Companies dealing with B2B marketing data aren’t getting off the hook when the EU General Data Protection Regulation (GDPR) rolls into town. But where do you draw the line between business data and personal data? It’s fair to say the marketing landscape has changed since the first EU data protection directive was introduced 23 years ago. Back then, the internet was in its infancy, email was clunky, and inbound was just a twinkle in our eye. The major difference between the GDPR and what went before is that it's a regulation, not a directive. All EU member states will have to implement it as law. No ifs, no buts.
The GDPR is a regulation, not a directive, so it will have to be implemented - no ifs, no buts
With respect to consent and privacy, personal and B2B marketing data will be treated in much the same way. Allow us to explain why - and how.
Gaining consent to process business marketing data
GDPR formalises concepts such as the ‘right to be forgotten’, data breach notification and accountability - and those who fail to take it all seriously will be subject to fines. Big fines. In fact there are probably two things that most marketers already know about the GDPR:
- Consent is a big deal
- Non-compliance fines will be hefty
While the second of these is guaranteed to make any CEO sit up and take notice, consent is a slightly more abstract concept. Plus, aren’t B2B marketers with good practices already handling consent like pros? The answer is, kind of.
Let’s take a step back to a time when it seemed that GDPR might only ever apply to B2C data gathering. B2B communications were not explicitly mentioned in much of the interpretation when the first plans were rolled out a couple of years ago. By and large, the mention of ‘personal data’ led B2B digital marketers to jump to the conclusion that they were off the hook.
‘Thank goodness we don’t collect personal data,’ was the audible refrain from the B2B camp, as they dabbed beads of perspiration from their furrowed brows. Relief was short-lived when changes to the Privacy and Electronic Communications Regulations (PECR) came into clear view.
PECR sets out the rules on electronic communications, marketing calls, messages and email, cookies, and the provision of internet or telecoms services. The EU thought it was high time that these had a facelift too. So, concurrent with GDPR, PECR will be overhauled and a new ePrivacy Regulation will be implemented in its place, dovetailing with GDPR laws. This is really where the prospect of GDPR should be of special interest to B2B marketers.
The ePrivacy Directive ensures the protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector
It should be noted that much of this is upheld under the Data Protection Act 1998, which states that data relating to sole traders or partners is considered to be personal data - however, GDPR offers a new context and heightened awareness of consent within B2B marketing data collection. Consent can’t be circumvented purely because people have a work email address and, crucially, opting out should always be an option.
Who can I email and under what circumstances?
Here’s a sweeping summary:
“The key thing is that you are going to have to use a bit more clarification to users that they have these rights [to be ‘forgotten’], and then obtain their consent to use this data for commercial process”
- Simon Morrissey, head of data privacy at legal firm Lewis Silkin LLP
Consent is a core tenet of data protection law. However, it is a much more abstract concept than it appears - particularly when the conditions that must be met are muddied in the waters of change.
Only when GDPR and the ePrivacy Regulation come into effect later this year will we know their full scope and implications. But one thing is for sure: organisations need to prove they have processes in place to deal with data - and be prepared to show the regulators if they come rapping, too.
We’ll discuss Legitimate Interests, ‘soft’ opt and the role of EU member states - i.e. Ireland - in the ePrivacy Directive in our next blog.
[Please note: This blog is written from Squaredot’s point of view and understanding of the GDPR and changes to PECR (which is still in draft as of the publication date of this blog). Information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts and/or the Irish Data Protection Commission for any controversial questions.]