Skip to main content

Due Diligence And Bought In Mailing Lists

Mon, 16/11/2020

Which Questions Should You Be Asking Your B2B Data Supplier?

Last month the Information Commissioner's Office (ICO) took enforcement action against credit reference giant Experian. After a two year investigation, the ICO could have fined Experian heavily but instead it opted for a polite request that Experian tackle its compliance issues. Proof that the ICO is not the ogre that jobbing data protection experts often allege.

But the ICO used the announcement to spread the word that if you buy in data, you need to do your own due diligence and make sure that the mailing list you are buying complies with GDPR. The ICO has put out a handy check-list of questions that you should be asking your data supplier.

Here are the ICO's basic list of questions that you should be asking Electric Marketing and other mailing list companies that you approach for data quotes.

Who compiled the data? Electric Marketing compiles its own list data. Nothing is outsourced or bought in.

Where was the data obtained from? We use publicly available sources and monitor the business press, business news websites and business social media. All information is checked, with a phone call to the company, before it is added to our mailing lists.

What were individuals told that their data would be used for? Electric Marketing emails every individual before they are added to our live database This is demanded by GDPR's Right To Be Informed and it is one of the issues that tripped up Experian. Our email explains that companies will contact them with news of products and services that are relevant to their job. This is behind our insistence that Electric Marketing lists can only be used for business-to-business marketing.

How old is the data and when was it last updated? Electric Marketing data is updated with a phone call to the company twice a year. During the pandemic, where we cannot contact all companies by phone, we are using email and online sources to verify some of our data. It is a labour-intensive process but Electric Marketing is proud of its reputation for reliable, accurate data and we think that this is worth the trouble.

How was the data collected - what was the context and method of collection? Data is sourced online and checked with a phone call to the company. As we only add senior managers, directors and decision makers to the mailing lists, we usually cannot speak to these busy individuals personally to confirm their information. So we rely on PAs, receptions and EAs to confirm that the information we have is correct. We do not make a phone call into a company until we are pretty sure that we have the correctly spelt name, job title, address and email address of the individual.

Records of consent (if it is 'consented data') - what did data subjects consent to, what were they told and was your company named? Electric Marketing's data is not 'consented data'. Note that for data to be 'consented', your company needs to be named when the data is collected ie before the list is sold to you. This is a new requirement under GDPR and it essentially knocked all consented lists out of the list market in 2018. If anyone is offering you a mailing list 'with all consents', this is now a red flag.

Evidence that the data has been checked against opt-out lists - can it be demonstrated that data has been screened against the TPS or CTPS? We screen our data against the fresh CTPS list every morning. Electric Marketing takes a daily feed from the Corporate Telephone Preference Service (CTPS) which is a list of phone numbers of businesses which have opted out of received sales and marketing phone calls. On all Electric Marketing lists, phone numbers on the CTPS are marked with the letters CTPS before the phone numbers that you must not call. It is worth bearing in mind that companies on the CTPS must update their registration annually, so a company on the Do Not Call list last year, may no longer be on it.

How does the data supplier deal with individual's rights? Do they pass on objections? If an individual contacts Electric Marketing requesting to be removed from our mailing lists, they are immediately removed. We send an email to the clients who have accessed that data record in the last year. This does not happen too often as most individuals who are minded to unsubscribe do so when they receive our initial Right To Be Informed email. If a data subject contacts your company and wants to be removed from your list, it is up to you to remove them and keep your own file of your 'unsubscribes' so that you do not contact them again. I'm afraid we cannot do this bit for you.

What About PECR? PECR’s (Privacy & Electronic Communications Regulation) rule that consent must be given before marketing emails can be sent to individuals does not apply to business-to-business email marketing in the UK. The UK negotiated an opt-out for b2b email marketing back in 2003. PECR does apply to all consumer email marketing and also to all email marketing in the rest of the EU. Although the UK has left the EU, the rules of PECR and GDPR apply in the UK.

This might seem like a lot of questions but responsible data suppliers are well used to answering them. Plus you only have to do it once. Once you have satisfied yourself that your data supplier is compliant, you can stick with them. Electric Marketing has been supplying mailing lists for 29 years next month. We're happy that lots of companies have stuck with us and continue to trust us for reliable, accurate (and compliant) mailing lists.

If you are worried about GDPR and how it affects your business-to-business email marketing, please see our guide to GDPR for b2b marketers.