This article is based on one published in Marketing Week on 14 February about GDPR.
We have taken aspects of it and added a few of our own observations because we thought it provided a very useful perspective that may help business-to-business (B2B) marketers when determining the legal basis on which you choose to justify your contact – ‘consent’ versus ‘legitimate interest.’
GDPR has become the new ‘millennium bug’ – it has got everyone in a frenzy, believing that they must re-obtain consent from everyone on their database.
The Marketing Week article suggests that “consent” may not always be the best legal basis for data processing; indeed, it goes so far as to say that “legitimate interests” should be the first choice.
We think this basis has some merit in the B2B world – after all, the primary aim of GDPR is to protect the security of individual data and to prevent spamming! So if you’ve previously been marketing to your database on a regular basis and keeping it up to date, surely legitimate interest prevails?
The 25 May deadline, the date when the General Data Protection Regulation comes into effect, is fast approaching. These are what I think our clients should be focusing on:
Have you done a data audit?
The first thing is to examine your data flow. This data audit is often a bit of an eye-opener because there are always third parties, legacy systems or bits of data whizzing around that not everybody knows about. Think website enquiries – when a lead comes in, it is often emailed to everyone who may be involved in the sales and quoting process – what happens to these emails once the contact has been added to your database?
Once this map is drawn out, companies need to decide which data processing activities they intend to carry out, and which legal basis they will use to justify them.
For most B2B marketing, there are two relevant legal bases specified by GDPR – consent and legitimate interests – and whichever you choose, you need to document and be able to justify your reasons for processing data on a customer-by-customer basis.
Basis for processing data: Consent or legitimate interest?
Everyone thinks about GDPR as being about consent and processing.
Consent may not always be the best legal basis for data processing. Legitimate interests should be the first choice, and only if you decide you can’t really use legitimate interests should you move to consent. Essentially, legitimate interest is a business’s right to carry out commercial activities such as direct marketing.
The decision of which legal basis to use is fundamental. Once you have made it, it is highly unlikely it can be changed, and if you have been using consent up until now, you are going to have to continue going down that route.
Indeed, Wetherspoons is reported to have deleted all their data and plans to start afresh by contacting subscribers to ‘opt back in’. I was watching the Man Utd v Chelsea game on TV and their pitch-side advertising was dedicated to getting fans to opt in again.
In our opinion, there could be a slightly less complicated playing field for B2B when compared to B2C marketing and this depends on the type of data you are storing and processing, and its security.
Personal data is likely to have ages, home address and other lifestyle or financial records, whereas B2B data is more related to their company – so if xyz company needs your products and there is an individual who acts as the main buyer, and is the person you have been communicating with – it would make sense that ‘legitimate interest’ is the most realistic option.
There are two key priorities in this area in B2B marketing: the consent on your website upon loading, and the consent on any forms, as well as those that people fill in in the real world, such as letters of engagement etc.
GDPR requires that the consent given for data processing – including for marketing purposes – be “freely given, specific, informed and unambiguous”. This means you will have to be more detailed in your explanations of what you plan to do with personal data, and that consent must be signalled by a clear, affirmative action rather than simply not opting out.
Ensuring these forms and data collection processes are compliant now – in advance of GDPR coming into force – will mean any new user data acquired in the next three months should be compliant with the regulation.
If your consent is of a good quality and a high standard such that what you have been collecting over time fulfils the requirements of GDPR – then that’s fine. You can pretty much continue doing what you are doing. If it doesn’t, you may have to go through a refresh process to bring that data up to the right standard.
If your recent data is compliant, you can then take a view on whether previously collected data has adequate permissions attached. If not, there could be value and justification in recontacting older customers to ask if they are willing for their data still to be used.
However, rather than contacting everyone in a database to request new consent, the article recommends deleting data that may be of unknown origin, such as third-party lists.
What are your ‘legitimate interests’?
The requirements of using this legal basis are that you have a relationship with the consumer, and that they would reasonably expect you to carry out the specific kinds of data processing you are employing. That doesn’t necessarily mean they’re a customer – they might just have made a website enquiry.
However, legitimate interests are not a “get out of jail free card.”
Businesses must perform a balancing test, weighing their rights with those of the consumer, and legitimate interests can be relied upon only if you haven’t already asked consumers for consent. The data processing also has to be necessary – in other words, you can’t achieve the same result in a less intrusive way.
How sensitive is your consumer profiling?
As with other kinds of processing, the data-driven automated profiling of individuals can be justified under one of the two legal bases above. Legitimate interests are the most likely basis, and for run-of-the-mill activities, such as segmentation, there should be few problems with GDPR compliance.
If you’re doing something straightforward like segmenting your file based on the consumer’s age, what they have bought in the past or where they live in the country, it’s fine because you can explain that very simply.
If you were doing something much more intrusive – such as linking with third parties and getting additional data about the income of the household or the car they drive – whilst you may have a very good reason for collecting that data, it might be more difficult to pass the balancing test to be able to do that under legitimate interests. If you’re doing particularly sensitive profiling, you might have to ask for consent.
Key to determining this is whether the automated profiling has any “significant or legal effect”, in GDPR’s wording. This might include personalised pricing, for example, or the denial of a particular service. In such instances, the consumer must give consent before they can be profiled.
Specificity also extends to privacy policies – particularly as these are likely to be the primary means of informing consumers what will happen to their data. But this area requires a delicate balancing act.
You have got to tell people everything, and you’ve got to make it really easy.
In the past, privacy policies were written for the benefit of the company – they were there to protect the business – but now they’re intended to inform the consumer. Of course, that means you have to take a completely different stance. The language has to be written for people to understand.
This principle of consumer empowerment underlies all of GDPR. Businesses that adapt and offer consumers real choice around their data stand a good chance of being seen favourably – both by consumers and the ICO.
There are few certainties yet about how the regulator will interpret GDPR, and we are sure the scaremongering about the size of fines that can be imposed will continue.
However, in our humble opinion, companies marketing B2B that take the proactive steps to ensure they gather data with GDPR compliance in mind and have strict policies to protect the security and use of data, and who can demonstrate their justifications for doing so, should avoid nasty surprises.
This article is our interpretation of the basic things B2B marketers need to address. It does not constitute advice. If you want advice on how to ensure full compliance, you should contact a GDPR specialist or a lawyer. The Information Commissioner’s Office’s guide to GDPR can be found here.