulates the storage and processing of Personally Identifiable Information (PII).

You should map your business systems to determine the data fields you store, and categorise these in terms of their GDPR status.

Generally speaking, company information is not considered PII and can be stored and processed freely, as needed. This means you do not need to obtain consent to store a database of target companies.

Personally Identifiable Information may include fields such as prospect name, email address, phone number, job title and social profile URLs.

On what basis can I legally store Personally Identifiable Information?

GDPR sets out a number of permissible circumstances under which PII can be processed; the most appropriate category in the case of B2B marketing is Legitimate Interests.

This link explains the Legitimate Interests basis for processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

To ensure your activity falls into this category, prior to engaging, you should carry out a full Legitimate Interests Assessment (LIA) for any marketing campaign you intend to run.

Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:

Area 1: Identify a legitimate interest

The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.

Area 2: Show that the processing is necessary to achieve it

Can the same result be achieved differently? Core to the SoPro service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.

Area 3: Balance it against the individual’s interests, rights and freedoms.

Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company?

No data processing may override or infringe the individual’s interests or cause unjustified harm.

What if my marketing activity fails the LIA?

If you determine that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR you may not be able to conduct the activity within any regions subject to GDPR.

What policies or processes do I need in place?

Privacy Policy

Any marketing messages should contain a link to a privacy policy explaining exactly what the user’s rights are, as well as the type of data that is held about them and by whom.

(If needed SoPro can provide a template privacy policy or review your existing one to ensure it meets the required standard.)


Managing Opting Out & Exclusion Lists

All recipients must be able to opt out easily to prevent further email communication being received. This is typically handled with an “unsubscribe” link.


Managing Subject Access Requests

All individuals have the right to request a copy of all data you hold on them.

When you receive a SAR you must have a clockwork process to supply all personally identifiable data that you hold in connection with a data subject.


Managing Right to be Forgotten Requests

All individuals have the right to have their data removed (to be ‘forgotten’). You must have a reliable, repeatable process to remove all personally identifiable data that you hold in connection with a data subject.

Can I send unsolicited emails to prospects legally?

Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic Communications Regulations (PECR). This is very clear as to the requirements on business to business communication:

“You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.”

What is the ICO / Direct Marketing Checklist?

Great question. The ICO’s DM checklist is a great set of guidelines; here it is:

https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

Do I need to conduct additional Employee Training?

You should ensure all employees undergo GDPR, PECR and general compliance training, covering the GDPR rule set in detail and the relevance and impact of those rules on your business. This training should set out the steps you take to ensure best practice is observed at all times and make clear the consequences associated with failure to meet the strict standards.

Data Storage

No passwords are stored in clear text, and access to any information is secured with appropriate security measures.

Non-EU/rest of world regulations

Where marketing activity is conducted to target countries outside of the UK, and in many cases, outside of the EU, these campaigns are generally not subject to the same data privacy laws.


Naturally, we cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times; as such, it is important that you have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.

Useful Links

We have collated the most useful links available to UK businesses researching the GDPR framework, key areas, timelines, scope and likely impact on B2B marketing.

Please note the new GDPR rules are implemented at an EU Government (multinational) level. Each state is separately responsible for developing its own appropriate rule set ensuring, as a minimum, compliance with the EU’s GDPR framework.

The UK Government has appointed the Information Commissioner’s Office (ICO) as the official body charged with ensuring national compliance with the GDPR. In light of this, the ICO has released several handy guides.

Here are the most useful links from the key official bodies, including the UK’s ICO, the UK Government, the European Legislation archives and the UK’s Direct Marketing Association (DMA).

We suggest you put the kettle on: