GDPR has been designed to give individuals greater control over their personal data. This means that, for B2C companies, rules on consent have been tightened. But, whilst employee contact information is personal data, the rules for B2B are not the same. Consent is not required before contacting a lead.
For marketing consent, there are two conditions. First, you must give the contact a clear opportunity to unsubscribe or opt out from the marketing information. And second, the product or service you are marketing must be relevant to the audience.
So, if you’re promoting a trade show on engineering to an engineering firm, then you’ll be within the regulations. If you promote the same show to an accountancy firm, you won’t. And if you fail to provide an opportunity to opt out – in either case – then you’ll fall foul of GDPR. Remember, this only relates to employees of corporates – limited companies, limited liability partnerships, public sector organisations, etc. If your contact is a sole trader or partnership, then you’ll need to adopt a B2C approach.
Legitimate Reason for Outreach
Under GDPR, consent is not the only basis for contacting potential customers and clients. There are five other lawful bases for processing data. The most important one for B2B marketing is legitimate interest. This states that ‘processing is necessary for your legitimate interests or the legitimate interests of a third party’.
While it is the most flexible of the bases, your organisation will need to address three key areas. First, you will need to be clear about what the legitimate interest is. Note – commercial interests are also included. Then, you’ll need to show that processing is necessary to achieve the interest. Ask yourself if you need to use B2B marketing to achieve your goal. If not, then you cannot use this as a basis.
Finally, you’ll need to balance the interests of the individual with your own interests. For example, would a lead expect that you can use their data this way? Most importantly, you’ll need to document your processes, including why you have made particular decisions.
Managing your Data
GDPR calls for ‘privacy by design’ in the way you process personal data. In effect, this means that you’ll need to make sure your data is up-to-date and accurate, with secure management and processing systems.
All data processes need to be understood across your organisation. This means clear documentation for every aspect of your data management. And it means telling all relevant staff about their responsibilities. Remember, you might also need to integrate different systems, so that your whole approach to data processing is GDPR compliant.
This can all sound daunting, but help is at hand. The UK Information Commissioner’s Office provides some useful guidance about GDPR. However, if you need any help, feel free to contact us.