GDPR Six Months On: Business eMail Marketing Complies & Continues To Attract New Business For UK Corporates

The market for business mailing data and email marketing lists changed after May 2018. Marketing departments stepped back from buying cold email and mailing data for fear of tripping up over the new GDPR regulation.

But social media, blogs and vlogs do not pull in direct sales in quite the same way as email marketing. Marketing teams selling in to businesses are getting to know GDPR and looking beyond the scary headlines of last summer to discover that for b2b marketing, GDPR does not mean the end of great email marketing campaigns.

But there is a check list of key changes to run through before you hit send on an email marketing campaign to cold prospects.

1. As before, your business marketing email must contain an unsubscribe mechanism and if a prospect requests to be removed from your list, you must not email them again. Simply keep a file of the unsubscribed email addresses.

2. Emailing a bought in or cold email list means that you cannot contact sales prospects on the basis of consent for collecting and processing data: instead you must rely on the basis of legitimate interests. The Information Commissioner’s Office has issued guidelines which confirm that business-to-business direct marketing can be a legitimate interest. But a company must carry out a Legitimate Interests Assessment, make the Assessment available ie put it on your website and best practice dictates that you put a link to your assessment on your business marketing email. Or put a link to your company’s Privacy Policy which contains a link to your LIA: this is termed a ‘layered approach’ by the ICO. The layered approach means that you are not putting too many links into your marketing email and attracting the unwanted attention of email filters and blockers.

3. Your sales prospects have a Right To Be Informed that you hold their name on your mailing list. This can be incorporated into your statement at the end of your email which links to your Legitimate Interests Assessment or Privacy Policy. Electric Marketing’s sign off is currently

“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a need for business marketing data within your business. We have identified your email address as being an appropriate point of contact within your organisation. This represents legitimate interest in line with the ICO’s guidance. Our Privacy Notice is available here

And finally, if your company is still worried by those scary headlines that we all read earlier this year about career-ending fines for non-compliance with GDPR, read the Information Commissioner’s blog where she states that issuing fines has been and always will be a last resort. If you slip up and are found to be non-compliant, the ICO will advise you of the changes that you need to make, maybe they will take enforcement action to commit your organisation to comply with GDPR. The ICO has the serial and wilful abusers of data protection in its sights. Companies which can show that they have made efforts to comply with GDPR are unlikely to be hit with financial penalties. 

What Makes A B2B Mailing List GDPR Compliant?

Now that we are all getting used to GDPR, you have probably seen mailing lists advertised with the reassuring words “GDPR Compliant Data”. But what does it mean for b2b mailing list data to be GDPR compliant?

  1. The mailing list has to be current and up-to-date. The new General Data Protection Regulation does not define ‘current’. Electric Marketing is taking the view that our mailing lists, verified by telephone two or three times a year, qualify as being current.
  2. If the mailing list contains personal information, and names and company email addresses which contain a person’s name do count as personal information, every person on the list must be informed that they are on the mailing list and be informed of the extent of the information held by the data owner. This is not the same as consent, but a mailing list owner should contact the data subject and give them the opportunity to opt out. Unlike consumer marketing where consent is required, business-to-business marketing remains an opt-out regime.
  3. Data must have been collected lawfully ie data must not be stolen and must have been collected for the purpose it is being used for eg data subjects should not be told that their email address will be used for research purposes only to be sent sales and marketing emails.
  4. It may seem obvious but the mailing list company itself must comply with the GDPR and must be registered with the ICO (every registered company has an ID issued by the ICO). GDPR compliance for marketing data companies insists that data must be stored in a secure environment.  Staff must be trained in the obligations GDPR places upon the company. The mailing list company must have a Data Protection Policy (internal company document), a Privacy Policy and a Legitimate Interests Assessment in place. If you cannot see the privacy policy and the Legitimate Interests Statement on the mailing list company’s website, you can ask to see them.

So now you know what to expect of a reputable mailing list supplier. My next blog covers the steps that you, the user of bought-in b2b email lists, must take when running a GDPR compliant email marketing campaign.

How To End Your Business Marketing eMail in the Post-GDPR age

Have You Invested In an eMailing List which is GDPR Compliant?

Have you remembered to change your email sign offs and to put links to your privacy policy and legitimate interests assesment in your marketing emails?

