Two years after the GDPR (General Data Protection Regulation) took effect, a lot of organisations remain unsure of how to approach compliance.
This is especially apparent in B2B marketing, which deals with both business information and personal information. Employees often don’t know which details are subject to the GDPR’s rules and how extensive their data protection practices should be.
Let’s take a look at their concerns and what you should do about them.
What data is affected?
The GDPR only applies to personal data – information that identifies or can identify a specific person, like names and ID numbers. Business data, such as a company name and an email address operated by multiple people, is not subject to the Regulation.
However, business email addresses and phone numbers do count as personal data if they are owned and operated by a single person. So, for example, ‘johnsmith@company[.]com’ is considered personal data but ‘techsupport@company[.]com’ isn’t.
How can you process personal data?
The GDPR states that personal data can only be processed if the data subject provides their consent or if the information is required:
- To complete contractual obligations;
- To fulfil legal obligations;
- To protect the data subject’s, or someone else’s, vital interests;
- To complete a task in the public interest; or
- To fulfil the legitimate interests of the data controller without overriding the interests of the individual.
Of these, only consent and legitimate interests realistically apply to B2B marketing.
Given that the GDPR’s rules for obtaining and maintaining consent are strict – and the pitfalls numerous – it should only be sought if you cannot rely on legitimate interests.
Legitimate interests are the broadest of the GDPR’s lawful bases for processing personal data, and generally apply whenever an organisation uses personal data in a way that the data subject would reasonably expect.
‘Interests’ can refer to almost anything here, including an organisation’s or a third party’s commercial interests, or wider societal benefits.
The Regulation even specifically states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
There are some conditions for relying on legitimate interests for marketing purposes. Since data subjects must reasonably expect the processing, you should only market to them if you have an existing commercial relationship with them.
If, for example, they have downloaded a brochure on one of your services, you can follow up by marketing similar services to them via email or text.
Remember, however, that you must allow your subjects to opt out at any time, without any negative impact on them.
You also need to document your justification for using a lawful basis for processing, something that requires much more thought when it comes to legitimate interests than, say, a contractual or legal obligation.
Documenting your data processing practices
The documentation process is essential for GDPR compliance, as it proves to individuals and supervisory authorities that you’ve taken the appropriate precautions regarding personal data.
This will help in the event of a regulatory investigation into your practices – which may occur after a data breach or complaint – or when you receive a DSAR (data subject access request).
Having the right documentation in place enables you to quickly find the information you need and satisfy the concerns of interested parties.
Documentation also helps you streamline your business processes. For example, there are several requirements related to the way you collect personal data – such as limits on how long you store it – that are much easier to comply with if you have oversight of your data collection practices.
Boost your GDPR expertise
You can find out more about how to ensure your organisation is compliant with our Certified GDPR Foundation Distance Learning Training Course.
This course provides a comprehensive overview of the GDPR, and is an essential solution to help you tackle the data protection risks resulting from the novel coronavirus pandemic.
If your organisation is among the many following work from home policies, you’ll have first-hand experience of the strain caused by the growing dependence on digital tools – many of which may be unfamiliar to your team – and the uncertainty surrounding your business operations.
These issues weaken your security measures and open the door for cyber criminals, whose operations will thrive during the chaos.
Without in-person support from data protection and cyber security experts, staff rely on managers more than ever for guidance on how to work safely and within the GDPR’s requirements.
By enrolling on this course, you’ll learn everything you need to lead your team through these challenging times.