GDPR for B2B Marketers

White Paper
Data security padlock on networking cables

After years of deliberation, the EU Parliament approved the General Data Protection Regulation on April 14th, 2016. Since then, many businesses have been assessing their data, systems, processes and pa rtners, in readiness for May 25th 2018, when the GDPR becomes enforceable by EU & UK authorities.

Various media outlets offer conflicting opinions when assessing the readiness of UK organisations in relation to the GDPR - in B2B, the picture is even less clear. In this paper, we’ll look at the fundamentals of the GDPR, and how they apply to B2B organisations. We’ll debunk some of the myths surrounding how the Regulation relates to B2B, and discuss some of the grey areas. The paper will help you think about how to assess your own organisation, and identify areas where you need to take action.

Get the download

Below is an excerpt of "GDPR for B2B Marketers". To get your free download, and unlimited access to the whole of bizibl.com, simply log in or join free.

download

Personal Data & Legal Basis

In B2B marketing, since the inception of GDPR, what actually constitutes personal data has been a matter of some debate. Historically, B2B marketers and data leaders have suggested that data relating to business people is, by definition, not personal - so GDPR effectively doesn’t apply. However, article 4 of the GDPR defines personal data as;

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This definition is broader than its predecessor (the UK’s 1998 Data Protection Act), and is fairly unambiguous in this respect. If you hold data, including (but not limited to); email addresses, phone numbers or postal addresses that relate to a natural person - it is personal data. If you wish to process personal data, you need a legal basis upon which to do so.

The definition of “processing” has also been widened to;

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Making it virtually impossible for any use of data not to be considered processing.

A Legal Basis for Processing

The GDPR defines the 6 bases under which data may be lawfully pcoessed, specifically;

  • With the subject’s consent
  • Necessary for the performance of a contract
  • Necessary to comply with a legal obligation
  • Necessary to protect vital interests of the subject or another person
  • Necessary for the performance of a task in the public interest
  • Necessary for the legitimate interests of the controller of a third party

For direct marketing purposes, the most useful (and in most cases, the only justifiable) bases for processing are “consent” and “legitimate interest”, so we’ll look at both in more detail.

Consent

Businesses could be forgiven for thinking “what’s changed?”. Most organisations have been obtaining consent from prospects and customers for years, so surely, this is adequate? Where an organisation has been using 3rd party data, that data is normally passed to them on the basis that the subjects have given their consent to receive communications from third parties, so businesses can all breathe a sigh of relief, right?

Unfortunately not. Within the GDPR, consent is defined as;

freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

This definition is worthy of close examination as it contains various terms which have wide ranging consequences for marketers, specifically;

Freely Given

In order for consent to be considered “freely given”, there needs to be no penalty if a user doesn’t want to give it. The user being denied access to a service may be considered a penalty.

Specific and Informed

If an organisation wishes to process data in a number of different ways - for example, to email the customer, to pass their data to a 3rd party, and to conduct analysis of their data to offer them specific products, the organisation would have to specify each of these when asking for consent.

Unambiguous

Ambiguity is in itself a difficult thing to define, so in order to ensure compliance, it’s necessary to err on the side of caution. With that in mind, when obtaining “unambiguous consent”, the consent for data processing must be unbundled from other terms and privacy statements. It’s also necessary to stop using terms such as “third parties”, unless those are clearly defined.

Clear Affirmative Action

In order to satisfy this requirement, the consent mechanism must rely on action rather than inaction - meaning pre-ticked boxes or statements referring to privacy policies alone, are no longer enough.

Legitimate Interest

Legitimate interest is a broader basis under which companies can process personal data. The text specifies that personal data can be processed without consent on the basis that it is;

Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

In fact, the statute even specifies that;

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest

Whilst this might sound like a universally-applicable ‘get-out clause’ for marketers, relying on the fact that your organisation may have an interest in processing the data comes with a fairly large caveat: If the subject decides that they have an interest in you not doing so, or that you have breached their rights, it’s imperative that you are able to demonstrate that you’ve conducted a fair assessment, covering all forms of processing you undertake, which balances the two. Your assessment is open to interpretation by enforcing bodies and ultimately, the courts, so it needs to be detailed and robust.

Interpretation is Everything

Perhaps some of the uncertainty, particularly in B2B, stems from a lack of guidance. The ICO, the DMA, and others are noticeably silent on B2B, suggesting that they are still waiting for agreed interpretation from the EU. In the long term, whether such guidance materialises or not, many of the grey areas will be clarified, once precedents are established in the form of case law.

For the uninitiated, “case law” is simply a single legal case, or, in the wide-ranging topic of GDPR, a number of cases - tried in court - which set precedents on how the statute is interpreted. The truth is, that however well written the legislation, the GDPR leaves a lot open to interpretation.

Understandably, organisations are erring on the side of caution when it comes to untested interpretations, pending case law. The likelihood is, in this new age of customer-awareness and digital ubiquity, that when those decisions do come, they’ll almost certainly be in favour of consumers - or in B2B, the recipients of marketing communications.

