B2B marketing and the GDPR

There has been much uncertainty over what the effect the General Data Protection Regulation (GDPR) will have for B2B marketers once the comes into force in May 2018.

We can ignore Brexit, as the Secretary of State for the Department of Culture Media and Sport has confirmed GDPR will apply from May 2018.

The Information Commissioner’s Office recently announced that their first batch of guidance will be published before the end of January 2017. This is later than expected. The vote to leave the EU has delayed this, but sooner than many thought given the circumstances. This guidance will tackle profiling and consent.

Let us clarify the rules for B2B marketers.

The only difference between B2C and B2B marketers now is in connection with email and text marketing to employees of corporate organisations. When dealing with sole traders or partnerships, the rules governing B2C marketing will apply to B2B marketers so the general position for email and sms will be that you will need opt-in consent. For telephone and direct mail, you need to offer an opt-out.

When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same, opt-out.

However when emailing or texting, you do not need the prior consent/opt-in from the individual. You can therefore send them a marketing email/text as long as you provide an easy way to opt-out of future communications from you.

For any B2B marketing communications, regardless of channel, the content must be about products and/or services that are relevant to the recipients’ job role.

This situation will not change under GDPR. These rules for email and text messages come under the Privacy & Electronic Communications Regulations (PECR) and this will not be affected by the implementation of GDPR. There will be other obligations under GDPR when collecting personal data that will apply, for example enhanced information requirements, the clear recording of consent and improved privacy policies.

What is important to remember when emailing or texting corporate employees is that where personal data is used for marketing, for example a work email address, they have the right under the Data Protection Act to prevent their personal data being processed for direct marketing, which is why you must provide a way to opt-out of future communications.

One thing to note, PECR comes from another piece of EU legislation, the ePrivacy Directive, which is now under review by the EU Commission. There was a preliminary consultation earlier this year, which the DMA responded to, calling for the legislation to be emasculated where it covered ground already in the GDPR. We are awaiting the Commission’s full response to this consultation, which we understand to be imminent, with a legislative proposal to follow in early 2017.

The Commission aims to conclude the review of the ePrivacy Directive by May 2018 to coincide with the implementation of GDPR. However, some doubt this timetable, as it took seven years to get to where we are now with GDPR.

Although, what the future will really look like depends on what shape the ICO consent guidance takes and what the revised ePrivacy Directive looks like.