GDPR and PECR: The opportunity to be a loud voice in a quiet space
4 min read - by Richard Sapsed - COO
Before we start, I’d like to get something off my chest, I’m not a lawyer.
So, this blog should in no way be viewed as legal advice. I reveal more of my legal disclaimers in the ‘Legal bits’ section at the end of the blog.
Right, that should get my own legal team off my back… let’s now wade into the murky confusion of GDPR and PECR, and how it relates to B2B email marketing campaigns.
The perceived confusing muddle of GDPR and PECR has no doubt lined the pockets of quite a few consulting and legal firms… understandable though as everyone seemed really slow off the mark. Businesses took time to understand the implications and the ICO’s Direct Marketing guidance required a PhD to translate (well to me at least!). Add in the confusion of B2B vs. B2C, the vast grey areas in between, and differing appetites for risk. It’s not surprising marketeers and agencies are holding off on campaigns to focus on more ‘compliance free’ tactics.
But whilst some reports suggest that email volumes are down by half since the introduction of GDPR, click rates are up 30%.
So, how can you use this ‘quiet time’ to increase your pool of B2B targets?
Let’s start at the end… (subject to caveats, thanks legal).
You can email market to any “company” unless they’ve expressly opted-out. That’s my understanding.
But what questions do we need to ask to stay on the right side of legislation?
- Do you have lawful basis to process the personal data under GDPR in the first place;
- If yes, do the PECR consent to marketing requirements apply:
- If genuine B2B comms i.e. corporate email addresses – no consent necessary (but check for opt-outs!);
- If not B2B (including sole traders or partnerships) – express consent required
Do you have lawful basis to process the personal data under GDPR in the first place?
What “personal data” are we talking about?
The business email address itself (e.g. firstname.lastname@example.org) is personal data under GDPR. If you’re in the EU, he’s in the EU or one of the other criteria applies, GDPR will be applicable. Given the broad definition of “personal data” under GDPR, I have taught myself to always think about marketing activity as processing personal data (and forget any marketing connotations to it).
GDPR requires you to have a lawful basis for processing personal data, which in the case of a corporate email address means – do you have a lawful basis for having that corporate email address in the first place? In a B2B scenario, ‘legitimate interests’ (LI) may be enough to justify you processing ‘personal’ data.
If you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing’ (ICO).
As a B2B marketer, I’d start with a Legitimate Interest Assessment to see if LI is an appropriate lawful basis for processing. Then if needed, move on to the 5 other lawful bases for processing, consent being one of these.
If neither of these justify you holding the email address – well you’re in breach of GDPR and that’s not a good place to be. Do not pass go and question your marketing credentials…
Do the PECR consent to marketing requirements apply?
The PECR consent requirements apply (amongst other things) to email marketing to “individuals”. The current understanding is “individuals” does not include email addresses subscribed for by an incorporated entity (remember our Joe.Bloggs@MegaCorp.com). Simply put, for most B2B marketing you will use corporate email addresses so you just need to follow GDPR… but be especially wary of sole traders and some partnerships – they are treated as individuals so you’d better be sure to know your list!
So, the way forward…
Theory is, if you have a corporate email address that is not for an individual (e.g. Joe.Bloggs@MegaCorp.com), you have a GDPR-friendly reason for having it, and if they have not opted-out of marketing, you can email away to your heart’s content. Let’s face it though, that’s like going back to the good old days of fax marketing! So, my check list for a B2B email campaign is super simple;
- Do I have a lawful basis for processing this data, conduct an LIA (sample can be downloaded here)?-If not, consider other lawful bases (your legal team may be able to help you here)
- Am I certain that all email addresses on the list belong to an incorporated entity (this can be a company, limited liability partnership, a government body or Scottish Partnership), not “individuals” (remember, sole-traders and partnerships will be viewed as “individuals” under the eyes of PECR)?
- Have I run all email addresses against suppression lists to ensure recipients have not previously opted-out?
GDPR and related laws have certainly proved a challenge to the old-ways of marketeers, but the reality is a GDPR/PECR compliant marketing list, is a group of people with real interest and requirement for what your business has to offer. Generating far and away the best results. GDPR and PECR can be thanked for that!
And, if you want to hear it from the horse’s mouth, the ICO have a handy guidance note on business to business marketing
Before starting any campaigns, you should always check with your own legal advisers on the legality of your marketing. This blog is not a comprehensive overview of GDPR, PECR or the ICO’s guidance – and should not be used in place of legal advice and/or ICO (or any other binding) guidance. This area is also subject to changes (I’m looking at you ePrivacy Regulation) and I won’t necessarily be updating this article with updates to the law, so again, always check with your own legal advisers!