The General Data Protection Regulation, or GDPR, means businesses are going to have to apply quite the re-think in how they market their products to consumers But what about business to business, or B2B, will this be affected too?
The simple answer is yes, B2B marketing will be affected by GDPR, but to understand how, we need to look a little closer.
GDPR, which becomes enforceable on May 25th, entails a raft of considerations for marketeers, but for those in the business of marketing to other businesses, the considerations are different, and maybe a little softer.
First, let’s start with the broader considerations:
- Marketing lists - data subjects need to have given unambiguous permission for a inclusion on such a list, they must have opted in and there must be clear opt-out procedures.
- Right to access - meaning data subjects have the right to know what data is held about them.
- Right to be forgotten.
- Portability of data, such that data subjects can request data held about them is held in certain formats.
- Privacy by design - this means that as a marketeer, when managing data privacy considerations need to be taken into account at the outset - privacy needs to be integral to the entire process of data management.
- Data protection officers - there may be a need to employ a data protection officer.
- Breach notification - appropriate procedures need to be in place to inform data subjects in the event of a data breach.
The first point to bear in mind is that sole traders and partnerships are normally defined as coming under business to consumer - B2C.
In the past, however, data subjects of B2B marketing, were often seen as fair game by marketeers, providing, that is, there were appropriate opting out procedures in place. And since GDPR did not distinguish between B2B and B2C data subjects, marketeers had initially felt they were, as it were, off the hook.
However, GDPR does state six legal grounds for using data:
- consent of data subject,
- where processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract,
- where processing is necessary for compliance with a legal obligation,
- where processing is necessary to protect the vital interests of a data subject or another person,
- where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- and finally is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
In fact, GDPR does state that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
A second piece of regulation: Privacy and Electronic Communications Regulations, dovetails with GDPR and in January 2017, the EU Commission published a draft of a new version of this directive. This regulation applies to data sent via electronic communication including instant and social messaging, VOIP, web-based email and the IoT, all to be covered by the same laws as phone calls, emails and SMS.
The regulation states: “It is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services”
It also distinguishes between B2B and B2C communications sent via “electronic communication services”. It states that for B2C marketing, the data subject must have given consent to receive communication, but for B2B, member states are given more autonomy to ensure legitimate interests of corporate data subjects are protected from unsolicited communications.
However, the draft version of this regulation does not require opt-in for consent to B2B marketing but require clear opting out procedures.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/