GDPR sure has been a long time coming. We’ve been worrying about the effects of the new Data Protection legislation from Europe since 2011. We are now a year away from the deadline of 25 May 2018 to comply. And Brexit won’t save us.
For consumer marketers there are big changes but for b2b marketing, changes need to be made but they are not too onerous. And if you already comply with current legislation, you will find yourself with a pretty short to-do list for GDPR.
Electric Marketing has prepared this guide to GDPR for b2b marketing. It focuses on what is relevant for b2b marketing.
The key change is that a company must show itself to be compliant with the rules. Write a policy document which sets out how you comply with the rules. Our guide puts the eight key issues into simple language that your policy document must cover.
There is a lot of misinformation out there about how email marketing will be affected by the new rules. This is certainly true for consumer marketing but b2b email marketing is not governed by GDPR, it is covered by the Privacy & Electronic Communications Regulation (PECR).
Until PECR is updated, the rules for b2b email marketing remain as they are ie you may send an email to a person’s business email address about business matters without first gaining their permission. Your email must have an opt-out mechanism. If the person opts out, you must not email them again. This is known as an ‘opt-out regime’.
What About Consent?
If you are using data for the sole purpose of b2b direct marketing, you do not need the prospect’s consent to do so. GDPR gives six reasons for lawfully processing data ie using emailing lists. Read them here on the Information Commissioner’s website.
B2B marketing does not rely on consent as the reason for data processing. Your policy document will say that you are processing data for the reason that the GDPR calls “legitimate interest” ie you have a legitimate business interest in emailing the person at their business email address.
Worried About PECR (Privacy & Electronic Communications Regulation 2003)?
The EU has an ambition to update the rules of PECR in May 2018 and has drafted legislation. The draft legislation appears to allow the UK to retain its opt-out regime for b2b marketing and while this could change, it seems unlikely. It is also possible that the EU’s timetable for updating PECR may slip beyond May 2018.
So PECR is as yet unknowable but if the EU’s timetable for the legislation slips just ten months to beyond March 2019, the UK’s Great Repeal Bill may not include the PECR update. To read more about the likely effects of the PECR update, look at solicitors Bird & Bird’s take on PECR here.
On 26 March 2016 the Information Commissioner issued new guidance on Data Protection and Privacy & Electronic Communications Regulations for direct marketing.
The full guidance can be read here https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf but we’ve extracted the sections for business-to-business marketing and they are shown below:
Business-to-business texts and emails
1. Rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.
2. However, it serves little purpose to send unsolicited marketing messages to those who have gone to the trouble of saying they do not want to receive them.
3. Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individuals. If an organisation does not know whether a business is a corporate body or not, it cannot be sure which rules apply. Therefore we strongly recommend that organisations respect requests from any business not to email them.
4. In addition, many employees have personal corporate email addresses (eg firstname.lastname@example.org), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.
1. Sole traders and partnerships may register their numbers with the Telephone Preference Service (TPS) in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (CTPS). So organisations making business-to-business marketing calls will need to screen against both the TPS and CTPS registers.
The right to opt out
1. Organisations must not make unsolicited marketing calls to a person who has said that they don’t want those calls. In other words, there is a right to opt out, and organisations cannot call someone who has objected to or opted out of marketing calls.
Organisations should not make it difficult to opt out, for example by asking individuals to complete a form or confirm in writing. As soon as an individual has clearly said that they don’t want the calls, they must stop.
2. If an individual objects or opts out at any time, their details should be suppressed as soon as possible. It is important not to simply delete their details entirely, otherwise there is no way of ensuring that the organisation does not call them again.
3. Organisations must not send marketing texts or emails to an individual who has said they do not want to receive them. Individuals have a right to opt out of receiving marketing at any time. Organisations must comply with any written objections promptly to comply with the DPA – but even if there is no written objection, as soon as an individual says they don’t want the texts or emails, this will override any existing consent or soft opt-in under PECR and they must stop.
4. Organisations must not make it difficult to opt out, for example by asking individuals to complete a form or confirm in writing. It is good practice to allow the individual to respond directly to the message – in other words, to use the same simple method as required for the soft opt-in. In any event, as soon as an individual has clearly said that they don’t want the texts or emails, the organisation must stop, even if the individual hasn’t used its preferred method of communication.
5. If an individual objects or opts out at any time, their details should be suppressed from marketing lists as soon as possible. It is important not to simply delete their details entirely, otherwise there is no way of ensuring that the organisation does not contact them again.
EU Regulation On Data Protection Unlikely To Become UK Law Before 2019
Nearly four years into the process, the Council of the European Union has now decided on its negotiating position for the trilogue with the European Parliament and the European Commission. There is now a timetable running to December 2015, during which representatives from the Council, the Parliament and the Commission will come together to decide on the final wording of the new EU-wide data protection regulation. This means that if they stick to this timetable, which on past form is by no means certain, by the end of 2015 we should know how the new regulations will affect direct marketers in the UK.
