GDPR protects the personal data of individuals. So, information about commercial entities, such as limited companies, isn’t covered by the regulations. However, this does not mean you can ignore data protection principles altogether when engaged in activities such as B2B marketing. Even then, it’s likely that you will have to be GDPR compliant if you can identify an individual at a particular organisation through the data you hold. Similarly, the Privacy and Electronic Communications Regulations (PECR) limit the way businesses can use emails, texts and phone calls in their B2B marketing efforts – albeit to a lesser extent than when targeting individuals.
In this guide to the way GDPR and PECR impact your B2B marketing campaigns we will look at the regulations and examine some of the issues our small and medium-sized business clients regularly encounter. If you have any specific enquiries or requests, contact one of our data protection lawyers today.
- How does GDPR apply to B2B marketing?
- What if we’re not GDPR compliant?
- How does PECR apply to B2B marketing?
- Consent vs. legitimate interests
- How do you obtain appropriate consent for B2B marketing?
- When can you rely on ‘legitimate interest’?
- What do you need to know in relation to ‘opting out’?
- What do you need to know about marketing calls?
- What do you need to know about marketing emails?
- Can we use publicly available data to send business-to-business marketing?
- What about buying and selling marketing lists?
How does GDPR apply to B2B marketing?
If, during your B2B marketing, you process personal data then generally the GDPR rules apply. Even though you may be targeting a particular organisation as a whole, if you have the name, address or other personal information about an individual employee or officer of the company, and you use this in the course of your B2B marketing, GDPR applies. This also means GDPR sanctions will be available to the regulator if you breach the rules.
You might find our guide on what constitutes personal data under GDPR useful.
What if we’re not GDPR compliant?
Whilst compliance is an ongoing factor for your business, you must be GDPR compliant, or at least strive to be as much as possible, simply because you can’t afford not to be. The impact of non-compliance is costly. There are two levels of fines:
1. Lower level
Potential fines of up to £8.7 million under the UK GDPR, or 2% of annual global turnover, can be issued for infringements of:
- Article 8 (conditions for children’s consent)
- Article 11 (processing that doesn’t require identification)
- Articles 25 – 39 (general obligations of processors and controllers)
- Article 42 (certification)
- Article 43 (certification bodies)
2. Higher level
Potential fines of up to £17.5 million under the UK GDPR, or 4% of annual global turnover, can be issued for infringements of:
- Article 5 (data processing principles)
- Article 6 (lawfulness of processing)
- Article 7 (conditions for consent)
- Article 9 (processing of special categories of data)
- Articles 12 – 22 (data subjects’ rights)
- Articles 44 – 49 (data transfers to third countries or international organisations)
Senior management may be held directly responsible if the business is non-compliant. You may also find companies and consumers losing trust in how you look after their personal data. Supervisory authorities not only impose fines, but they also name and shame. People will not be willing to put their personal data at risk with a business that cannot demonstrate compliance with data protection laws, and will instead move on to the next competitor that can show compliance.
GDPR compliance is an ongoing process and one that cannot be put in place immediately. However, our data protection solicitors are on hand and ready to assist in making this a swift and easy process.
How does PECR apply to B2B marketing?
PECR sits alongside GDPR to bolster the regulation of unsolicited direct marketing by phone, email, text, or other electronic means. The Data Protection Act 2018 specifies that direct marketing is ‘the communication of advertising or marketing material which is directed to a particular individual’. The rules are less strict when you are targeting a company rather than an individual. You should also be aware that partnership and sole trader businesses are treated as individuals for the purposes of direct marketing.
Under both PECR and GDPR, different forms of marketing attract different rules. For example, when sending unsolicited emails to a corporate subscriber you don’t need consent (but you would need consent if sending such an email to an individual). Instead, identifying yourself and providing contact details within the email is sufficient for compliance purposes.
Consent vs. legitimate interests
If your B2B marketing communications are caught by GDPR and PECR (that is, you are processing personal data during your marketing activities) then you need to establish a lawful basis for processing the information. ‘Consent’ and ‘legitimate interests’ are two of the most common grounds relied upon when it comes to justifying B2B marketing communications under GDPR and PECR.
How do you obtain appropriate consent for B2B marketing?
When processing any data under GDPR or PECR, including personal data used for B2B marketing, you must obtain consent that’s freely given, specific and informed. So before sending texts or making marketing calls you must ensure you have obtained valid consent. You must record what an individual has consented to and be able to demonstrate – if requested by the ICO – how you obtained consent. If you engage in marketing without obtaining proper consent you may face regulatory scrutiny and punitive fines so it’s important to have the right procedures in place to ensure compliance.
