GDPR Guide: Is this the end of cold emails?
Chris Whife 23rd May 2018
One of the biggest concerns marketers have is the impact GDPR has on sending emails to EU data subjects which many believe could spell the end of cold email sending.
Fortunately, this is not the case.
Read on below GDPR Guide to find out why:
- What Is GDPR?
- On the Surface: What GDPR Means for B2B Marketers
- Consent & Right to be forgotten
- Going deeper: Is this the end of cold-emails? [jump to this section]
- Do we indeed need to get every prospect to opt-in before sending an email?
- Legitimate Interest – How It Works & Is It a Loophole? [jump to this section]
- How to avoid running into GDPR compliance issues
- What to Do about Your Databases
- But What If I’m Not in the EU?
Tracking, storing, and using customer data has become commonplace in the era of smartphones, social media, and the internet. However, the way businesses use data is about to change—at least in the European Union. This week, the EU will officially implement GDPR, a game-changing piece of legislation that is going to rewrite the rules of using customer data. The question we are here to answer is what the push for GDPR compliance will mean for B2B businesses?
First of all, What Is GDPR?
GDPR stands for “General Data Protection and Regulation.” It is a new piece of European Union legislation meant to protect the privacy of personal data and give EU data subjects more control over their own personal information. To do business with anyone in the European Union, whether you are part of the EU / EEA or not, companies will need to follow strict guidelines concerning how they collect, use, and retain data about their customers.
The good news is that no business is going to be blindsided by GDPR. The new regulation was first adopted by the European Council nearly two years ago, in April 2016. The actual enforcement date for the legislation, meanwhile, is May 25, 2018. Businesses not compliant with the rule by that date could face substantial fines (up to €20,000,000 or 4% of global turnover, whichever is the larger).
If your company is based in the European Union or does any business there, you need to pay attention to this new law which has been described as “the most important change in data privacy regulation in 20 years. It will impact virtually any business that has clients or customers in Europe”.
On the Surface: What GDPR Means for B2B Marketers
GDPR is a massive law—to the point where giving a meaningful overview can be daunting. The basic summary is that it protects consumers by setting strict rules for how companies can gather, process, and protect their personal data. The GDPR covers all communications with data subjects (B2C & B2B) however there are still other regulations in force (the PECR which will be replaced soon by the ePrivacy Regulation) and for the UK the Data Protection Bill when it gets passed and becomes law. As a business we are only concerned with B2B communication so the remainder of this article is focused on this aspect and how GDPR applies.
Some B2B companies have already made the mistake of assuming that GDPR won’t affect them. They believe that, since their dealings are with businesses and not consumers, they aren’t handling personal data. If your company isn’t handling personal information, then you can disregard GDPR. Right?
Wrong. Think about the pieces of information that are most crucial to your B2B campaigns. They include email addresses, details about the decision-makers at the companies you are targeting, and more. Some of the details you’ll use in a B2B campaign don’t qualify as personal data. For instance, firmographic information—facts about a company’s industry, location, size, etc.—is information about a company, not a person. Business email addresses, though, are still technically “personal information” under GDPR.
There are very crucial GDPR requirements which B2B companies will need to be aware of and comply with once it’s established Personal Data is being used for direct marketing purposes.
Firstly, you can send emails to prospects with their consent that must be “freely given, specific, informed and [an] unambiguous indication of the individual’s wishes.” In other words, you need to get their permission before you can start pitching your products or services. This can be achieved in several ways and is critical to any B2C marketing communications.
Right to be forgotten
Secondly, you must honour the rights of the individual such as their “right to be forgotten.” Say you reach out to a contact who has no interest in your business or what you are offering. This person wants you to delete their email address, along with any other information you might have about them. To comply with GDPR, you must respect these wishes and erase the person’s information from your B2B database. (unless you have a lawful reason for retaining some or all of the person’s information).
Going deeper: Is this the end of cold-emails?
There has been and still is some concern among businesses that the new GDPR requirements could dramatically affect B2B marketing as we know it.
If consent was the only option available to B2B marketers then the GDPR essentially prohibits cold-call emails. This would, seemingly, put B2B marketers in a very tough position. It’s not impossible to get prospective clients to consent to your emails before you send them. One method to obtain this type of consent might be a via trade show or exhibition, where you encourage prospects to sign up for your email list. Provided the prospects know what they are signing up for, this kind of scenario would qualify as consent under the GDPR regulation.
The problem is that many businesses do not go about their B2B marketing activities in this fashion—at least not for every contact. It’s far more common for marketers to do research online, identify potential clients, find contact details for decision-makers, and reach out to those key personnel. This strategy allows you to grow your contact list consistently. It also means that you can reach out to companies that you haven’t encountered at trade shows, or that you haven’t drawn to your website already by way of inbound marketing.
The big question about GDPR for most B2B marketers, then, is: Do we indeed need to get every prospect to opt-in before sending an email?
Fortunately, the answer is “No”. Article 6.1 of the General Data Protection Regulation provides six legal grounds for processing and using personal data.
