GDPR is a legal regulation to protect the data of European Union (EU) individuals. However, it has global implications for all businesses – whether EU-based or not. Wondering how GDPR affects B2B marketing? We offer a quick overview of what you need to know about data protection regulations to protect your business and your customers.
What is GDPR?
GDPR is a data protection regulation that came into effect on May 25th 2018. It sets out rules for how businesses can use customer data, such as:
- Phone number
- IP address
GDPR replaces the Data Protection Directive from 1995, which had not been updated to reflect developments in technology and business practices since then. Although GDPR is intended to safeguard the personal data of EU citizens, it still applies to those companies that are based outside of the EU.
What does GDPR mean in marketing?
While most of the changes outlined by GDPR will affect companies with an online presence – like e-commerce stores or digital services providers – the regulations also apply to businesses that have no internet presence. In this case, the customer data may be collected in person and processed for marketing purposes, such as receiving emails or advertising.
The way marketers use personal data has become more restricted under GDPR. Personal data must only be used for specific reasons (for example, contacting someone about a product they purchased).
As such, marketers need to be careful with how they plan campaigns, for instance by only using people’s information to contact them with marketing emails, SMS or direct mail where they have given express consent to receive advertising communications, whether that is for use by the business itself or by a third party.
Why is GDPR important for B2B marketing?
We can’t stress this enough: Complying with GDPR regulations is of VITAL importance. Why?
If you’re found to be breaching the law then you could be fined up to 4% of your annual global turnover or €20 million – whichever is greater.
That could put you out of business and ruin your reputation.
Even without the threat of a crippling financial fine, as a marketer, it makes no sense to be advertising to customers who aren’t interested in your products or services.
Keeping a clean and up to date record of your customers is the best way to refine your marketing, keep your customers happy and see a greater return on investment.
Does GDPR distinguish between B2B and B2C companies?
Yes and no. Remember, the chief aim of GDPR is to protect ANY data that could identify an individual. Therefore, you must always ask yourself, ‘is your B2B data personal data?’
If it is generic contact details for a corporate body, you are free to use them in your email or direct marketing. But if the contact details are for an individual at an organisation, you’ll need to ensure you are acting with compliance.
As the Information Commissioner’s Office states:
“The UK GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the UK GDPR will apply – even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (eg firstname.lastname@example.org), the UK GDPR will apply.”
However, B2C companies are generally subject to more restrictions than B2B organisations. This is because under GDPR, a company needs to collect consent from an individual for the use of their personal data by that business or any third party it shares that information with. And with B2C businesses targeting end consumers as opposed to other businesses (B2B), this is likely going to cover almost all of their data.
It’s important to know where the line is drawn on what classes as personal data. If you’re marketing your services to a sole trader or partnership, this classes as personal data and you will need their active consent (or they will need to have bought from you in the past and not opted out when given the opportunity).
The importance of consent
There are 6 lawful bases that apply in GDPR. Consent is the most important and applicable to B2B marketing.
If you intend to market to a B2B customer in your sales funnel, it’s important that your customer has actively consented to you using their data at all stages of them handing it over. This can include:
- Signing up to your email newsletter
- Registering an account and agreeing to communications
- Making a purchase
- Entering a promotion that agrees to communications
- Submitting an application or bid
- Responding to an advert or direct mail for further information
- Lodging a customer service enquiry
According to the ICO, consent needs to be “positive action to opt in”. This means you can’t ask people to opt out because if they miss this step you will be forcing their consent.
The other lawful basis you may be able to use is on the grounds of “legitimate interests”, which the ICO defines as “most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
However, this can be a fine line as using “legitimate interests” as your basis may make it harder to prove compliance.
What’s more, if someone asks you to stop contacting them you MUST comply and remove their details from your database, or if records need to be retained, they must be added to a ‘do not contact’ database.
GDPR marketing consent examples
There are various ways to get and maintain consent from an individual you have on your B2B marketing database:
1. Positive opt-in
Have them opt in to a service, choosing what data is collected about them – this includes email address, name, age, gender etc. This can take the form of, for example, a pop-up box on your website that asks whether they would like to sign up for updates via email (or any other means); this way there are no pre-populated fields.
2. Make it easy to opt-out
This means including the opportunity to opt-out of all marketing emails or SMS they receive. This could be by providing a link in each email or an unsubscribe button at the top or bottom of each message, for example.
3. Make your data policy clear
Provide clear and concise information about what data is being collected on your website or any registration or communication materials and promotions, and how you intend to use it. This should include giving an option for them to refuse permission. Most businesses do this with a dedicated data protection policy page and a GDPR-compliant cookie banner which is a legal requirement.
4. Link to your policies at every stage of data gathering
Prominently display a link that says something to the effect of, “Learn more about our privacy and data protection practices”. It should be featured on every website page, contact form or other marketing material where data can be handed over.
How to store personal data
Once you have begun collecting customer data, even just a first name and email address, you need to make sure you are protecting it. Again, this is a legal requirement.
Individuals need to be informed of why you are keeping or using their personal data, your “lawful basis” for using it, how long you will keep their data, and who will have access to it.
You should aim to store data for the shortest amount of time necessary and if an individual requests access to the data you hold about them you must share it. You must also inform customers if their data has potentially been breached.
The way you store your data should also be stringently secure. Databases should be password protected, encrypted and only accessible to those who need them. Any physical backups should be stored in a locked or password-protected cabinet. You should also think about other measures to ensure any personal data you hold is protected, including online and physical security systems such as regularly updated software, firewalls and security camera systems.
It’s not just business owners who need to be concerned about GDPR. Every single member of staff, whether they’re involved in marketing or not, needs to know how the regulations work and should follow them when they are using customer data for any purpose, so training is key.
If you use data companies to provide your leads, rather than gathering them yourself, you will need to be especially discerning and carry out due diligence to ensure they comply. The last thing you want to do is approach a contact who has not given their permission to be contacted.
Keeping your data up to date is important too, so consider contacting your database periodically to ask them to provide consent if they are still happy to receive your communications, or if their details have changed. Data cleaning will keep you compliant and ensure your marketing budget is being spent in the most lucrative areas.
Can you still do B2B email marketing and direct marketing under GDPR?
Even though GDPR looks restrictive, so long as you gather, store and use your data lawfully, you can continue to undertake B2B email marketing and direct marketing. You will just need to make sure that you are only contacting those individuals who have requested to be contacted and that on all of your communications you include the option to opt out.
The ICO has a comprehensive guide to all things B2B marketing and GDPR, including different types of activity, from marketing emails and SMS to calls and faxes. It also covers organisations you may be approaching (whether corporate bodies, sole traders or not-for-profits). Take a look to ensure you know where you stand.
This post is intended to be an overview of how important GDPR is to not just B2B marketing but marketers in all sectors. Whether you’re a new company starting out or an existing one looking to better understand its role in protecting its customer base, ensure you and your staff know the rules surrounding data protection and you’ll not only have fewer legal concerns but a more reliable and satisfied customer base.