Alert BI is data compliant
Summary of GDPR and B2B guidelines
In other words, the default is ‘they’ve opted in’. You do not need to seek prior permission and you are not obliged to reveal where you obtained their contact information.
However, when you make contact, you must provide the means for that individual to easily unsubscribe from future communications, and you must make it clear who you are, business-wise. You need to have a robust internal system in place to ensure ALL communications to OPT-OUTERS cease, unless the individual proactively contacts you later to change the opt-out position and/or to request service, support etc.
BUT, for telephone and direct mail, you don’t need an opt-in first, though you do need to offer the ability to opt-out from future communications.
The six different lawful bases of processing personal data are:
1. Consent (where explicit consent is given by the data subject)
2. Contract (where processing is necessary to fulfil a contractual obligation or as part of entering a contract)
3. Legal Obligation (where processing is necessary for compliance with a common law or statutory obligation)
4. Vital interests (where processing is necessary to protect someone’s life)
5. Public interest (where processing is necessary to perform a specific task in the public interest that is set out in law)
6. Legitimate interest (where processing is necessary for the purpose of legitimate interest – which includes commercial interests)
These are intended to be all-encompassing, applying to every type of organisation as well as all departments within them. Some are not applicable to B2B marketing. The two main lawful bases that apply to B2B marketing when processing personal data are ‘Consent’ and ‘Legitimate interest’. Let’s explore each of those further:
The most notable change is to the definitive ‘opt-in’ process. This cannot be in any way ambiguous. For example, pre-ticked opt-in boxes are expressly unlawful under the new consent regulations. Opt-in must be a separate, individual and ‘granular’ process, singled out from any other terms and conditions. There must also be a clear right to withdraw.
Please see the ICO’s page on Consent for further information.
For example, if you’re an organisation offering recruitment services, and you collect and process data relating to HR Managers from a range of businesses, the individuals within those businesses are likely to have a legitimate interest in your services, based upon their job function and seniority. This is a good example of how legitimate interest would apply in a B2B marketing scenario. If, however, as an organisation you purchased a large list of Gmail, Yahoo! or Hotmail email addresses without consideration of who was being sent your email marketing communication, and without thought as to the relevance of your email message, then you would be in breach of those individuals’ legitimate interest and therefore likely to be in breach of the GDPR regulation.
When leveraging legitimate interest as the lawful basis of processing personal data, you must also ensure that the rights and freedoms of the data subject are not compromised. Will your message put that person in danger? Will it land them in trouble? Are they likely to be personally negatively affected by your message? If so, then it is likely that your message will not be compliant with GDPR. Of course, for most B2B marketing it is highly unlikely that a data subject’s rights or freedoms will be compromised. At most they won’t be interested in your message, so it is essential to provide an ‘unsubscribe’ method, as the individual should always have the right to ‘opt out’.
‘You may email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and to screen any new marketing lists against that. In addition, many employees have personal corporate email addresses (e.g. [email protected]), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.’
This rule is also stipulated in GDPR guidelines:
‘If you are processing an individual’s personal data to send business to business texts and emails, the right to object at any time to the processing of their personal data for the purposes of direct marketing will apply. This right is absolute and you must stop processing to that individual for these purposes when an objection is received.’
Therefore, with regard to direct marketing specific to businesses, or individuals in a business capacity, it is permitted to send unsolicited messages – provided that the correct measures have been taken to ensure those individuals or businesses have an opportunity to object to such messages and opt-out from any further communications. Mass marketing, with poorly constructed messages of little value to the recipient, is likely to result in objection to such communications, and potentially reports of spam. All marketing messages should be relevant and specific to the needs of recipients. For more information on PECR, please read the following guidance: