It’s the elephant in the room for organisations everywhere: the General Data Protection Regulation, or the GDPR. But it’s not as scary as all that! GDPR is an evolution. It’s an evolution of data protection regulations that are already in place, regulations that businesses already have to comply with. We are currently in a “period of grace” before the GDPR rules are fully enforced, and so we must use this time wisely to fully prepare.
A few key areas are changing, and we all need to knuckle down and check we’re compliant by 25th May 2018; but as the Information Commissioner’s Office (ICO) point out, if you’re already compliant with the current regulations, then you’re almost there!
The major question is - how will this affect the world of B2B marketing? In this blog we aim to take you through a few ways the new GDPR will alter B2B marketing, and the simple steps you can implement to have fully compliant marketing systems. The important thing is not to fear it or worse, ignore it. The best thing B2B marketers can do right now, is to understand GDPR and the truth about how it will affect their business. Data is at the very heart of our business, and we make it our business to ensure we are ahead of the crowd when it comes to understanding data regulation and compliance.
What Data Matters for the GDPR?
The first thing to do is address the key area of the GDPR (Hint: it’s in the title!): Data. It’s a known fact that the GDPR applies to “personal data” and “sensitive personal data”, but not to “business data”. But how do we distinguish between these terms and ensure no wires are crossed in confusion? Data can be defined as follows:
- Personal Data: Any information that allows a person to be directly or indirectly identified. The obvious fields of “personal data” are names and identity numbers, but factors such as location and online identifiers (emails/usernames) also count under the ICO definition.
- Sensitive Personal Data: This is referred to in the GDPR as “special categories of personal data”, and mainly covers data surrounding genetics and biometrics.
- Business Data: The GDPR only applies to data relating to individuals, not to businesses. So data that is clearly related to a business, such as business name and address, landline number and an info@ email address, is outside of GDPR ruling. However, personal business email addresses can fall under the classification of “personal data”. There has been some ambiguity around the subject from the ePrivacy Regulation, though it appears that where a name is present in the body of an email address, that address counts as “personal data”, whatever the format of the name (initialised, abbreviated etc.). So this data must be processed in compliance with the GDPR, and it will affect which lawful basis of processing you choose under the GDPR.
We have pulled together everything marketers need to know about GDPR in one handy infographic:
GDPR Lawful Basis for Processing Data
“You must have a valid lawful basis in order to process personal data” – The ICO
The GDPR is meticulous in its requirements for all data to be processed under a lawful basis. It allows six different options, encouraging companies to choose the basis that applies best to their needs in each business area.
The six different lawful bases for processing personal data are:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interest
These are intended to be all-encompassing, covering every type of organisation as well as all departments within them. Some are not applicable to B2B marketing; the two main lawful bases for processing personal data that apply to B2B marketing are ‘Consent’ and ‘Legitimate Interest’. Let’s explore each of those further:
- Consent
Consent is the most commonly known and practised lawful basis of processing used by organisations currently, but the new GDPR has rigid rules surrounding consent. If it’s your chosen path, then you’ll need to check your ongoing systems for consent in detail and refresh them accordingly.
The most notable change is to the definitive “opt-in” process. This cannot be in any way ambiguous; for example, pre-ticked opt-in boxes are expressly unlawful under the new consent regulations. Opt-in must be a separate, individual and “granular” process, singled out from any other terms and conditions. There must also be a clear right to withdraw.
Please see the ICO’s page on Consent for further information.
- Legitimate Interest
The ICO labels Legitimate Interest as “the most flexible” of all the lawful bases of processing, and it is likely that data processing for most B2B marketing departments will sit comfortably within this basis. In essence, it allows you to process personal data on the grounds that your organisation is working towards the legitimate interest of the individual, and this can include commercial interests. As long as the data processing doesn’t infringe on the rights and freedoms of an individual, and you can show that the data subject (individual) in question is likely to have a legitimate interest in what you’re marketing, you can collect and process their data.
For example, if you’re an organisation offering HR software, and you collect and process data relating to HR Managers from a range of businesses, each such individual is likely to have a legitimate interest in your HR software, based upon their job function and seniority within the business. This is a clear example of how legitimate interest would apply in a B2B marketing scenario. If, however, your organisation purchased a large list of gmail, yahoo or hotmail email addresses without any consideration of who was being sent your email marketing communication, and without any thought as to the relevance of your email message, then you’d be in breach of their legitimate interest and would likely be in breach of the GDPR regulation.
When leveraging legitimate interest as the lawful basis for processing personal data, you must also ensure that the rights and freedoms of the data subject are not compromised. Will your message put that person in danger? Will it land them in trouble? Are they likely to be personally negatively affected by your message? If so, then it is likely that your message will not be compliant with the GDPR. Of course, for most B2B marketing it is highly unlikely that a data subject’s rights or freedoms will be compromised; at most they won’t be interested in your message. It is therefore essential to provide an ‘unsubscribe’ method, as the individual should always have the right to ‘opt out’.
Now is the perfect time to investigate whether legitimate interest will be suitable for your business, and if so, start putting together your policies around how you collect, process and store data, to demonstrate that you have conducted your due diligence in considering your data subjects.
Lead Forensics, the GDPR and Legitimate Interest
The Lead Forensics software identifies business visitors to your website. How much more of a legitimate interest is there than a person proactively visiting your website?! Use Lead Forensics to fuel your Lead Generation strategy, whilst also ensuring your compliance with the GDPR. Request your demonstration and trial here.
The Importance of Documentation
Another important aspect of the GDPR which will affect B2B marketing is the requirement to document all processes associated with personal data. At first, the prospect of documenting everything can seem a time-consuming and daunting task; however, the benefits of documenting thought processes and due diligence will pay dividends if ever your organisation is investigated by the ICO, and once completed, the documentation will only need periodic reviews, so the pain is short-lived! Whilst it will be time-consuming, by documenting processes and procedures you are likely to find further business benefit through better structures and a better framework for all data flowing through the business. You may find pockets of inefficiency that you can improve upon, and by conducting your due diligence around your data flows, you can be safe in the knowledge that your business is committed to protecting the freedoms of your data subjects and that your business processes are robust and secure.
The ICO have said that their main aim is to educate with regard to data protection, and that during an investigation they will assess the steps an organisation has taken and the risk to the data subjects. If an organisation can demonstrate proactive and thorough thinking, processes and procedures through comprehensive data planning, the ICO will be pragmatic and proactive in assisting the organisation in becoming further compliant. By documenting processes and procedures, an organisation will be putting itself in a strong position should an investigation ever take place. Businesses should review all data processes throughout all departments, and wherever personal data is involved, should review and document the end-to-end processes and rationale, including the data’s sourcing, purposes, sharing and retention. If you have 250 or more employees, then all processing activities must be documented; if you have fewer than 250 employees, the rules are slightly different. We would recommend, however, that the documentation process is in depth for all organisations, as it goes a long way to prove compliance and due diligence around your selected lawful basis for processing and any possible personal data breaches.
If your organisation has over 250 employees, you must elect a Data Protection Officer, who will oversee the documentation process and your organisation’s overall compliance with the GDPR. It will be up to you to assess where this will fit in your organisation, whether as a new role or in addition to an established one, but a fundamental part of their responsibilities should be to document the following:
- The details of the company and the details of the elected Data Protection Officer
- Categorisation of individuals, their personal data and the recipients of this data
- The purpose of processing, along with accurate information about your lawful basis of processing
- Your data retention schedules and rationale
- Evidence of due diligence around your selected method for lawful processing
- Details of any third parties that come into the data journey, including any overseas offices
- Records of security measures taken by the company in both technology and organisation
- The process for identifying a data breach and notifying the appropriate parties (who will require the above listed documentation)
All documentation should be in writing, and there should be an effective review process in place to ensure that all policies are kept up to date in line with changes within the business and in regulation. Business processes change all the time, and therefore it is important to consider compliance up front for all new processes, to ensure that your business is compliant both now and in the future.
Working with Third Parties
The GDPR won’t change an enormous amount for B2B marketing, especially when it comes to third parties. You’ll still be able to work alongside them as you do now; there are just some extra, cautionary steps needed to ensure compliance.
Remember to always request the privacy statement from the third party, and review their lawful basis for processing. Whether they work under consent or legitimate interest, it is best for you to investigate their procedures and be sure that the personal data in question has been considered under the same process. For example, if you’re an organisation that currently markets to businesses, and you document your use of the data for business marketing purposes, you will not be able to purchase consumer data and rely on the same lawful basis. You will need to document a separate process and conduct due diligence around the most suitable lawful basis for collecting and processing that specific data.
Ultimately, it all comes down to being confident in your compliance, and in that of your supply chain. Ensure that you procure and digest all relevant documentation, so that it aligns with your own policies. If you’re ever unsure, use the ICO website to find in-depth answers to any questions.
So there we have it: GDPR is nothing to hide from! By using these next vital few months to fully adapt to the new GDPR, you’ll breeze past 25th May 2018 without a worry. You can still have an amazing B2B marketing and lead generation strategy which brings your business great success whilst also being GDPR compliant.
Want to know more? Download our free guide “GDPR: What it means for Businesses”.
Lead Forensics is the essential software for ultimate lead generation, fully compliant with the GDPR lawful basis of legitimate interest. Fuel your sales pipeline by identifying your website visitors who are actively interested in your products and services. Find out more by requesting a demonstration now.
DISCLAIMER: Lead Forensics is a global market-leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients become better prepared ahead of the GDPR coming into force. Lead Forensics, however, does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure its own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information.