I often get asked about how B2B organisations are allowed to market to their customers once GDPR is in force.
Below is a simple guide, with references, if you’re struggling to navigate the confusing wording of the regulation:
GDPR states that you can direct market to customers using the lawful basis of legitimate interest, without consent.
PECR (based on the current EU Privacy Directive) states that you can’t electronically market to consumers (B2C) without their consent, unless they’ve bought from you in the past and you’ve offered them a simple way to unsubscribe (overriding the above in relation to consumers only). However, you can email business contacts (i.e. business email addresses) without consent, so the legitimate interest basis applies.
Legitimate interest applies because:
– it will have little impact on their privacy
– they would reasonably expect companies to contact them to promote their business
To use this, you have to complete a short Legitimate Interests Assessment (LIA) checklist, and offer a clear way to opt out of the communication.
From the ICO guidance: You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR. See our Guide to PECR for more on when you need consent for electronic marketing.
From the ICO in relation to PECR: You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.
You may also need to consider data protection implications if you are emailing employees at a corporate body who have personal corporate email addresses (eg firstname.lastname@example.org). For further information, see our guidance on direct marketing.
From the ICO in relation to Business Contacts:
In addition, many employees have personal corporate email addresses (eg email@example.com), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.
So, it’s OPT OUT, not OPT IN. Make sure people can opt out easily, and that it is actioned as soon as reasonably possible.
Best practice, of course, would mean that if people don’t respond within a given time you should remove them from your database; after all, who wants non-responders?
NOTE: the ePrivacy Regulation is also being overhauled, but the above will apply in the meantime, until that legislation is finalised.
Ice Blue Sky provides detailed consulting and documentation for GDPR compliance, so if you’re not finding the time to get it done, we can get you compliant in as little as two days.