GDPR and Direct Marketing
There is some confusion around how GDPR affects direct marketing, what is permissible and what isn’t.
Our following guidance relates to the use of email marketing and telemarketing for Business-to-Business direct marketing.
The EU General Data Protection Regulation is a far-reaching piece of European privacy legislation, which came into effect on 25th May 2018.
GDPR replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
The GDPR applies to organisations processing and holding personal data within the EU. It also applies to organisations outside the EU who offer goods or services to individuals in the EU.
Personal data means any information that can be used to directly or indirectly identify the person. This could be anything from a name, computer IP address or bank details to location data.
Your obligations under GDPR are not affected by the Brexit; this has been confirmed by the Secretary of State for the Department of Culture Media and Sport.
The use of email marketing is governed by the Privacy and Electronic Communications Regulations (PECR). PECR sits alongside the Data Protection Act and the GDPR.
Under PECR, marketing emails are permissible in a B2B environment with no requirement for a prior opt-in, although there must be a clear opt-out option.
Sole traders and partnerships are excluded from this; take care not to send marketing emails to sole traders or partnerships.
GDPR and Legitimate Interest
Where GDPR is relevant is as the basis for processing of personal data; including data of employees within a business (i.e. B2B data).
GDPR has six lawful bases under which personal data can be processed. The sixth clause in Article 6 – Legitimate Interests – is the one that is relevant to email marketing, in a B2B context.
The sixth clause in Article 6, ‘Legitimate interests’ states:
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
This clause is consistent with Article 16 of the European Charter of Fundamental Rights, the ‘freedom to conduct a business’ which confirms the right to supply goods and services and generate profit, provided your business activities comply with the law.
This is clarified further under Recital 47 of GDPR, which states:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Businesses do need to apply a balanced view in using legitimate interest as the basis for processing the subject’s data, which in the context of PECR and the sending of B2B marketing emails should include:
- Clearly identifying the sender and their contact details
- Ensuring the relevance of your offer to the recipient
- Provide a simple and robust opt-out
There has been far less confusion around the continued use of telemarketing as a direct marketing channel for B2B businesses.
In the post GDPR world, Telemarketing continues to be permissible as a direct marketing channel to reach individuals in businesses.
Again, Legitimate Interests should be respected, and in addition to the 3 points above, telemarketing data should be screened against the Corporate Telephone Preference Service.
The use of both email marketing and telemarketing is still permissible in today’s GDPR compliant world.
Marketers must however:
- Ensure there is a legitimate interest in contacting the individual (whether by telephone or email), which can be achieved ensuring your offer is relevant
- Restrict communications to businesses – and exclude consumers, sole trader and partnerships communications
- Provide a simple, robust opt-out process
Useful Supporting Documents
For further guidance on GDPR & Legitimate see further information from The Direct Marketing Association and The Information Commissioner’s Office:
The ICO Guide to GDPR & Legitimate Interests
The DMA Guide to Consent & Legitimate Interests