After the deluge of permissioning emails around GDPR, many people are acutely aware of which emails they have signed up to receive and which requests for permission they denied or ignored.

This means that slack marketers can no longer rely on the short memory of a target by writing something like this:

“You are receiving this email as you have subscribed in the past to receive information about our events. If you wish to update your email preferences or unsubscribe, please click the link below”.

Yes this statement is doing the right thing by offering an unsubscribe but post-GDPR this sort of email sign off is increasingly being called out by targets.

A little white lie claiming that the prospect is receiving emails because they have ‘previously signed up’ or ‘enquired in the past’ when the marketer bought in an email list and the company has no previous relationship with the data subject does not enhance your campaign. In the post-GDPR age, very few people are falling for this anymore.

Transparency is one of the key principles of GDPR.  We suggest that you follow the ICO recommendations of adopting a ‘layered approach’ to giving data subjects information about privacy and legitimate interests. Somewhere on your marketing email, you should state the reason for contacting the company under the terms of legitimate interests and you should provide a link to your privacy policy, which in turn has a link to your legitimate interests assessment.

I have seen this at the bottom of a few emails this month:

“This email was sent to you as a corporate subscriber within the meaning of the Privacy and Electronic Communications Regulations 2003. Your personal data are protected under the General Data Protection Regulation and Data Protection Act 2018. If you would like to know how and why you have received this message, please visit our information page.”

(Unfortunately the information page link clicks through to something that is blocked by my office spamblock, but I’d like to think it is a link to a Privacy Policy and a Legitimate Interests Assessment.)

Electric Marketing is signing off its emails with this:

“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a need for business marketing data within your business. We have identified your email address as being an appropriate point of contact within your organisation. This represents legitimate interest in line with the ICO’s guidance. Our Privacy Notice is available here

Like the new regulation, our statement is a bit clunky but as we all get used to what GDPR means for business-to-business marketing, this will no doubt become shorter and snappier over time.

GDPR: Do I Need Consent To Send B2B Marketing eMails?

Before the introduction of GDPR in May 2018, many companies emailed everyone on their client and prospect databases with a polite request (with a helping of desperate pleading) for consent from the data subjects to receive marketing emails.  But with reported response rates at below 10% and with “consent fatigue” running high well before the deadline, any company which sent an email threatening that the recipient would ‘never hear from us again’ is now looking at a much diminished marketing database.

But businesses marketing to other businesses do not have to rely on consent as a lawful basis to process personal data (ie use email addresses for marketing) . B2B marketers can use an alternative basis to process personal data; legitimate interests.

You can send business-to-business marketing emails on the basis that you have a Legitimate Interest in doing so. Before using Legitimate Interests as a reason for data processing and email marketing, you will need to carry out a Legitimate Interests Assessment.

LIA is a three part test assessing the purpose and necessity of your use of personal data and a test balancing your interest against the interests, rights and freedoms of the person whose data you are processing. After you have documented your LIA, you must then update your Privacy Policy to show that you are relying on Legitimate Interests as a basis for processing personal data.

Your third responsibility is to communicate that you are using Legitimate Interests to the data subject. We believe that this can be done by putting a statement at the end of every marketing email that you send stating something along the lines of

“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a need for business-to-business marketing data within your business. From our research, or from information that you have provided, we have identified your email address as being an appropriate point of contact within your organisation. This represents legitimate interest in line with the ICO’s guidance.”

You can read the ICO’s guidance on Legitimate Interests.

All B2B marketers who are using bought-in email lists in eMarketing campaigns must carry out and document their Legitimate Interests Assessment.

Any mailing list or email list that you have bought from a mailing list company can only be used on the basis of Legitimate Interests after 25 May 2018. Consent is now only valid if the company using the data was mentioned at the time of data collection. Unless your mailing list was researched on your behalf and your company name was mentioned to the data subject, consent (or third-party opt-in) is not valid under the terms of GDPR.



This blog was first published on 17th May 2018 (pre-GDPR) and was updated on 14th August 2018.

GDPR: Getting Your Mailing Lists Up-To-Date To Comply With GDPR

There has been a fair bit of scaremongering (and some unseemly profiteering on the back of scaremongering) surrounding GDPR.

If you are looking at files of old email addresses and wondering if you can continue to send business marketing emails, Electric Marketing’s data cleansing services can help you tidy up your b2b mailing lists and remove the records that are incorrect.

