Brexit is still the accelerating vortex of uncertainty that it is, and the ambiguity surrounding the EU’s next legislative foray – the ePrivacy Regulation – could leave even the most stoic of marketers feeling a little uneasy. Add to this the fact that the ICO is beginning to bare its teeth, handing out fines worth hundreds of millions of pounds to businesses. Whilst large fines remain rare (so far); its highly likely that many businesses have fielded questions, complaints and now have ongoing issues regarding GDPR. Now a year on people are much more aware of GDPR and the need to manage the risks properly.
So it may come as a surprise to many, that in the B2B business list industry, some list owners don’t appear to have adapted their data collection and supply methods, which we think could leave marketers with real exposure. It’s never been more important to understand the regulations, and understand and conduct proper due diligence when sourcing any list for marketing.
So let’s have a look at the B2B data landscape, recap the basics, and examine some of the likely legislative outcomes, so you can stay compliant.
The Rules
Firstly, a quick recap of the prevailing law affecting marketing activity in the UK right now, which falls into two main categories;
- Privacy
The basis upon which an organisation may communicate with individuals – these regulations govern citizens’ right not to be disturbed or monitored. Currently the EU’s 2002 ePrivacy Directive (amended 2009) is the prevailing law. To comply with this, the UK government implemented The Privacy and Electronic Communications (EC Directive)
Regulations 2003 – more commonly known as PECR.
- Data Protection
The basis upon which an organisation may collect, store, and process a person’s data. Here, the EU’s GDPR applies directly as written.
For marketing, both pieces of legislation are pertinent. As it stands, PECR allows marketers to send marketing messages to business people, provided that they have consent, or are able to justify processing data on the basis of Legitimate Interest (as defined by the GDPR). In today’s privacy-first environment, unsolicited emails are becoming less prevalent, but they still play an important part of the marketing mix.
There are, of course, plenty of ways to build your B2B marketing database, including trade shows, working with your sales team, and asking for consent as part of telemarketing activity. Of course, you can licence lists from legitimate data services suppliers who maintain compliant repositories.
In all
cases, it’s essential that certain criteria are met, including;
- That the recipient would find messages relevant
- The recipient is given an easy way to opt out
- The cadence is reasonable
- The communication is lawful in the recipients’ EU member states own interpretation of the 2002 EU ePrivacy Directive.
Enforcement
As we’ve already mentioned, the UK ICO has handed out some hefty fines in the last few weeks, but it should be noted that none represent the maximum 4% of global turnover allowed by the GDPR. Industry commentators have long predicted that the ICO would focus on major organisations to make examples of – and few come bigger than the likes of British Airways or Marriott hotels, both of which suffered notable data breaches.
The ICO has certainly established itself as a credible regulatory body, but is seemingly not out to prove a point to all organisations. Other notable enforcement action it has taken has usually been to deal with negligence or deliberate breach of the law, and penalties have been much lower.
The organisation is seemingly well aware that a nudge in the right direction is often the best course of action, especially after its recent admission that its own website wasn’t complying with privacy regulations. To quote Franklin D. Roosevelt, “speak softly, and carry a big stick”.
ePrivacy Reform
Initially, the EU had hoped that a new ePrivacy Regulation (ePR) would be ready for implementation at the same time as GDPR, but the Council of the EU didn’t reach agreement in time for that to happen. Essentially, this is still the case. Most recently, the EU council met in June, and briefly discussed the ePR, but no significant progress was made – there are still many issues that’ll require clarification.
For B2B marketers, the standout revelation of the draft text was that it makes no distinction between B2B and B2C communications. Without clarification, this would likely outlaw “cold” contact – the process of gathering (or deducing) individuals’ contact information, before sending them unsolicited marketing messages. Such communication would require consent from the recipient, as is already the case in B2C marketing.
It’s important to note that the implementation of the GDPR has already brought about some changes to PECR, even though PECR itself hasn’t (yet) changed. This particularly concerns various definitions, most notably that of Consent. This new definition means that often, where consent had been gathered using (what would now be considered) non-compliant means, that data can no longer be processed for marketing purposes.
‘consent’ of the data subject means any freely given,
specific, informed and unambiguous indication of the data subject’s wishes by
which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her
Article 4 (11), GDPR
Timeline
The ePR was being progressed as part of the Romanian Presidency of the Council of the EU. In accordance with EU rules, that presidency came to an end in June, so the new president state is Finland. It isn’t clear how much of a priority ePrivacy is for Finland. Additionally, having recently selected a new president, the EU parliament is due to appoint a new European Commission – which doesn’t sit until November 2019.
The bottom line is that we don’t have a timeline. That said, at this point, it’s highly unlikely that the regulation (in whatever form it finally takes) will be adopted before at least 2021. Thereafter, there may also be an implementation period similar to the introduction of the GDPR, though where GDPR required wholesale reconsideration of Data Protection practices for all organisations, the ePR changes are likely to be easier to accommodate – so may phase in more quickly.
Brexit
An update to the UK’s 1998 data protection laws was always going to be essential, and GDPR does a pretty good job of reshaping how organisations approach personal data. Hardly surprising then, that the UK government has already committed to transposing the GDPR into UK law, come what may.
Whether the UK does leave the EU or not, it’s highly likely that our privacy laws will be equivalent, if not identical. This for a number of reasons, but primarily because of the fact that any UK organisations wishing to sell products or services in the EU would need to comply fully with the GDPR in order to do so. For future trade agreements, the EU, in relation to its own citizens, has the power to determine that a 3rd party country’s data laws have “Adequacy”, but such a determination would only be possible where UK law is deemed the same, or stronger than EU law.
So what now?
Don’t panic! In all likelihood, very little will change in the next few years. Thereafter, it’s certainly a significant risk that cold B2B email, and maybe more will no longer be possible. To mitigate this risk, we suggest adjusting your marketing strategy.
- Look for legitimate data partners who can offer B2B data that suits your business needs, and is demonstrably lawful. Don’t cut corners – be demanding when assessing their compliance, it really matters – you are liable for messages you send.
- Build out your inbound marketing capabilities – develop your content assets, build your social capabilities, ensure you’re gathering consent for ongoing contact.
- Consider your other outbound marketing options – direct mail, telemarketing, even marketing using non-personal data, there’s a whole world out there!
This article comes courtesy of Corpdata, innovator and leading provider of GDPR safe to use B2B marketing data.
