The Information Commissioner’s Office has confirmed that the UK will start to enforce the General Data Protection Regulation (GDPR) on 25th May 2018.
If you’ve any questions about email marketing and GDPR, or if you’ve any general queries about the legislation, please do feel free to call us – we’d be happy to have a chat.
In the meantime, we’ve posted our thoughts on the GDPR below.
GDPR – what is it, and what does it mean for business?
You may have heard about the GDPR, or you may not. You may have even seen advice on what it means in a number of different areas. Either way, it will have implications for the way companies conduct their marketing and interact with customers and prospects.
As with any change there can be confusion, and it feels as though there is a lot of misinformation surrounding the GDPR. We’ve even seen advice that’s fuelling some vested interest too! Anyway, after our chat with the ICO, this is the way we see it.
What is it?
The GDPR is a piece of legislation which changes the way companies handle personal data. It stands for General Data Protection Regulation, and it was put into effect by the EU in April 2016 with a grace period of two years, allowing companies time to ensure they are compliant. The GDPR will be enforceable as of 25th May 2018.
Marketing – what is affected?
The only change that is likely to affect B2B marketers is for those that market to sole traders and partnerships. There are also slight differences between the different marketing communication tools. Each is explained below:
Email and SMS marketing
For sole traders and partnerships, the rules that apply to B2C will apply to B2B marketers. So, in order to send email or text marketing messages to a sole trader, for example, you would need their express opt-in consent.
If you are emailing or texting a marketing message to an individual employee of a corporate, a limited company, an LLP, a partnership in Scotland or a government body, you do not need them to opt in. You must, however, provide an easy way for them to opt out of future communications.
Telephone and direct mail
You will have to provide an opt-out to sole traders, partnerships, corporates, limited companies, LLPs, and government departments. Essentially, if you are marketing to individuals or companies by telephone or direct mail, you do not need prior consent.
All types of B2B marketing communication
No matter what channel you use for marketing, or who you are marketing to, the information on the ICO website stipulates that content must be about products or services that are relevant to that individual’s job role.
What else do I need to keep in mind?
The right to be forgotten – Under the GDPR, people have the right to be forgotten. However, if they have expressed opposition to being contacted, it makes good business sense to suppress them from receiving future communications, rather than deleting them. It would be acceptable to keep only the amount of data necessary to suppress that person from receiving any further marketing messages.
Legitimate interest – If you are calling, you must first check the TPS register. If the person/business is not listed, you may call them, provided you can demonstrate that it would be in the legitimate interest of your business to do so: for example, that they have bought similar services before, or would be likely to buy your products.
Proof of consent – The GDPR states that it is down to the company from whom the marketing messages come to prove that consent was obtained. What exactly this looks like is unclear as yet – for instance, would a call recording be required? We’ll need to wait for the ICO to advise what they would deem acceptable proof.
Brexit means it won’t affect us, doesn’t it? Not true.
As the name suggests, the GDPR is a regulation which has been set out by Europe. This means that it does not require member states to pass enabling legislation for it to be effective; it will come into force no matter what.
Until the United Kingdom is officially out of the European Union, we will be subject to the rules and regulations of the EU. As we are unlikely to be out of Europe by 25th May 2018, the GDPR will be enforceable in the UK after this date.
In any case, if the UK is to continue trading with EU member states, we will be required to have at least equivalent or similar data protection regulations in place, making it unlikely that the UK government would amend or repeal the legislation.
The legal stuff
Here are the specifics you’ll need to get right when obtaining consent so you don’t fall foul of the law:
- Make sure the consent message makes it clear what the contact is signing up for – gaining consent using an underhand tactic could be looked upon just as unfavourably as no consent.
- You must keep a record of what the contact is consenting to.
- You must be able to prove that the contact has consented to receive emails.
- You must keep a record of the consent given by customers for the entirety of the time that they are customers.
How will it be enforced? Can’t I just risk it?
It remains to be seen how the GDPR will be enforced in practice. With millions of emails sent every day, the potential for transgression is surely large. However, with a penalty threat of up to €20 million or 4% of annual turnover, whichever is greater, the fines for non-compliance are severe.
In our world, good quality, accurate data is of the utmost importance. Not only is it necessary for compliance with the law, it makes good marketing sense to use data that is up to date, compliant, and from a reliable source. If any of these factors is in doubt, the results of your marketing campaigns are likely to suffer as a direct result.