Among the controversial questions still to be thrashed out are:
What is the precise definition of ‘personal data’?
How will the ‘right to be forgotten’ work in practice?
What exactly is meant by the ‘legitimate interest’ of data controllers? Does this include marketing? And if it does, does it include any or all of consumer marketing, B2B marketing, online marketing and offline marketing?
Must consent be ‘explicit’ or not?
Will compulsory data breach notification apply to minor breaches or just high risk breaches?
Will all businesses be required to have a data protection officer?
What happens if EU data protection rules conflict with a non-EU country’s data protection rules?
While we might know what the new regulations will be by the end of 2015, they are unlikely to be adopted into EU law before mid-2016. In fact the Information Commissioner’s Office now estimates that the two year run-in period before the regulations become compulsory can realistically be expected to start at the end of 2016, meaning that they will not be enforced in the UK before the beginning of 2019.
We are following the progress of the proposed EU Regulation on Data Protection very closely.
While the MEPs voted overwhelmingly for a set of proposals which would outlaw list broking, cold telemarketing and cold mailing to named contacts, the Ministers of Justice & Home Affairs from each of the 27 EU nations are taking a more business-friendly, risk-based approach. They met on 10 October to agree their own set of proposals. They will meet again in January 2015 to try to reach agreement on the issue of the ‘right to be forgotten’.
When the Ministers of Justice & Home Affairs have reached agreement, then the three-way negotiations with the European Parliament and the European Commission begin. This is likely to happen in the second half of 2015.
According to the DMA (Direct Marketing Association), this progress means that the Regulation could be passed into EU law by late 2015. The UK then has two years to implement the law, which means that the Regulation could be enforced in the UK by late 2017 or more likely, early 2018.
To increase the uncertainty of what may happen in direct marketing, David Cameron has promised an ‘in/out referendum’ on Britain’s membership of the EU before 2018. It seems unlikely, but by 2018 we might be negotiating our way out of the EU.
To read the full text of the DMA’s article, written by solicitor James Milligan, see here.
Proposed EU Regulation on Data Protection will affect all businesses using mailing or email lists to prospect for new customers
We’ve been lobbying against the proposed new EU data protection legislation for getting on for two years now.
Earlier in 2014 the EU Parliament agreed a piece of draconian legislation that would outlaw list broking, insist on written consent for all marketing communications sent to a named person, with no distinction between b2b and b2c, and effectively finish off personalised marketing to anyone other than your recent customers. If that legislation were enacted it would mean the end of direct marketing as we know it. We will return to the days of writing to Dear Marketing Manager or Dear Stationery Buyer.
Following this vote there have been some alarmist blogs placed on the DMA’s website which have stirred the small business community into panic. Here’s one from June
However the reality is that the EU is still debating what form the legislation will take and what that legislation will be. The European Parliament has voted for this legislation but that does not mean that it will become law.
The European Commission, the European Parliament and the Council of Ministers have now all drafted three different versions of the proposed data protection regulation. The European Parliament draft is by far the most damaging for anyone who uses mailing or email lists to prospect for new customers. The three bodies will enter into negotiations as to which elements of each version will become EU law.
There are two types of EU legislation;
1. EU Regulation which obliges all countries to enact the legislation without amendment
2. EU Directive which has to be debated and passed through the UK Parliament at Westminster and to which amendments can be made.
The current UK Government is pushing for the laws to become a Directive, which will give UK MPs some leeway to alter the legislation as it applies to the UK.
It should be borne in mind that the UK amended the last similar piece of EU legislation (a Directive) with the Electronic Communications Act specifically allowing the sending of B2B emails in the UK without the sender first obtaining consent.
The UK coalition government opposes the proposals and is lobbying for them to be a Directive at the very worst. Unfortunately the Labour party is currently in favour of the proposals and has not replied to any of our letters on the subject.
As things stand we have at least two years until the law is changed.
If your company buys in data to use to prospect for new customers, please write to your MP, explaining what the proposed legislation will mean for you. Also write to Simon Hughes MP who is in charge of the UK negotiation with the EU. The more letters MPs receive, the more attention will be paid to the issue and it becomes less likely that the UK sleepwalks into agreeing to legislation that is damaging for business.
The time to write to your MEP has passed as the vote has happened and most UK MEPs (bar UKIP) voted in favour of the new draconian data laws. But it is always worth explaining to an MEP the consequences of their vote and the effect it will have on your business, our industry and the wider economy.