Those grounds are as follows:
- Opt-in consent: The customer permits you to contact them, or invites you to do so.
- Contractual requirement: The business (e.g., you) must process the customer’s personal data (their email address/contact info) to fulfill a contract.
- Legal Compliance: The business needs to process the customer’s data for reasons of legal compliance.
- Best Interest: The business must process the customer’s data to protect the best interests of the data subject (or the best interests of someone else).
- Public Interest: Data processing is essential in the interests of the public.
- Legitimate Interest: There is a direct quote in the GDPR regulation that says, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Of real interest to B2B marketers are two of these lawful bases: consent and legitimate interest. We have already discussed consent above. If a prospect willingly and freely signs up to receive emails from your business, that person has fulfilled the grounds of opt-in consent.
The second point of interest is: legitimate interest. Providing B2B marketers enable the right conditions then they may use this lawful basis to justify most B2B communications with prospective clients.
Legitimate Interest – How It Works & Is It a Loophole?
What exactly is legitimate interest, you may ask? Unfortunately, there is still some debate about that question as it’s not 100% clear what qualifies as “legitimate interest.” However, since the GDPR specifically mentions direct marketing in Article 47 as potentially being viable under legitimate interest (e.g., email marketing), it does seem that business interests on the part of the sender (you) with relevant communications to the recipient (your prospect) may qualify.
The crucial aspect here is, that whilst it’s not 100% clear, the GDPR does state that when using legitimate interest as your lawful basis to process Personal Data, you must be certain that the individual rights and freedoms of that person are not negatively impacted and such an impacts overrides your legitimate reason to process their data.
What’s really been helpful to B2B marketers is the latest guidelines published by the ICO which states:
“You can rely on legitimate interests for marketing activities if you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing – but only if you don’t need consent under PECR.” Source – ICO.org.uk
The “legitimate interest” rule is not a loophole that gives your business carte blanche to ignore GDPR. While this point does seem to provide some extra wiggle room for direct marketers, it’s still worth noting that there must be interest on both sides of the equation. It is obvious that your business has a “legitimate interest” in turning a prospect into a paying customer. Whether the prospect has a “legitimate interest” in receiving communications from your business, though, is another matter entirely. The ICO has also provided this very useful table to help businesses identify if legitimate interests are applicable.
To avoid running into GDPR compliance issues with your direct marketing strategies, businesses should follow four key rules.
- First, understand what type of marketing you are pursuing and decide what your lawful basis for processing individuals’ Personal Data is. You may have more than one lawful basis apply depending on your requirements.
- Second, be clear and transparent with those prospects you outreach to. Ensure they can easily opt out of receiving future B2B communications and know why you have contacted them.
- Third, have processes and procedures in place that ensure you can uphold requests from data subjects when they exercise any of their rights.
- Four, ensure that whatever personal data you have and use is securely maintained and accurate so it’s fit for purpose. Every company must have sufficient technical and operational measures in place to protect the data it processes.
What to Do about Your Databases
Knowing about legitimate interest should put some of your fears about GDPR requirements to rest. The GDPR is not out to kill email marketing as we know it. Instead, it will just encourage businesses to be smarter and more respectful with direct marketing strategies—not a bad thing for anyone. However, even with the legitimate interest argument in your back pocket, you should still look through your email database and go through the steps of making it GDPR-ready.
There are a few preparations you can make. You should look to get consent now from your existing clients if you wish to continue with consent as your lawful basis for communicating with. Remember, with current customers you are likely to have a contract in place with them to provide goods or services and so can facilitate communication and the use of their personal data as a part of your contractual obligations to them.
Make sure you are contacting prospects whose interests are relevant to your product or service. Otherwise, you will have a tough time proving a “legitimate interest defense”. If you tend to buy your email lists from data providers, get in the habit of only buying from companies that allow you to do advanced profile selection. This strategy will help you avoid irrelevant contacts—something you should want to do anyway.
Finally, make sure your databases are secure. Email contact lists include personal data and are subject to the privacy and data protection requirements of GDPR. You should review the General Data Protection Regulation to learn what your obligations are here—not just for email lists, but for any customer data you are retaining.
But What If I’m Not in the EU?
One of the big misconceptions about GDPR is that it isn’t going to matter to any businesses that are based outside of the European Union. Even if your business isn’t geographically based in the EU, you still have to follow GDPR if you do business with EU companies.
Say your business is based in the United States, but you are expanding overseas and want to target companies in countries such as France or Germany. Before you engage in any B2B (or B2C) activities in any EU country, you need to make sure you are compliant with GDPR. You can still face all the same punishments as actual EU companies, even if you aren’t based in the EU.
Leadiro Is GDPR-Ready!
At Leadiro, we are proud to say that we are GDPR-ready. The email lists we sell and the services we provide are fully prepared for May 25th 2018.
Disclaimer: This article is not legal advice so please seek professional legal advice to discuss your specific circumstances.