A lot has been written about the forthcoming General Data Protection Regulation (including plenty on Blue Sheep), and many businesses are frantically preparing to ensure that their customer database and marketing practices will conform to these new data laws.
Even so, there are plenty who would admit that they don’t really know what will happen when May 25th 2018 comes around. In many ways, GDPR reminds me of the whole ‘Y2K Millennium bug’ thing, when people were expecting their desktop computers to crash and everything electronic to explode the second we moved into the 21st century.
Once the GDPR is enacted, will we have a period of grace? Are we essentially waiting for the Information Commissioner's Office to claim its first big scalp before the reality of the changes hits home?
Adding to the confusion is a topic that we haven’t covered much here – how GDPR will affect B2B marketing. After all, GDPR is only concerned with the sort of personal data that B2C organisations collect, right?
Will GDPR apply to B2B marketers?
Up until recently, B2B marketers believed that their marketing practices would remain unchanged, because the GDPR did not specify B2B or B2C data. However, another piece of legislation – the Privacy and Electronic Communications Regulation (PECR, aka the ePrivacy Directive) – did.
PECR indicates what is acceptable for B2B email marketing: namely, that B2B marketers can use a soft opt-out approach for subscribers.
The thing is, PECR is also being overhauled. In its place, a new e-Privacy Regulation will be implemented that will “dovetail” with GDPR laws.
What new rules will the ePrivacy Regulation introduce?
Although an unfinalised draft, the new e-Privacy Regulation contains several key points relating to electronic communications that will affect B2B (and B2C) businesses, including:
Application to more communication services: The new regulation now includes instant and social messaging, VOIP, web-based email and the IoT, which will be covered by the same laws as phone calls, email and SMS.
Simplified rules on cookies: Users must be provided with simple opt-in/opt-out cookie consent choices. This is expected to be via their browser settings, rather than asking individual websites to deliver a cookie consent banner. However, the draft report explicitly prohibits making consent to tracking users a prerequisite to using a website or service – with a few exceptions.
Changes to soft opt-in: The soft opt-in (sending marketing messages to existing customers) from the previous PECR will remain, but has been slightly limited. The draft report states:
“It is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services” (Section 33)
However, while PECR allows for soft opt-ins during “negotiations of a sale”, the new Regulation demands that email contact be limited to “the context of the sale of a product or service.” (Article 16)
Are B2B emails classed as personal data?
Depending on whom you ask, you’ll hear mixed messages. An article from the Direct Marketing Association offered the following advice:
"When dealing with employees of corporates – that is, limited companies, LLPs, partnerships in Scotland and government departments – the rules for telephone and direct mail are the same, opt-out. When emailing or texting, you do not need the prior consent/opt-in from the individual. You can therefore send them a marketing email/text as long as you provide an easy way to opt out of future communications from you.”
However, the Data Protection Network says:
“The [ePrivacy Regulation] text is ambiguous as to whether a distinction can be drawn between corporate email addresses and individual email addresses… Named corporate B2B data (e.g. firstname.lastname@example.org) is personal data and would have to be processed in line with GDPR. B2B marketers would therefore need to make a choice between using Consent or Legitimate Interests for sending electronic communications.”
This last piece of advice could be particularly relevant if you are targeting sole traders, who could be treated as individuals. These people can only be emailed once you have acquired specific consent, or once they have bought from you and did not opt out of further communications.
Will there be any changes to direct marketing?
The rules will remain similar to those under PECR. However, the new Regulation does distinguish between B2B and B2C communications sent via “electronic communication services”. In B2C communications, the recipient must have consented to receive direct mail communications. For B2B, it is up to Member States to ensure that the legitimate interests of corporate end users are protected from unsolicited communications.
Either way, this communication needs to be ‘transparent’. That is, the recipient knows the communication is marketing, it is made clear whom it is from, and it is made easy to opt out in future.
Are there any changes to telemarketing?
The ePrivacy Regulation recommends the introduction of an “opt-out consent regime at a national level”. In the UK, this will likely be covered by existing screenings against the Telephone Preference Service.
What about Brexit?
We cover this in greater depth here, but the fact that the UK will still be an EU member state in 2018 means the country will be adhering to both GDPR and the new ePrivacy Regulation. Even after leaving, equivalent – if not identical – laws to GDPR will remain in place. It is my feeling that, with the new ePrivacy laws so intertwined with GDPR, we can assume they will stay post-Brexit, too.
What should I be doing to prepare?
With the prospect of massive fines for non-compliance, it is in your interest to make all the relevant people in your business aware. Along with getting up to speed with new laws relating to obtaining consent and understanding data subject rights, you should also be knowledgeable about:
New data breach rules: Procedures are needed to detect, report and investigate personal data breaches. You can find out more about what’s required here.
Updates to privacy notices: These need to be readily available and free of complicated jargon, stating who you are, what personal information you hold and what you plan to do with it. You must also highlight that individuals have a right to complain if they are unhappy with your use of their data.