We get asked lots of questions about how to ensure that our sales and marketing efforts are compliant with the data protection regulations.
It would seem sensible to answer some of these in a series of top tips articles.
First up, for no reason other than that there appears to be some degree of uncertainty surrounding it, is how to ensure that we comply with Article 14. This is all about the information we need to provide when personal data have not been obtained from the data subject. Remember that B2B contact data will include personal data as defined by the GDPR.
This applies when we are sourcing: third-party lists, irrespective of their stated compliance with GDPR or otherwise; LinkedIn data; Zoominfo data; and our own research into prospects’ data in the public domain.
We will focus on GDPR and the Data Protection Act 2018 here but you must also consider the PECR (Privacy and Electronic Communications Regulations) before commencing any marketing communications activity.
Our top five tips are:
If you are sourcing personal data indirectly, e.g. from LinkedIn, Zoominfo, bought-in mailing lists or your own research of data in the public domain, and you store this for prospecting purposes (you are processing the data by doing this), you must:
- Determine your lawful basis for processing. For most of us, this is likely to be Legitimate Interests. You will need to complete a Legitimate Interests Assessment, if so.
- Establish which data could be deemed to be personal data. Which data could enable a person to be ‘identified, directly or indirectly’?
- Assuming that you will be using data that could enable this, provide the individual concerned with the following:
  - The identity and contact details of the controller (i.e. your organisation)
  - Contact details for your Data Protection Officer, if you have one
  - Purposes of processing (for example, communicating with business prospects) and the lawful basis you have chosen, e.g. legitimate interests
  - The source(s) of the data
  - The categories of personal data concerned
  - Recipients or categories of recipients of the data, if any. If you are sharing this data with others, who are they?
  - Transfers to a third country, and reference to appropriate or suitable safeguards. This is becoming increasingly topical. Find out where data will be held by any processors such as email marketing providers. Is this in the EEA? If not, are there adequacy provisions in place for the country concerned?
  - How long you will hold the data or the criteria used to determine that period
  - Individual rights, including: the ability to stop processing; the ability to withdraw consent; and the right to lodge a complaint with a Supervisory Authority
  - Existence of any automated decision-making, including profiling
- The information can be provided in short explanatory text at the footer of an email, with a link to a Privacy Notice where full details are given. Providing an easy link to object to processing (opt out/unsubscribe) is good practice.
- When do you need to provide this information?
  - within a reasonable period after obtaining the personal data, but at the latest within one month;
  - if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication; or
  - if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
The keyword for B2B marketers is TRANSPARENCY. Are you making it crystal clear to the prospect exactly what you are doing with their data and why?
Make sure that you document all of this too. Keep a record of the Legitimate Interests Assessment, the wording you use in explanation and the Privacy Notice to demonstrate compliance.
For more help on B2B marketing within the GDPR, Data Protection Act and PECR, contact us today.