The European Parliament has voted to adopt the less business-friendly version of the Data Protection Regulation, proposed by the European Parliament’s Civil Liberties Justice and Home Affairs Committee (LIBE) in the November 2013 report.
The European Commission, the European Parliament and the Council of Ministers have now all drafted different versions of the proposed data protection regulation.
Europe’s Justice and Home Affairs ministers failed to reach an agreement on the draft legislation at their Council meeting in December 2013.
The Greek government has taken the chair of the Presidency of the EU Council and hopes to thrash out an agreement on the wording of the new legislation by summer 2014. If this happens it is possible that the new regulations could be agreed in 2014 and become law in 2017.
What impact will these changes have on your business? See http://www.electricmarketing.co.uk/EUdata.html
We wrote to a variety of MEPs, MPs, government ministers, other politicians and business organisations.
Here are summaries of their responses:
Charles Tannock MEP, Conservative – no response yet
Claude Moraes MEP, Labour – no response yet
Baroness Sarah Ludford MEP, Liberal Democrat – I am seeking to create an instrument with standards that are workable, realistic and enforceable by being user-friendly for citizens, allowing reasonable business to proceed, focused on outcomes rather than on process and tick-box exercise, and tough in sanctions on companies which practise deception or otherwise cheat the customer.
Dr Syed Kamall MEP, Conservative – The regulations must protect the privacy of citizens without putting too much of a burden on small and medium sized businesses. There is still a long way to go but we are optimistic a good result can be achieved.
Gerard Batten MEP, UK Independence Party – All legislation affecting citizens of the UK should be made at Westminster. I will therefore be voting against these regulations.
Jean Lambert MEP, Green – no response yet
Mary Honeyball MEP, Labour – I do not sit on the committees considering this matter. [BUT SHE DOES GET TO VOTE ON IT]
Marina Yannakoudakis MEP, Conservative – The regulations must protect the privacy of citizens without putting too much of a burden on small and medium sized businesses. There is still a long way to go but we are optimistic a good result can be achieved.
David Cameron, Prime Minister – It’s the responsibility of the Business Secretary, so I’ve passed your letter to Vince Cable.
Vince Cable, Business Secretary – Letter passed to the Ministry of Justice.
Lord McNally, Justice Minister, Liberal Democrat – We want to protect the civil liberties of individuals while allowing for economic growth and innovation. The UK benefits of the proposals are outweighed by the costs of additional administrative and compliance measures they introduce. The regulations in their current form could have a net cost to the UK economy of £100m-£360m per annum. The Government’s position is to negotiate for EU legislation that does not impose disproportionate burdens on business, including the direct marketing industry.
Ed Miliband MP, Leader of the Opposition – Your comments have been noted.
Boris Johnson, Mayor of London – I have no input to this. Try writing to the Direct Marketing Association.
Chuka Umunna, Shadow Business Secretary – no response yet
Nick Clegg, Deputy Prime Minister – no response yet
Institute of Directors – We are working on forming a policy position around the incoming legislation.
Federation of Small Businesses – We agree that the new rules will have a devastating effect on the direct marketing industry and are working hard to have them changed.
You may have heard that the European Union is planning sweeping changes to data protection laws. What you may not have realised is the impact these changes will have on your business.
As the proposals currently stand it will become illegal to
- send a mailshot
- send a promotional email
- make a telemarketing call
to any named individual either at home or at work without first obtaining their explicit consent.
Quite simply it will mean the end of targeted direct marketing in the UK.
These proposals are probably well intentioned. It is likely that tougher data protection laws would protect vulnerable and elderly people from unscrupulous companies. But the proposals make no distinction between a company phoning an 84-year-old widow in her home and a company writing to the marketing director of British Gas at the company’s head office.
How can we stop this happening?
The best course of action is to write to our MEPs. Before becoming law the new data protection proposals have to be approved by the European Parliament. Each region of the UK has several MEPs. The contact details of these MEPs can be seen here: http://www.europarl.org.uk/view/en/your_MEPs/List-MEPs-by-region.html
All that’s needed is a brief letter or email to each of the MEPs that represents your region describing what your company does, how many people it employs and the impact this legislation would have upon you.
What we think
Electric Marketing’s view is that the proposals should make a distinction between business-to-business marketing and consumer marketing. We believe that the current opt-out system works perfectly well for the business-to-business arena and that a switch to an opt-in regime would severely limit the ability of small companies to promote their goods and services to larger businesses. It is anti-competitive and would lead to the failure of many potentially successful start-up businesses.
Whatever your view NOW is the time to make it known by writing to your MEP.
More details of the EU’s proposals can be seen on the Direct Marketing Association’s website: http://dma.org.uk/eu-data-protection/the-proposals-at-a-glance
If you’d like to contact me about this please send an email to email@example.com
Electric Marketing Ltd