If you are unlucky enough to come to the attention of the ICO, the fact that you have taken steps to comply with the regulation that data must be up-to-date will stand you in good stead. The new regulation is clear that companies which fall foul of the new rules will be given guidance to put things right.

What the regulation does not specify is how up-to-date must your b2b data be? It does not define a time-frame for ‘up-to-date’. Given that data on large companies decays at a rate of 50% in each 12 months, Electric Marketing is working on the assumption that data that is more than a year old probably falls into the not up-to-date category. Our tests show that half of the records sold 12 months ago will now be incorrect in some way, be it a new postcode, changed phone number, new email address or change of person’s name or job title.

But the client who called Electric Marketing wondering if the data he bought in 2012 is ‘GDPR compliant’, the answer was a firm no, as you need to update it. However if you have kept your data up-to-date by calling the companies or verifying the data in some way, then yes you can still use your pre-2018 mailing lists. But you must comply with the new rules and use the mailing lists on the basis of legitimate interests.

If you have not kept your data files up-to-date consider using a data suppression file such as Electric Marketing’s Leavers Database to get rid of the egregious errors. It will be tricky to convince the ICO that your data is up-to-date if it includes defunct companies such as Monarch Airlines, Allied Domecq or Consignia. Or old London phone numbers beginning 0171.

If your data update process extends to suppressing the unsubscribes and removing the emails which bounce back, be aware that some servers do not automatically reject email addresses that are no longer valid. Your emails may be being forwarded and read by the replacement managing director. On the other hand they may be sitting unread on the target company’s email server, ready for an officious DPO to report you to the ICO for sending promotional emails to an email address that has been out of use for 2 years.

I feel I may have drifted into scaremongering myself there. But the new General Data Protection Regulation is insistent that data is current and it is a risk to store and use marketing data that has not been maintained.



This is blog was published on 15th May (pre-GDPR) and edited on 14th August 2018 (post GDPR).

How Can You Continue To Use Your Bought-In Mailing Lists After GDPR?

If you buy business mailing lists and email lists, you can be forgiven for thinking that you can no longer use them since the arrival of GDPR on 25th May 2018, when the new General Data Protection Regulation came into force. Much has been written decrying this Data Protection Regulation update as the end of cold email marketing.  And it does herald some big changes, most notably the tightening up of how people consent to their personal data being used. But this does not rule out cold b2b email marketing or using bought-in business mailing lists to generate sales.

Since 25th May, for consent to be used as a lawful basis to process data (ie send b2b marketing emails) a person must actively consent for their data to be processed and used and the name of the company using the data must be mentioned at the time consent is given.  This means that mailing list companies can no longer sell data that is “fully opted-in”. To opt in, people have to opt in directly with the company using the data. Unless your company name was mentioned when the person’s email address was collected, you can no longer rely on consent as a reason to process personal data.

But consent is not the only reason to process personal data. There are six lawful bases for processing data in the Data Protection legislation. You need to show compliance with one reason. The most useful for business-to-business direct marketers and email marketers is known as Legitimate Interests.

Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.

Latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:

“the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.”

Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.

We’ve put together a guide on the simple steps you need to take to use legitimate interests as your reason to continue processing data and to continue using bought-in mailing lists for your email marketing.

Principally you need to carry out a simple legitimate interests assessment and document this assessment. Then update your Privacy Policy to state that you are relying on Legitimate Interests as a lawful basis on which to process personal data. And finally communicate that you are using Legitimate Interests to the people whose data you are processing.

Electric Marketing’s guide details how to do the legitimate interests assessment. And as an example we’ve put our own Legitimate Interests Assessment on our website.

Legitimate Interests is not a new concept and in fact, Electric Marketing has never relied on consent as a basis for collecting and processing data. What is new is that GDPR requires us all to document how we are using data and to communicate this to users and data subjects. Which on balance, seems quite reasonable.

Get Me Off This Mailing List! The Insider’s Guide To Removing Yourself From Mailing Lists and eMail Lists.

Electric Marketing mailing lists are targeted, compiled mailing lists of 60,000 corporate influencers and budget holders. If you’re included in our mailing lists and you don’t want to be, we’ll remove you within hours. We won’t be pleased about it. We’ve selected you as a business person with senior responsibilities that other companies want to reach. And we only allow verified companies offering products and services pertinent to your role to access our data. But we will swiftly remove you from the mailing list.

