Have you ever wondered how GDPR affects marketing?
Take British Airways, for example; the company was fined $20m after a data breach.
It’s scary to think this could happen to your business if you don’t correctly protect and handle marketing data.
After all, the ICO is always watching 👀
If you work with B2B data, you must ensure you stay GDPR compliant.
But how?
Read on to find out everything you need to know about GDPR marketing 👇
Let’s start simple.
GDPR stands for General Data Protection Regulation.
GDPR, a European data privacy and protection law, sets standards for how businesses must collect, process, and store individual citizens’ personal data in the EU (European Union) and the EEA (European Economic Area).
The GDPR also sets out specific guidelines for transferring personal data outside of these areas, such as for US-based companies dealing with the data of EU-based customers.
This regulation sets guidelines for all customer-business interactions in marketing, sales, or support.
GDPR marketing sets general guidelines and requirements for marketers collecting, processing, and storing EU citizens’ personal information, such as names and email addresses.
While the GDPR addresses data protection for individual EU citizens, B2B marketing efforts are not exempt.
Yes, you might be selling to a company, but the people who work within that company (the ones your sales and marketing teams interact with) are individuals, and they have data-related rights that must be protected.
Here’s how GDPR compliance can specifically influence your B2B marketing practices:
To collect or process personal data (such as an email or job title) for direct marketing purposes, you must request explicit GDPR marketing consent, such as checking an opt-in box.
In some cases, B2B marketers can collect or process personal data without explicit consent if they can prove they have a legitimate interest.
As a B2B marketer, you must provide clear and transparent information about how you will use an individual’s personal data and the purposes for collecting it.
This information should be made available to the individual should they wish to read it, when they consent to have their data collected, or when they are notified that their data has been collected.
The individuals whose data you collect, store, and process have the right to access that data and to request that you delete it.
The GDPR requires that marketers only collect personal data relevant to the specific purposes stated and not retain it for longer than necessary.
Your company must implement appropriate security measures to protect its customers’ personal data from leaks, destruction, alteration, and unauthorised access.
Even if you purchase data from a third-party supplier, you are responsible for ensuring and confirming that the data complies with GDPR requirements.
Some B2B data providers like Cognism make this easy for prospects as the tool follows strict compliance guidelines for both GDPR and CCPA. These include:
All of these measures give customers the trust they need to market with confidence.
Remember:
Transparency, accountability, and respect for individuals’ privacy rights are key themes in your GDPR compliance marketing and will help you remain compliant.
One of the core rules of GDPR is to ensure individuals’ opt-in consent before capturing, storing, or processing their data.
The regulation defines consent as:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
It also provides some clear and helpful rules around marketing GDPR consent:
You can’t force someone to consent or back them into a corner, such as by requiring it as a condition of accessing your service.
You have to present the request for consent in a way that makes it obvious they are giving it. You can’t trick customers into providing valid consent.
You must tell them clearly what you’re using the data for and why you’re collecting it.
There must be no doubt that the customer has given consent.
The individual can take back their user consent at any time.
Legitimate interest is one of the most critical aspects of GDPR marketing.
Aside from consent, legitimate interest is the most common legal basis for customer communications you’ll use for B2B marketing.
It is also the most flexible of the conditions GDPR provides for legal data processing. Still, your organisation must prove that legal basis and thoroughly justify it in your documentation.
The overarching question to answer is this:
Do you have a legitimate reason for contacting this person that isn’t already covered by another legal basis, such as consent or legal obligation?
Yes, cold outreach can typically be justified as legitimate interest since you have a reasonable cause for contacting them: you have something to sell that could help them.
That said, you should verify that what you’re selling is a potential fit for the person you’re contacting.
For example, cold emailing a stay-at-home mom probably doesn’t count as a legitimate interest if you’re marketing an enterprise sales CRM.
You must also confirm that pursuing legitimate interest does not seriously impact the rights and freedoms of the individuals you’re contacting. Otherwise, you’ll need to find a different legal ground.
The general rules for B2B marketing should be followed when considering GDPR email marketing.
That means you can only use personal data if the individual has provided explicit consent or you have a basis for legitimate interest.
Most email marketing is going to fall under the banner of explicit consent.
For people on your mailing list to be on the list in the first place, you’ll have received affirmative consent through the opt-in mechanism when they subscribed.
For instance, your weekly newsletter and monthly product updates, sent to customers, should be covered by consent, provided you collect that consent in a manner compliant with GDPR.
SMS and email messages sent directly to prospects or customers, as well as telemarketing and physical mail, must also comply with GDPR.
These are all forms of GDPR direct marketing.
The same broad guidelines apply:
You need the customer’s consent to receive your communications or the ability to demonstrate a legitimate interest.
If you rely on consent as the legal basis for communication, it must be explicit and clear, and you must use an active opt-in consent mechanism (as opposed to pre-checked boxes or assumed consent).
Individuals also have the right to withdraw consent at any time, and you must give them a method for doing this, such as unsubscribing from emails.
If you are relying on legitimate interest, you must demonstrate that you have a reasonable and legitimate cause for contacting that person and provide them with a method for opting out of direct marketing communication.
Some additional requirements apply to both legal bases:
You must provide clear and easy-to-understand information about why you’re collecting customers’ data and how you’ll use it.
You should only collect the minimum amount of data needed to complete your stated purpose and keep it only for as long as necessary.
You are responsible for implementing appropriate data security measures to protect customers’ data from disclosure, alteration, or unauthorised access.
Like with email and direct marketing, running a social media marketing campaign also means considering GDPR.
The big thing with GDPR and social is running ads.
Most social media ads are designed to push traffic from the platform to your website. That means they’ll have to click:
It’s not necessarily a dealbreaker, but it takes three clicks to generate a lead, which is a lot of places for prospects to drop off.
The same applies to running retargeting ads. You’ll need to either receive valid consent to process that marketing data when the person is on your website or be able to rely on legitimate interest.
Beyond that, the principles discussed above for GDPR marketing emails and direct marketing can be applied to B2B marketing on social media.
Performing an audit to confirm you’re 100% GDPR compliant is always a smart idea.
It’s better to find out for yourself that you’ve got to tighten things up than for the ICO to come knocking on your door!
Here’s a quick GDPR marketing checklist to make sure you’re compliant:
Or you can choose a B2B data provider that’s compliant by default. Here’s what you don’t need to worry about with Cognism:
The contents of this article are for the purposes of general awareness only. They do not constitute legal or professional advice. The content may have changed since this article was published. Readers should take appropriate professional advice for their own particular circumstances.