For years B2B marketers have had a relatively easy-ride with Data Protection. When GDPR comes into force on the 25th May, the way we deal with data relating to business contacts will arguably be treated much the same as for consumers. In this article, Ellie Allseybrook, Head of Business Growth at Inform Billing, gives a stern warning to Channel marketers to not be fooled into thinking that GDPR is not for B2B!
GDPR applies to ‘personal data’ - any information that identifies a living person either directly or indirectly. Much has been debated about business contacts, but the overriding view is that company employees of any size business are still individuals at work. With increased remote working, BYOD and blurred lines between what’s personal and what’s business, the conscientious marketer is wise to err on the side of caution.
GDPR v PECR
Additional confusion has risen from the overlap of GDPR and PECR (The Privacy and Electronic Communications Regulations 2003) which currently govern direct marketing. It’s worth noting that these are to be replaced by the EPrivacy Regulation which although yet to be finalised, was intended to be implemented alongside GDPR, but will now come into force at the end of 2018, possibly 2019.
Under PECR, it’s permitted to market to individuals in limited companies or PLCs, if communication is relevant and an easy-opt out option is provided. Sole traders and partners email address are classed as personal and generic business addresses such as ‘Sales@...’ can be used with an opt-out. But this does not mean GDPR is not relevant to B2B marketing.
More than direct mail
For marketing managers, GDPR is about much more than just direct marketing. GDPR is concerned with how you manage, protect and administer data. When building an account in your CRM system, you store a contact’s email address, DDI and mobile number, perhaps home address and even their birthday, details of ‘significant others’ or a favourite sports teams – for hospitality purposes or solely to make interactions more personal. Suddenly you are building up a vivid picture of an individual with data that undeniably identifies them. Simply by storing and analysing personal data, you are ‘processing’ and are required to comply with GDPR.
Don’t get too hung up on consent
Even now, too much focus is placed on gaining consent. With B2B marketing, unless it’s to fulfil your contract with a customer or prospect (which could simply be responding to an enquiry), ‘legitimate interest’ should be your first-choice lawful basis for processing data. Only if you decide you can’t really justify this route, should you move to consent. Remember, legitimate interest can only be relied upon if you haven’t already asked for consent.
Never too late
Interpretations of GDPR are still being finalised and whilst it is critical to be ready and prepared, don’t be panicked into making rash decisions. Over the past year too many companies hurried into needlessly gaining consents and unnecessarily deleting data.
Even at this late stage, the regulators interpretations in some areas are still unclear. Therefore, proactively striving to meet GDPR on an ongoing basis should be your primary aim. GDPR compliance is like a maths test; showing your workings out - even if you get it wrong - will work in your favour with the ICO.
Practical tips
- Update web consent forms – Where you do ask to collect data online, you must detail what you intend to use it for and split out if you want consent for more than one reason.
- Revisit your website privacy policy - previously written for the benefit of the company, the policy should now inform the customer.
- Review CRM fields –check your CRM enables you to easily record how you gained data, where from and how long you’re keeping it for. As well as full details of any opt-outs.
- Don’t forget 3rd parties – check how CRM and marketing automations systems, processing data on your behalf, will help you meet GDPR obligations.
Disclaimer
My views and recommendations are based on extensive research, with guidance from solicitors. To ensure full compliance, I would advise seeking your own professional legal advice.
Ellie recently took part in a panel discussion about GDPR on Comms Business Live. You can view that below.