I have come across a number of articles claiming that B2B communications do not fall under the scope of the EU General Data Protection Regulation and it will simply be business as usual come 25 May 2018. I believe this is a mistaken view and B2B marketers need to adapt and change to be compliant in the rapidly changing privacy landscape we face.
The key here is the definition of personal data under the GDPR. If a business email address is personal data it will fall under the scope of the Regulation. Article 4.1 of the GDPR states:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
There is no debate that a personal email address, such as email@example.com constitutes personal data, so why would john.smit@CompanyX.com be any different?
Simply because my email address relates to me at work does not mean I am no longer a data subject and I am identifiable from it, in just the same way as I would be identifiable from my personal email address.
If an organisation is relying on Consent as the lawful basis for processing personal data, even when it comes to business email addresses, it will need to comply with the definition of Consent, as per Article 8.11 which says Consent means:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
In the Information Commissioner's Office's draft Guidance on Consent it clearly states, "Consent requires a positive opt-in."
It is however not all doom and gloom, Consent with an opt-in is not necessarily the only way and prospecting is not dead and buried. The ICO has been keen to stress Consent is only one of six legal grounds for processing personal data under the GDPR. In the draft Consent Guidance, it says:
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
The other lawful bases are; contract, legal obligation, vital interests, public task and last but not legitimate interests. Legitimate Interests may well prove most appropriate for some B2B activities.
You can consider the use of Legitimate where another lawful basis is not available due to the nature and/or scope of the proposed activities, or where there are a number of lawful bases that could be used but Legitimate Interests is the most appropriate. I would stress this should not be seen as a simpler route to take than Consent. It is crucial that organisations give this careful consideration and ensure they have balanced their own interests with the privacy rights and freedoms of individuals. It is advisable to document any assessment and decision taken, to clearly demonstrate why the organisation considers Legitimate Interests to be appropriate in any given scenario. The use of Legitimate Interests must also be transparent, i.e. individuals must be clearly informed that you are relying on this lawful basis and they must have a clear opportunity to object to such processing.
Another point to consider is the proposed new ePrivacy Regulation governing electronic regulations. The new Regulation is due to replace the 2002 ePrivacy Directive (amended 2009). This Directive gave us the Privacy and Electronic Communications Regulations (PECR) in the UK. PECR clearly distinguishes between marketing to people within companies and marketing to individuals; the rules for the former are more relaxed and allow for an opt-out.
It had been hoped we would have a final text of the ePrivacy Regulation soon, but it is still being debated and has yet to be agreed. However, as it currently stands, no clear distinction has been provided in draft texts between B2B and B2C communications. The same level of protection may therefore stand for both. There is a hope (which may be fading) that member states will be able to make provision for this under national law. However, even if this exemption holds, named corporate B2B data is still personal data, and would therefore have to be processed in line with the GDPR. It will remain a choice between using consent or legitimate interests for sending electronic B2B communications.
The aim was for the ePrivacy Regulation to be implemented in line with the GDPR on 25 May, but this is increasingly unlikely, so it is expected PECR will run alongside the GDPR in the interim.
If you would like to learn more about GDPR and understand how it might affect your business, the IDM offers a full portfolio of GDPR courses and qualifications, ranging from foundation level to expert level.