The EU recently introduced sweeping new rules regarding online privacy and data collection. Any business operating in the EU, as well as any business that has an online presence in the EU, will have to comply with the General Data Protection Regulation (GDPR) as of May 25th, 2018.
The goal of the GDPR is to give EU citizens more control over how their data is collected and used. The GDPR has several parts that speak directly to marketing activity, and there are specific consequences of the regulations for B2B marketing.
To help you prepare for compliance, here’s what you need to know about the GDPR as a B2B marketer:
Managing Opt-Ins, Consent and Customer Data Preferences
Under the GDPR, web users now have to give explicit, unambiguous consent to receive marketing materials such as email solicitations. This means providing an email address to download a whitepaper does not constitute consent to receive marketing materials. No longer can marketers leave a box pre-checked when a user fills out a form – the user has to check the box themselves to explicitly state that they consent and are opting in to receive marketing communications.
Further, web users have a right to be forgotten and a right to access any of their personal data that’s been collected. This means companies must set up some form of automated system, or preference center, for web users to view and request changes or erasure of their personal data.
Legitimate Interest and Recital 47
One of the most talked-about parts of the GDPR is Recital 47 regarding legitimate interest. Recital 47 says, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Many marketers have understood this as justification for direct marketing without consent, but this isn’t the case. Article 6(1) outlines when legitimate interest applies to direct marketing. Essentially, if you don’t have a user’s explicit consent, you can only send direct marketing material if its purpose is to fulfill a contract, to protect the vital interests of the web user, or if it is carried out in the interest of the public. In most cases, gaining consent will take priority over legitimate interest.
Collecting and Using Business Cards
When someone hands you a business card at a trade show or other event, this is no longer considered explicit consent to receive marketing communications. This has been a controversial part of the GDPR, as someone who gives out a business card is expecting to be contacted. While it’s impossible to say how the Data Protection Authorities (DPAs) will enforce this part of the ruling, as it stands, giving out a business card does not constitute proper consent. This applies to existing business cards too – you will need to obtain explicit consent to send marketing materials to existing contacts.
Expanding Definition of “Personal Data”
The boundaries of what qualifies as personal data are expanding. Of course, email addresses, names, phone numbers and other contact information are all personal data. But now, IP addresses, cookies and any other type of device identification are also considered personal data. You will need explicit consent to collect this information. This rule coincides with the ePrivacy Directive, which is currently under review, but the GDPR makes it clear that the definition of personal data has expanded.
Cleaning Existing Contact Database
Marketers will have to pay very close attention to how their existing list of contacts was acquired. Any data collected in compliance with the GDPR can continue to be used for marketing purposes. If contacts were acquired in a non-compliant way, marketers can reach out before May 25th to establish a dialogue and attempt to gain explicit consent to receive marketing materials. For example, after the 25th, you won’t be able to email someone who became a contact by downloading a whitepaper. However, if you email this person prior to the 25th and they take explicit, unambiguous action to consent to receive marketing communications, then you may contact them after the 25th. Cleaning up your existing list of contacts will be a necessary step to remain in compliance with the GDPR.
Under the GDPR, a data controller is an organization that collects and processes personal data for uses such as direct marketing. LinkedIn is a data controller; however, once your organization obtains data from LinkedIn, such as contact information, your organization becomes the data controller. This means that explicit consent must be obtained to solicit people on LinkedIn. Many marketers and sales reps are getting around this by rapidly expanding their network of connections. LinkedIn allows members to message their connections, and in some instances 2nd-degree and 3rd-degree connections. Your organization may market to 1st-, 2nd- and 3rd-degree connections as allowed by LinkedIn. Otherwise, consent is needed.
The GDPR affects B2B marketing in many different ways. Every B2B marketing operation in the EU will have to adjust the way it collects and uses personal data and change its marketing strategy accordingly.
Whether you’re located in the EU or only have an online presence there, it’s important to look at the GDPR as a B2B marketer. Regardless of location, the GDPR will impact the way you conduct business. It’s important to prepare for compliance now before the GDPR goes into effect.