From 25th May 2018, the General Data Protection Regulation (GDPR) will be subject to enforcement by the UK Information Commissioner’s Office (ICO), and every organisation across Europe is affected.
In summary, the regulations centres on how ‘Personally Identifiable Information’ (PII) is captured, and how it is used. It provides a series of fundamental rights to the individuals whose data is held.
Misuse – or careless release – of PII is a crime, and the punishments are rising from a ceiling of £500,000 to either €20m or 4% of the preceding year’s turnover – whichever is higher. As the law firm, Irwin Mitchell, revealed in a survey of their clients, this would put 17% of firms out of business automatically.
A lot of businesses are buying their heads in the sand, either counting on Brexit negating the legislation, or on the ICO not enforcing the laws. Countering this, the government has announced that GDPR will be implemented ‘no matter the outcome of Brexit’, and given that the ICO has undergone continued expansion reaching 600 staff at the end of 2017, it’s fair to say that enforcement will be active.
In addition to GDPR, the EU will reform the Privacy & Electronic Communications Regulation (PECR) and hopes to have new legislation in place for May 2018 to coincide with GDPR. Draft legislation has been published and this seems to retain B2B marketing's opt-out regime.
According to the PECR review, existing customer ‘soft’ opt-in for email marketing will remain. That means that if you obtain a business or individual email address through your sales activities, you can use that email address for marketing purposes. The stipulations are that the marketing messages must be used for ‘similar products or services’ and have a clear opt-out (unsubscribe) option.
The Direct Marketing Association has offered the following guidance:
"When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same: opt-out. When emailing or texting, you do not need the prior consent/opt-in from the individual. You can, therefore, send them a marketing email/text as long as you provide an easy way to opt out of future communications from you”.
It’s clear, then, that all businesses must be alert to these legislative changes, but what of the specifics? Below, I’ve assembled ten key facts which demand attention.
The Ten Key Facts
1. For any B2B marketing communications, regardless of channel, the content must be about products and/or services that are relevant to the recipients’ job role.
2. If your marketing targets smaller SME’s, then be aware that partnerships and sole traders may be considered to be individuals. For these firms, you must ensure you have specific ‘opt-in’ consent to receiving your marketing communications.
3. It’s likely that your CRM database contains many personal ‘non-corporate’ email addresses, such as @gmail, @yahoo, @mac etc., and these now represent a commercial risk. As personal data, can you prove you have specific opt-in consent? If not, then you are advised to delete them.
4. You must maintain ‘opt-out’ lists. All outbound marketing must be verified against your managed opt-out list, and it’s for this reason that you must not delete entire records: you don’t want someone adding that person back into the database.
5. Presently, commercial email addresses, such as ‘firstname.lastname@example.org’, may be regarded as exempt even though the email address contains personally identifiable information. So, even though you don’t have a commercial relationship with the individual, the guidance is that you may still communicate to the individual in this manner.
6. Marketing teams need to plan ahead for changes: marketing to business individuals may be restricted by pending legislation. For this reason, a strategic approach includes securing opt-in’s now rather than later.
7. Train your staff to be careful as to what data they enter on your CRM. For example, an entry which reads, ‘Julie’s on maternity leave’, or ‘Paul’s PA said he’s off sick’, are indisputably records of PII, and it’s almost certain that you have no right to hold this data. Better to write ‘not available for x days, months’ etc.
8. The burden of proof for proving you gained consent is your duty: it’s not for the individual to prove they did not give consent. As the ICO has said, a tick box in an Excel spreadsheet or an entry in a database does not constitute proof of consent! Your proof must consist of a true copy of the form with a genuine date/time stamp with identifiable information (such as an IP address).
9. The regulations extend to any form marketing to individuals or businesses in the United Kingdom or across the E.U., so outsourcing to a low-cost country, or your international headquarters in, say, the USA, must also comply or be at risk.
10. Compliance is multi-faceted, and you have a legal obligation to conduct privacy awareness training to all staff who handle PII. This includes all staff engaged in marketing!
Apart from the many policies and procedures your organisation needs to prepare for GDPR, if you engage in any form of direct marketing, you are advised to create a formal policy document for each: B2B and B2C.
The policy itself isn’t the end, though. It needs scheduled review and refinement, as well as documented processes to ensure your compliance. Indeed, failure to comply with your own policy will open the door for censure or worse from the ICO.
External, specialist consultants are already in short supply. With the sudden realisation that the legislation is serious, business are advised to engage the resources required without delay.
About the Author
Humperdinck Jackman is a Records and Document Management specialist, and published author. He lectures on the application of technology in respect of regulatory compliance with the Data Protection Act and GDPR.
About Advanced UK
Advanced UK is celebrating its 26th year, and is a Xerox Platinum Partner: we are one of the UK’s and Europe’s largest and most experienced providers of office and production print solutions.
Our expertise extends across all aspects of the document lifecycle, from print production, through to records and document management, so as to encompass all data within the organisation.
Our team includes industry-leading experts in the fields of Data Protection and GDPR regulatory compliance, experienced in supporting small businesses through to international corporations.
Advanced UK is a trading name of:
Advanced Business Equipment Ltd
Tavistock House, 5 Rockingham Road
Uxbridge, Middlesex, UB8 2UB
T: 01895 811811 E: email@example.com