In an increasingly digital age, data has become an invaluable asset. This will particularly resonate if your organisation partakes in business-to-business (B2B) marketing. As a B2B marketer, data protection laws still apply and, in turn, you must ensure that you handle and protect the data you collect with care and in compliance with the applicable legislation. Our previous blog covered the data protection considerations that you need to be aware of when undertaking B2C marketing.
Regardless of whether you market to other businesses (B2B), or private individuals (B2C), if your business operates in, or processes the personal data of individuals located within the UK, you must comply with the following regulations:
In this blog, we will be exploring the key data protection considerations that marketers must keep in mind before undertaking any B2B direct marketing activities.
B2B marketing is defined as sending direct marketing to another business, or business contact. Direct marketing has a broad definition and covers all types of advertising and marketing efforts such as emails, phone calls, post, and text messages that include the promotion of an organisation’s products, services, aims, and ideals.
The UK GDPR applies in the same way to any organisation if you are processing personal data for marketing purposes, regardless of whether you market to B2B or B2C audiences. However, the application of PECR will differ for B2B in comparison to B2C marketing.
The UK GDPR applies in regard to direct marketing efforts that involve processing personal data e.g. email addresses that can identify a singular person (joe.bloggs@company.com), a phone number directed to a specific individual, or an envelope with someone’s name and work address on it. UK GDPR will not apply if you utilise generic company email addresses (hello@company.com) or public phone numbers unconnected to an individual.
As such, you must meet the base GDPR requirements for holding and processing personal data. This includes ensuring that your use of personal data is lawful, fair, and transparent. In order to comply with this expectation, you will need to select one of the six lawful bases for processing personal data. The two lawful bases that will be most relevant in a B2B marketing context are consent and legitimate interests.
Consent
If you choose to rely on consent for your lawful basis, then it must be freely given, specific, informed, and require an unambiguous positive opt-in. This means that you must give your subscribers control over whether or not they choose to consent to receive direct marketing. You must also provide a clear and easy opportunity for your subscribers to withdraw consent and opt-out at any time.
Legitimate interest
If your organisation would like to rely on legitimate interest as your lawful basis, then you must conduct a Legitimate Interest Assessment (LIA) to determine whether or not you can use this basis. An LIA is broken down into three areas:
If you can successfully demonstrate that you can meet the first two steps in the assessment, with B2B marketing you may find it easier to be able to comply with the third stage of the assessment. This is because business contacts are more likely to expect the processing of their personal data in a business context and it is less likely to have a significant impact on them personally.
Whilst you can rely on consent in a B2B context, legitimate interest is far more common as it gives organisations more control over who they market to – you can go to your desired audience, as opposed to waiting for them to come to you and opt in. However, whether you rely on consent or legitimate interests, you must always provide recipients with a way to opt out of further marketing messages.
Regardless of the lawful basis that you choose, you will need to comply with other UK GDPR principles including transparency (including this processing in your privacy notice), data minimisation (only collecting the minimum amount of personal data you need to undertake the marketing), storage limitation (devising an appropriate retention period for your marketing data), and security (ensuring the tools you use for storing marketing data and sending messages have appropriate technical and organisational measures applied to keep the data secure).
An important note to remember is that PECR splits out marketing recipients (‘subscribers’) into two groups – corporate subscribers and individual subscribers.
The term ‘corporate subscriber’ refers to subscribers that are a corporate body with a separate legal status. This includes:
If you send out marketing messages to individuals’ work email addresses, and they work for a business that falls into one of the categories above, they would be considered a ‘corporate subscriber’ under PECR as their employer is considered the ‘subscriber’.
However, it is vital to understand that not all types of businesses are classed as corporate subscribers. Crucially, sole traders and other types of partnerships are classed as individual, rather than corporate, subscribers. This means that when marketing to this type of business, the B2C rules will apply (see our previous blog – you will most likely need consent). Things are, therefore, not so easy when marketing B2B and you must assess each business on a case-by-case basis.
Before we answer this question, we need to understand what is defined as ‘electronic mail’. Under PECR the definition states:
“any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service.”
In short, this covers emails, texts, picture or video messages, voicemails, and direct communication via social media.
We are going to focus on two positions when it comes to sending direct marketing to Business Contacts:
There is a general exemption within PECR that allows you to send direct marketing to Business Contacts without their consent, but you must give them the option to opt out in every email and you must then respect that opt out in future if the recipient chooses to unsubscribe.
This is the position taken in the UK under PECR.
In this case, you must have opt in consent to send marketing to an individual regardless of whether they are business or personal contacts. Consent means that the person has expressly asked you to send them marketing.
This is the position taken in the Netherlands under the Dutch Telecommunications Act (the Netherlands’ version of the UK’s PECR).
When sending direct marketing you should work on the basis of the destination country, as this is what data subjects expect. This would require an assessment of your destination countries and their implementation of the EU’s ePrivacy Directive.
It is also important to point out that the above only applies if you are sending an email to named individuals at their personal company email address – this will not be the case if you are emailing a generic company email address.