When can you rely on ‘legitimate interest’?
A lot of B2B marketing can be justified under the legitimate interest basis for processing personal data. You will need to establish:
- A specific interest for the processing
- The processing of the data is necessary to achieve this purpose
- On balance, the processing does not override the interests of the individual
The legitimate interest ground for processing data is often preferred because it is flexible and gives you greater control over your processing. Whereas if you rely on consent, you never know when an individual might withdraw that consent and render further processing unlawful. That said, there is a considerable amount of work involved in identifying a legitimate interest, demonstrating the necessity of the processing, and then undertaking a balancing exercise to ensure the interest isn’t undermined by the rights of the individual.
What do you need to know in relation to ‘opting out’?
Opt-out boxes are not an appropriate method of obtaining consent to use personal data in B2B direct marketing activity. Valid consent under GDPR and PECR must be freely given, specific and informed. GDPR is underpinned by the idea of transparency, so it follows that any consent you rely on to process data must be unambiguous. GDPR requires that consent should be given by a clear and affirmative act. This might be by ticking a box when visiting a website or choosing certain technical settings. In the ICO’s opinion the problem with opt-out boxes is that they are more or less the same as pre-ticked consent boxes – they rely on an individual’s inaction (failing to untick the box) in order to obtain consent.
Once consent is obtained you must have appropriate protocols in place to allow ‘opting out’ – individuals must be able to withdraw their consent easily, at any time and ideally in the same way as they gave consent in the first place.
What do you need to know about marketing calls?
Protecting consumers is at the heart of the GDPR/PECR data protection regime. The ‘cold-calling’ of potential customers and scam calling has long been a concern of regulators. GDPR and PECR in large part are aimed at addressing issues like this.
The two main things to bear in mind about B2B marketing calls are as follows:
- If a company has explicitly agreed to receive calls from you, through an opt-in box on your website for example, you can contact them for marketing purposes.
- Businesses can register with telephone preference services to indicate they do not wish to receive unsolicited marketing calls. Provided you check these registers and confirm that the business you wish to call is not listed on them, you may call it without breaching the data protection rules.
Businesses should take note that the ICO regularly intervenes in relation to marketing calls made in contravention of the rules, imposing significant financial penalties on organisations found to have breached them.
What do you need to know about marketing emails?
There is no bar on emailing or texting a company, but from a reputational point of view it’s always good practice to carefully monitor any email campaign you embark on. Many of our clients maintain an up-to-date register of companies that have objected to being contacted in the past, to ensure they aren’t contacted by email or text in future.
Remember that sole traders and partnerships are classed as individuals under the rules. You’ll need explicit consent to email them unless they have purchased something from you before or used your services and didn’t opt out of receiving marketing messages.
Read our guide to email marketing compliance for more information on obtaining consent for email communications.
Can we use publicly available data to send business-to-business marketing?
The ICO makes clear that GDPR applies to business-to-business marketing if the business details you use contain personal data, rather than business data. For example, if you were sending an email from your business to firstname.lastname@example.org, you will need to comply with GDPR and PECR. If you are sending a marketing email from your business to another business, for example email@example.com, which clearly doesn’t contain any personal data, then data protection laws won’t apply. However, for PECR you must confirm who you are and inform them how they can opt out from receiving further marketing emails from you.
What about buying and selling marketing lists?
Accurate mailing lists are a hugely valuable tool for B2B marketing: their uses include providing a way to track a customer’s use of your products and services and testing out new commercial offerings. But with the backdrop of GDPR and PECR you must ensure that you use the personal data on marketing lists in a way that fully complies with data protection rules. You should consider the following:
- Buying marketing lists: You can legitimately use information contained in marketing lists you acquire from a third party. But before calling companies on the list, you should ensure you follow the rules about checking call-screening registers and, where contacting a sole trader or partnership, ensure that they have given specific consent to marketing calls. In relation to emailing contacts on a bought-in list you must check that organisations have agreed to receive the type of message you intend to send. A blanket agreement to receive texts or emails from third parties will not normally be sufficient to meet GDPR requirements.
- Selling your mailing lists: It’s possible to sell marketing lists you have compiled internally. However, the details you sell will only be of use to third parties if the organisations listed have given specific consent to receive the type of message the purchaser of your list intends to send. As seller of the list, GDPR requires you to keep detailed records of how you obtained consent and the purpose for which that consent was given.
The rules around B2B marketing are complex, and the ICO takes breaches of the rules seriously, regularly imposing fines on relatively small and medium-sized businesses. It’s essential therefore that you have systems in place to ensure compliance with GDPR and PECR, and that there is regular staff awareness training.