Business-to-business marketers have had countless questions about the GDPR (General Data Protection Regulation) since it took effect – and for good reason.
Sensitive data is at the centre of everything they do. They need names, contact information and any other relevant details if they are to advertise and spread awareness.
But is all this information subject to the Regulation’s requirements? And, in cases where it is, how can you protect the data and prevent data breaches?
In this blog, we explain how the GDPR affects B2B marketing.
What personal data is affected?
The GDPR only applies to personal data – information that identifies or can identify a specific person, like names and ID numbers.
Business data, such as a company name and an email address operated by multiple people, is not within its scope.
However, business email addresses and phone numbers do count as personal data if they are owned and operated by a single person. So, for example, ‘johnsmith@company[.]com’ is considered personal data but ‘techsupport@company[.]com’ isn’t.
The GDPR states that personal data can only be processed if organisations document one of six lawful bases. These are:
- If the individual provides their consent;
- When processing is necessary to complete contractual obligations;
- When processing is necessary to fulfil legal obligations;
- When processing protects the data subject’s, or someone else’s, vital interests;
- When processing is necessary to complete a task in the public interest; or
- When processing fulfils the legitimate interests of the data controller without overriding the interests of the individual.
Of these, only consent and legitimate interests realistically apply to B2B marketing.
Given that the GDPR’s rules for obtaining and maintaining consent are strict, it should only be sought if you cannot rely on legitimate interests.
Legitimate interests are the broadest of the GDPR’s lawful bases for processing personal data, and apply whenever an organisation uses personal data in a way that the data subject would reasonably expect.
‘Interests’ can refer to almost anything here, including an organisation or third party’s commercial interests or wider societal benefits.
The GDPR even specifically states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
There are some conditions for relying on legitimate interests for marketing purposes. Since data subjects must reasonably expect the processing, you should only market to them if you have an existing commercial relationship.
If, for example, they have downloaded a brochure on one of your services, you can follow up by marketing similar services to them via email or text.
Remember, however, that you must allow your subjects to opt out at any time, without any negative impact on them.
You also need to document your justification for using a lawful basis for processing, something that requires much more thought when it comes to legitimate interests than, say, a contractual or legal obligation.
Documenting your data processing practices
The documentation process is essential for GDPR compliance, as it proves to individuals and supervisory authorities that you’ve taken the appropriate precautions to prevent security incidents and protect people’s privacy.
This will help when you receive DSARs (data subject access requests) or in the event of a regulatory investigation, which may occur after a data breach or when someone submits a complaint.
Documentation also helps you streamline your business processes. For example, the GDPR contains several requirements related to the way you collect personal data – such as limits on how long you store it – that are much easier to comply with if you have oversight of your data collection practices.
How to meet your documentation requirements
Take the hassle out of documenting your compliance practices with our GDPR Toolkit.
Designed and developed by GDPR experts, this toolkit contains everything your marketing team needs to meet its documentation requirements.
You don’t need to be a data protection expert; you can simply take our 80 policies, procedures and checklists, and embed them into your organisation.
The toolkit also comes with tools to help you identify and address potential data protection weaknesses, as well as two licences for our GDPR Staff Awareness E-learning Course.
Meeting the documentation requirements of the GDPR doesn’t get any easier than this.
A version of this blog was originally published on 19 March 2020.