For those organisations found to have fallen foul of the GDPR, the penalties are severe, including fines of up to €20 million or 4% of group international turnover, whichever is higher - not to mention reputational damage, or even civil lawsuits brought by wronged parties. If even one recipient can persuade a court that your Consent process was unclear or unfair, then all of your consented data would be suspect due to the flaw in your process - and probably would no longer be safe to use.

One last point worth noting in this section is that the UK’s exit from the EU is almost certain to have no noticeable impact on the need for UK organisations to comply with GDPR. Trade requirements will ensure that the UK and the EU’s policy on GDPR are aligned to the letter for decades to come.

Assess and Take Action: The Basics

Conduct a data audit

  • Identify inbound data sources and collection mechanisms
  • Review 3rd party data supplier agreements
  • Do some due diligence on suppliers – check they are compliant
  • Assess existing consents, if appropriate

Assess your use of personal data

  • Define your basis for processing
  • Document the ‘necessity’ and ‘balancing’ tests, if required

Adjust (or define) your policies

  • Document data protection impact assessments
  • Define processes for opt-out, complaints, and right-to-be-forgotten
  • Review or create a Subject Access Request procedure

A Data Best-Practice Case Study: Corpdata

Dept679’s parent company, Corpdata, supplies B2B data to organisations who use it for the purpose of marketing their own products and services. As part of their preparations for GDPR, with the help of colleagues from Dept679, Corpdata conducted a full review of their business model, policy, and operations, in order to declare themselves fully compliant. Here, we’ll look at the six core principles of the GDPR and examine the changes Corpdata made in each area.

Lawful, Fair & Transparent

The first step in GDPR is simply to be clear about your organisation’s intentions - Corpdata generates and re-verifies data primarily with telephone research, so telephone calls afford an excellent opportunity to ensure compliance. Researchers check that data subjects understand that their data is supplied to other companies, for use in their own direct marketing - but only if those organisations offer products or services relevant to the data subject and their business. Calls also detail the basis on which Corpdata processes the subjects data, and explains clearly how Corpdata can record their personal preference to receive or not receive future marketing communications, and even offering information on how they can complain. Each completed call is followed up with an email summary to the data subject.

Purpose Limitation

Having clearly identified what the personal data will be used for, Corpdata take steps to ensure that their clients are also clear about the conditions of usage of any Corpdata marketing list supplied. In this way, they are able to ensure that the data and the data subject is treated properly. Further, by explaining and agreeing the conditions of usage with the client in advance, Corpdata also help the client comply with the GDPR purpose limitations.

Data Minimisation

Minimisation is simply the concept that the personal data processed should be the minimum required to perform the intended task. In the most common use case, that would normally be contact data required for marketing, so Corpdata do not collect or supply data beyond that requirement.

Accuracy

To ensure that their business lists remain accurate, Corpdata re-contact data subjects if they have reason to believe that there may be something that needs checking (perhaps because someone has ‘goneaway’). They also maintain a rolling programme of regular re-validation for accuracy and preferences on all their data. Corpdata’s clients receive updates to their lists twice each month, allowing for changes to be quickly reflected in their on-going campaigns, and importantly allowing these campaigns to reflect any preference changes made by data subjects.”

Storage Limitation

Data should be stored and processed for as long as it’s accurate, and needed - and no longer. To encourage clients to comply with the spirit of storage limitation, Corpdata made changes to the way it licenses data to clients. “12 month” and “eternal” licenses were deemed to no longer be appropriate for GDPR, so Corpdata created new rolling licenses. Rolling licenses include a small monthly rent and a requirement for clients to update their data when supplied with changes. This is deliberately designed to align the urges of a marketer with the storage limitation principle. For as long as the data is useful, the client must pay the small ongoing fee. If the fee ever outweighs the perceived value, then the data should be deleted.

Integrity & Confidentiality

Perhaps one of the lesser-discussed realities of GDPR is the need for robust IT systems and physical security to ensure personal data is safe. Corpdata have redundant servers and regular backups - both on and off-site. Systems are updated regularly for security reasons, and make use of enterprise-grade firewall, antivirus and antimalware appliances. Server rooms have physical entry control, granting access to only those who require it. When data is moved outside of Corpdata’s networks, it is encrypted to ensure security in transit.

Accountability

Accountability runs through GDPR from end to end. Corpdata take responsibility for the personal data throughout the process, from collection to destruction. Calls where the data subject’s preferences are confirmed are kept indefinitely to ensure customers can demonstrate compliance. Corpdata perform due diligence checks on their prospective customers, and the intended usage of the data. They require customers to use data only as the data subject desires and only for professionally relevant direct marketing. Corpdata performs a necessity test and balancing test for its supply of data, and for the customers use of data - this is supplied to the customer with each license. The contractual terms require customers to update the licensed data, ensuring accuracy in the contact details and the data subject wishes. Customers are also required to delete the data when it is no longer licensed, and Corpdata track data usage to identify data breaches. All of this means Corpdata fully embrace the GDPR requirements, protect the rights of data subjects, and ensure customers comply with data protection.

Want more like this?

Want more like this?

Insight delivered to your inbox

Keep up to date with our free email. Hand picked whitepapers and posts from our blog, as well as exclusive videos and webinar invitations keep our Users one step ahead.


By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy

side image splash

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy