GDPR is European legislation that came into effect in May 2018. If you hold data on any person (including business-to-business contacts), you need to know about the rules governing the collection and use of personal data. This is important if your company holds personal data or if you use 3rd party data. It is imperative that you only use lists from a reputable source that makes sure every record is opted-in and compliant with ALL countries' regulations.
For clarity, I want to stress that even if your business operates outside of the EU, the legislation is still enforceable. Penalties for failing to adhere to the rules can be as high as 20 million pounds or 4% of annual turnover, whichever is greater.
What you need to know about GDPR
In this article we aim to cover the key areas of the rules. This is intended to provide an overview of GDPR and does not constitute legal advice. I would urge you to undertake further research into GDPR for B2B marketers and what it means for your business.
Be Clear about How B2B Data is Used
When a person supplies you with their information are you crystal clear on how their data will be used? For example, if a new customer buys a product from your website are they automatically added to your mailing / email list? Did the individual have the opportunity to choose whether they would like to receive more information from your company?
Under the GDPR rules, the way in which you use a person's data must be clear and the person should have the choice as to whether their data is used in this way. This is important for your company's in-house promotions or if you let 3rd parties rent your list.
In the above example, the customer needs to give explicit consent to join the mailing list, i.e. an empty checkbox which the customer ticks on an order form.
Using B2B Data Only for its Intended Purpose
This scenario might sound familiar: a new product is being launched and your team wants to ensure that everyone knows about it. So, they gather together a mailing list made up of past customers, mailing list subscribers, suppliers, and a few other contacts provided by members of the team. This use of personal data would not comply with the new rules.
Data can only be used for the reason it was collected. If you store supplier information for the purpose of processing orders and sending payments, you can only use the data for that reason. You can't automatically 'opt in' suppliers to your marketing messages. You can however change your processes so that suppliers are asked if they would like to join your mailing list – if they agree, then add them.
Another example could be when you host a webinar and attendees sign up for that event. If your sign-up form doesn't explicitly request their consent to use their data in future marketing, then you cannot use it. It's important to note that you couldn't email them later and ask their permission either – the email itself would be outside the intended use of the data, so there are no second chances. Make sure you have systems in place to gain appropriate permission at the time of data collection.
When using 3rd party data you must make sure that the list owner is doing their due diligence to follow all the regulations, keeping their data as up-to-date as possible.
Restrict Data Collection
When you stop to consider the data held in your business you will be surprised by just how much information you hold. Data is often unnecessary, unused and at risk of abuse. You should have processes in place to ensure that only essential data is stored. If someone joins your email marketing list, do you need their full postal address? When a customer buys from you, do you collect their date of birth, or other information? Is this necessary? These are all questions you should be asking, making it easier to keep all the data that you do need GDPR compliant.
Keeping Data Secure
We all have a responsibility to keep information, especially sensitive information, secure. The GDPR goes a step further. If you hold someone's information – even just their name – you must ensure that it is protected from unauthorized use or abuse.
In practice, this means storing data securely, giving access only to authorized personnel as necessary and only keeping data for as long as it is necessary.
As a marketer, think about how, when, and why you share data. A good example of this is when you are preparing for a mail-shot: do you circulate a spreadsheet of names to your colleagues by email? Is the final version then sent to a printer or mailing fulfillment supplier? Think about the number of places that customer information is stored:
- Your computer network
- In several colleagues' email accounts
- Potentially colleagues' laptops – even home computers – where they've downloaded the list
- Mobile phones and tablets – as many of us access email in this way
- Cloud storage – such as Dropbox or Google Drive
- Your supplier's email, cloud storage, network.
Do you have a strict process for encrypting data of this type? Deleting all copies of files when the process is complete? Compliance checks with suppliers to ensure their processes are as thorough as yours?
No? Well you need to get on this fast – soon it will be your responsibility.
*** For this reason most reputable list sources will not release their data. You need to send them your marketing promotion piece for distribution. After the campaign is sent out the vendor will supply a tracking report.
Right to be Forgotten
Now that we have seen, in a simple example, where data can be stored, it's a good time to consider another element of the legislation: a person's right to be forgotten.
We have all tried to remove ourselves from mailing lists at some point, but the emails keep coming and the junk mail keeps piling up at the door. This part of the rules aims to tackle just that.
A person has the right to be completely removed from your systems if requested, unless there is a legitimate legal reason for retaining their data. A good example is someone requesting to be removed from your mailing list. You are obligated to do this. This is more than an opt-out request. You cannot simply put them on a 'do not mail' list; you MUST erase their data from your systems. This means they do not receive further correspondence from you and, more importantly, means their data is not on your system should it be compromised in the future.
This presents B2B companies with two key challenges:
1. Knowing where data is stored and who has access to it.
2. Ensuring there is an easy process in place for removing it.
Many companies are attempting to tackle this idea of unengaged customers. Find out HERE why HubSpot unsubscribed 250,000 people and began sending less email.
Where to Begin Looking at your B2B Data
A good place to start is auditing your current processes. Find out:
- What data you are holding
- Why you collect it – is it necessary?
- Where it is stored – is this secure?
- How long is it retained?
When you have that information at hand, it's time to look at your privacy policies and check that they are up to date.
Further Reading for B2B Marketing Professionals
This article provides an overview of key points for B2B marketers, but is in no way comprehensive. I would recommend familiarizing yourself with the legislation here.
The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. They provide checklists and guidance on how to approach GDPR; you can see more information on their website here. In summary, B2B companies need to be GDPR compliant.
Talk to a B2B Marketing Expert
If you’re concerned about the GDPR and your data, please feel free to contact me:
Donna Peterson at +1 860-210-8088 or email me directly at email@example.com.