GDPR and B2B Marketing – What You Need to Know
If you are a vendor that does business with customers in the 27 nations of the European Union (EU), you cannot have failed to notice that a new data protection regulation takes effect on May 25th, 2018.
The General Data Protection Regulation (GDPR) is intended to harmonize the hodge-podge of regulations between the EU members into a streamlined single set of regulations.
The key components are:
You must receive an explicit opt-in permission from the client to send them marketing emails.
You must have clear policies explaining how you acquired the data and how you intend to use it, and produce that information on request by the prospect.
Social Media platforms are subject to the same protections.
Fines for non-compliance could be heavy – in theory….
The law applies to EU residents, not citizens.
There is specific personal data you are not allowed to collect under any circumstances. These include:
Political beliefs or affiliations
Each EU member country is responsible for applying the law in its own country using its appropriate data protection authority.
The B2B marketing industry has interpreted the ramifications in various ways, from an opportunity to cleanse and scrub your DB to the marketing “Apocalypse”.
We detect a little of the same hype and hysteria that surrounded Y2K. On Jan 1st, 2000 there was only 1 minor incident reported despite the dire warnings of the technology Apocalypse.
Our opinion is that GDPR is not as onerous as some observers would have you believe. Understanding what is permitted and making a few tweaks and operational changes should keep you out of trouble if you are doing B2B direct marketing in the EU countries.
Here are some facts about data privacy laws already enacted in other countries:
Since the Canadian CASL law was introduced in 2015 there have only been 5 prosecutions under the law, and all of the companies prosecuted were B2C companies who exhibited particularly egregious spam behavior. Total fines levied = $1.5M. No B2B marketing companies have been sanctioned to date.
The UK Information Commissioner's Office (ICO) is responsible for enforcing data privacy regulations (including GDPR) in the UK. The ICO publishes fines and sanctions under the UK’s already strict data privacy laws, and these are the key observations:
The heaviest fines have been handed down to nuisance B2B robo-callers and robo-texting companies, not Spammers
Almost all the Spammers on the list are B2C marketing operations with large numbers of complaints
This author could find no examples of a significant prosecution of a B2B marketing operation.
Under GDPR there is a clause defined as:
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
You will need to get legal confirmation on this clause, but we interpret it as: a crisp marketing message targeted at a well-defined and narrower target audience permits direct marketing to the prospect, provided the other requirements of GDPR are met (see below).
We believe this particular clause was added to ease the burden on legitimate B2B marketing operations, provided you don’t engage in indiscriminate blast email marketing to overly broadly defined prospects. E.g. Sending emails to 100,00 employees of a large company in an attempt to reach 100 specific prospects.
Our Opinion on GDPR and its effect on your B2B marketing operation is as follows:
If you build contact data that clearly shows the contact is located outside the countries covered by GDPR you have little to fear.
The prosecutions of marketers within the EU prior to GDPR have focused on dealing with the most egregious B2C (i.e. Retail) spammers and nuisance telemarketers. If you aren’t one of these, you have nothing to fear.
The GDPR subject countries will not have the administrative resources to pursue every single possible infraction so, like many other compliance regimes, they will focus their efforts on the worst offenders, the vast majority of which will still be B2C operations. Put basic safeguards in and run a clean professional B2B operation and you are unlikely to attract attention.
B2B marketing may be permitted under the GDPR 6(1)(f) Legitimate Interest clause.
Even if you do B2B marketing to contacts inside the EU you are unlikely to be pursued if you run a clean, professional operation that obeys the spirit as well as the elements of the law. Those would be:
Provide an unsubscribe link in all communications so the customer can unsubscribe at any time
If a customer does unsubscribe, build a mechanism to scrub their data from your databases
Provide an online policy that states what you use the data for
Appoint a person to the full or part time role of Data Protection Officer (DPO)
Do not attempt to collect the prohibited data points explicitly listed under GDPR
Make sure opt-in and later opt-out requests are recorded and can be produced on demand if a legal challenge should emerge
Use an email or marketing tool that includes an unsubscribe function that can be used in all campaigns.
In our next bulletin we will explain how Digital Personal services can help your marketing efforts while keeping you out of trouble with GDPR.
Here are some links to good articles that drill down into the issues around GDPR
GDPR: What Europe’s New Privacy Law Means for Email Marketers
The 5 things You Must Know About EMail Consent Under GDPR
GDPR and Social Media Strategies