What is GDPR?
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It came into direct force on 25th May 2018.
GDPR replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
Brexit will not affect the new regulation as the Secretary of State for the Department of Culture Media and Sport confirmed GDPR will be enforceable from 25th May 2018.
How will it affect my business?
The GDPR applies to all businesses holding and processing personal information in the EU. If you are a company outside of the EU but offer services and goods to individuals within the EU, you are also affected.
Personal data means any information that can be used to directly or indirectly identify the person. This could be anything from a name, computer IP address, bank details or location data.
You can be fined for non-compliance. How much depends on the severity.
Either 2% of global turnover or 10 million EUR, whichever is greater or for more severe breaches, 4% of global turnover or 20 million EUR, whichever is greater.
Who can i email?
Currently, email marketing is governed by the Privacy and Electronic Communications Regulations (PECR). GDPR still applies as it covers the processing of personal data in a general sense.
Licensed data (bought-in) data
An email address at work is personal data, whether that email address is a corporate one or that of an employee of a sole trader/partnership. GDPR applies to the processing of the email address. The difference between sole traders/partnerships, and corporates comes when you look at PECR.
PECR deals with gaining permission to send marketing by email. The general rule is that you must gain prior consent to send a marketing email. However, in a B2B environment, there is an exemption for employees of corporates, and you can send a marketing email to these individuals without their prior consent.
In summary, email addresses of corporate employees can be licensed for third-party email campaigns. Legitimate interests would be used to process this personal data as long as all the following criteria are fulfilled:
A corporate is defined as a limited company, public limited company, limited liability partnership or government departments and can be emailed without prior consent (eg. firstname.lastname@example.org).
You must give employees of corporates the option to easily unsubscribe and opt-out from receiving any other email communications from you.
Whichever product or service you are promoting, it must be relevant to the recipient on a professional rather than personal level.
You must provide contact details and identify who you are.
We supply from one of the largest, legally-compliant email feeds in the UK. The emails supplied by our media partner for third party direct marketing are all corporate emails to meet the current requirements of GDPR.
Existing customers and prospects
You can use legitimate interest to email and existing customer or prospect that is within a corporate body i.e. a limited company, PLC, LLP or government department.
When emailing these using the legitimate interest route you must:
1. Offer an easy unsubscribe option and handle that unsubscribe
2. The product or service being promoted must be relevant on professional rather than personal level
3. Identification of who you are must be clear
Sole traders and partnerships
When emailing sole traders or partnerships there are two options available to you:
1. You can email existing customers if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance. This is known as the ‘soft opt-in’ but does not apply to non-commercial promotions (eg. charity fundraising or political campaigning). You must include an opt-out or unsubscribe option in each message and you must identify your company and provide contact details.
2. You can email existing customers OR prospects if they have specifically consented to receive emails from you – for example, by ticking an opt-in box. You must include an opt-out or unsubscribe option in each message and you must identify your company and provide contact details.
Can I still call businesses?
On the basis that your call lists are screened against the TPS (Telephone Preference Service) and CTPS (Corporate Telephone Preference Service) every 28 days. The offer to opt-out of any future calls is also necessary.
Still okay to send mail?
You can send postal mailings to corporates and sole traders/partnerships. There is a misconception that postal mailings to businesses (including sole traders and partnerships) have to be matched against the Mailing Preference Service. They don’t, just ensure the data has been matched against any in-house suppression files you hold.
Click here for information about the fantastic b2b data we supply