I’m aware from the GDPR training that I’ve been doing that people are being subject to misrepresentation when it comes to marketing to other businesses (as opposed to consumers).
You may be aware that there are a number of potential pathways through the legislation only one of which is consent, so if I give you my business card with my email address on it I am giving consent for you to send me something, and I’m giving you my consent to you doing that.
Another pathway is the legitimate interests of the organisation, and direct marketing is a potential legitimate interest of a business or organisation selling a service or a product that is potentially of interest to my business, thus you are still entitled to tell me and send the advert for your product or service, a promotion or an event that you might wish me to attend to come and view your products. This means you have a legitimate purpose for processing my personal data (my business email address).
As well as having that legitimate interest you also have to pass the necessity test. Is the processing necessary for that purpose? Is there a less intrusive means of achieving the same aim? For example, If this was advertising an insurance product it would make sense to only market that insurance product to those within an organisation responsible for making decisions about insurance or the Board of Directors. It would not be proportionate for to be sending emails about insurance to a large selection of employees in a scatter gun way.
The third test is whether or not the legitimate interest is overwritten by an individual’s interest rights or freedoms, otherwise known as the balancing test. This is about balancing rights to market against others interests, so we would want to make sure we’ve got safeguards in place to mitigate the negative impacts of what we might do. In particular, we might draw people’s attention to an unsubscribe button so if they no longer wish to receive such marketing from us they don’t have to.
It is particularly important to note that marketing in this way where the processing of data is not required by law but is of clear benefit to the organisation involved, with limited privacy impact on an individual where a work-related email address is being used is allowed. Individuals can reasonably expect their data to be used in that way, particularly if they’ve ordered product or services from you before and you probably don’t want to give the individual the full upfront control by using consent as the pathway through the legislation, or to bother them with disruptive consent requests when they’re unlikely to object to the processing.
Currently we are subject to the Privacy and Electronic Communications (EC Directive) Regulations 2003 that govern any marketing by electronic means including texts, emails, calls and faxes but it has been amended four times so is likely to continue to be regularly altered. Generally, you need somebody’s consent to be receiving marketing messages, such as they’ve ticked a box, clicked on an icon, sent you an email or subscribed to a service in circumstances where they fully understand that they are giving you that consent. You should therefore be keeping records of what people have consented to and remember that somebody can withdraw their consent at any time. Marketing from a business to business perspective is less constrained than it is to individuals. You’re still expected to get peoples opt in and only use bought in lists where you’ve got proof of opt in and use the lists for marketing purposes, deleting any excessive information that you have, so that if there are any inaccuracies or complaints, you can inform people where we got their details from and can provide them with privacy notices and make it very clear to them how they can avoid receiving further marketing activities. This means that any of those emails that you get that do not have an unsubscribe button on them are currently illegal so feel free to quote this at them!
You also need to be very careful about calls that you are making, reviewing your own ‘do not call’ lists if people have asked us not to call them and screening all activity against such lists and giving our number to the person we’re calling. You shouldn’t be recording calls unless you have explicit consent and need to screen against the preference service and corporate telephone preference service to check that anybody that we’re phoning hasn’t registered with those to say they do not wish to receive such marketing. When outsourcing any marketing activities to third parties you’re going to need to have in place assurances that the parties are following all of these rules and for example, will indemnify you if there is any breach.
With regards to compiling your own in-house marketing lists and recording information for example in a CRM system, you can’t assume that everyone is happy to receive marketing just because they’ve provided their contact details. We should make it clear upfront to people that we intend to use their details in this way, for example in our terms and conditions, on our website and at sensible junctures when we’re communicating with our customer base. If we intend to share information within a group of companies again you need to make that really clear to people that that is what you are doing.
We talk about people in terms of them having opted in in a ‘soft’ way: this is how we might think of an existing customer – they’ve bought something from us already, gave us their details, didn’t opt out of any marketing messages so they’re probably happy to receive further marketing even if they haven’t specifically consented. If we do communicate with them again we still need to give them a clear chance to opt out in any message that we send. This isn’t going to apply to prospective customers where we are going to need to do more to obtain their consent, where can’t rely on legitimate interests.
You probably want to look through the Information Commissioners Office guidance on legitimate interests to make a legitimate interest assessment, a type of risk assessment to at least ask yourself the sorts of questions I’ve been talking about here, and also you want to make your mailing list more granular so that your marketing is targeted. if you were running a training event you may wish to market this to the learning and development staff, and at an event relating to technology updates might be applicable only to those in the IT department.
You do have to be careful – you can’t just use legitimate interests as a blanket catch-all, you need to ask yourself the right questions and identify that there is a relevant and appropriate relationship between you and your customer or potential customer. For example, can you identify that you have informed your customers that you communicate back to them from time-to-time about new products or services, perhaps in the information you have given them when they originally entered into a contract with you?
You might be more cautious about something like buying in a database of potential customers from one of those companies that sells databases. I wouldn’t want to buy such a database that was not constructed on the basis of people who have positively opted-in to marketing. This sort of database would probably be much more expensive to purchase. This is already the case under relevant e-marketing regulations.
For further support and assistance in relation to anything to do with the GDPR email us at email@example.com.