We often get messages requesting removal from people who are not on our mailing lists and messages from corporate managers who do not believe that we have removed them from our mailing lists because they still receive business marketing emails. Here is our guide to the mailing list business and how, if you really don’t want to receive information that is pertinent to your job and industry, you can get yourself taken off mailing lists for good.

  1. Remove your email address from the internet. First type your email address into a search engine. You may find that your email address has been scraped from the web and added to a mailing list. Your email address may be on your company’s website as a senior manager or perhaps your email has been added to the end of a corporate press release or enquiry form; either way your email address is sitting on the web, ready to be picked up by web spiders or web crawlers. These are programs which trawl the internet, ‘scraping’ email addresses from web pages and adding them to mailing lists which are then sold at bargain basement prices. If you’ve ever received an offer of a mailing list of a million contacts for $99, this is the source of that data. No human has been involved in the compiling of that data, just the guy who wrote the sales pitch. It leads to a lot of untargeted emails coming from outside the UK and no amount of Data Protection Regulations can protect you from these data pirates.
  2. Go back to your favourite search engine and put in your name and company name “jane+doe”  “electric+marketing”. Are you listed in an online email directory such as RocketReach or
  3. Are you receiving somebody else’s emails?  Maybe you are still receiving all the emails forwarded from your predecessor’s inbox?  These emails will look as if they are addressed to you (but may begin with Hi Neville). Ask your IT department to set up an automated reply for that email address that says something like “Neville left Electric Marketing in 2015. Please contact the office on 020 7419 7999 and we’ll be pleased to help you with your enquiry”. Or you can go back to step one and start removing Neville’s email from the Internet which is the time-consuming smart thing to do if Neville still receives emails from clients and sales prospects.
  4. Do not tick the opt in boxes when you buy online. Do not add yourself to any more mailing lists. GDPR makes consumer mailing lists opt-in and forbids the box that adds you to the mailing lists of a company’s “selected partners” if you fail to tick it. But this not does apply to business-to-business marketing. There is still the box that opts you in to a business mailing list if you fail to tick it and opt yourself out.
  5. Stop accepting free stuff. When you sign up to receive a free industry magazine or email, part of the deal is often that you accept “marketing messages”. Selling email lists and advertisements on newsy industry updates pays for the writers and compilers of your free business information.
  6. When an unwanted email comes in, click through to the unsubscribe page and read the name of the list you are on. Sometimes it will give the name of the company which supplied the data. Search online for that data company and contact them directly so that they cannot pass your email address to any new email marketing customers. They are obliged by law to remove you within 28 days of your notifying them that you do not wish to be on their emailing list.
  7. Take yourself off LinkedIn.  LinkedIn charges for its InMail service and when you sign up you agree to receive those InMail messages. But if you have put your name, job title, company name and location on LinkedIn, it is easy for other business people to find your phone number and to call your company or send you an email. GDPR allows companies to email people at other companies providing the email is about a business matter.
  8. Or remain on LinkedIn but disguise yourself. Some people are describing their role and company in their LinkedIn headline eg Heading Up Marketing at Major High-Street Bank or eCommerce Specialist at Top Five UK Supermarket. Alternatively, use a different version of your name, Rob or Robert, Amanda or Mandy whichever your do not use in your email address.

If you are doing an important job in a significant UK company, other business people want to contact you. You may not want to hear from them, what they have to say may not interest you, but if you are in a senior role with budgetary responsibilities, accept that other business people will get in touch. And their right to contact you once by email is enshrined in the UK’s Privacy & Electronic Communications (EC Directive) Regulation 2003. The law is different in Ireland and most of the rest of Europe.

The UK is a marketing friendly business space.

Serious business people keep their minds open to new ideas, refresh their supplier base and take on new business practices. Pushing forward with new ideas, updating company business processes and being an early adopter of new technology are hallmarks of successful corporates and their senior teams. How can you find out about the latest trends and new technology if you don’t read pitches from potential suppliers?

Obviously some companies abuse this right, take hold of your email address and send you stuff three times a week.

Hit the unsubscribe button.

Show no mercy.

I’ve written about over-frequent emailers here.

Posted 10 August 2015
Updated 1 November 2018