One of the biggest concerns marketers have is the impact GDPR has on sending emails to EU data subjects, which many believe could spell the end of cold email sending. Fortunately, this is not the case. Read on in the GDPR guide below to find out why.
Tracking, storing, and using customer data has become commonplace in the era of smartphones, social media, and the internet. However, the way businesses use data is about to change—at least in the European Union. This year, the EU will officially implement GDPR, a game-changing piece of legislation that is going to rewrite the rules of using customer data. The question we are here to answer is: what will the push for GDPR compliance mean for B2B businesses?
First of all, What Is GDPR?
GDPR stands for “General Data Protection Regulation.” It is a new piece of European Union legislation meant to protect the privacy of personal data and give EU data subjects more control over their own personal information. To do business with anyone in the European Union, companies, whether they are part of the EU / EEA or not, will need to follow strict guidelines concerning how they collect, use, and retain data about their customers.
The good news is that no business is going to be blindsided by GDPR. The new regulation was first adopted by the European Council nearly two years ago, in April 2016. The actual enforcement date for the legislation, meanwhile, is May 25, 2018. Businesses not compliant with the rule by that date could face substantial fines (up to €20,000,000 or 4% of global turnover, whichever is the larger).
If your company is based in the European Union or does any business there, you need to pay attention to this new law which has been described as “the most important change in data privacy regulation in 20 years. It will impact virtually any business that has clients or customers in Europe”.
On the Surface: What GDPR Means for B2B Marketers
GDPR is a massive law—to the point where giving a meaningful overview can be daunting. The basic summary is that it protects consumers by setting strict rules for how companies can gather, process, and protect their personal data. The GDPR covers all communications with data subjects (B2C & B2B); however, there are still other regulations in force (the PECR, which will be replaced soon by the ePrivacy Regulation) and, for the UK, the Data Protection Bill when it gets passed and becomes law. As a business, we are only concerned with B2B communication, so the remainder of this article is focused on this aspect and how GDPR applies.
Some B2B companies have already made the mistake of assuming that GDPR won’t affect them. They believe that, since their dealings are with businesses and not consumers, they aren’t handling personal data. If your company isn’t handling personal information, then you can disregard GDPR. Right?
Wrong. Think about the pieces of information that are most crucial to your B2B campaigns. They include email addresses, details about the decision-makers at the companies you are targeting, and more. Some of the details you’ll use in a B2B campaign don’t qualify as personal data. For instance, firmographic information—facts about a company’s industry, location, size, etc.—is information about a company, not a person. Business email addresses, though, are still technically “personal information” under GDPR.
There are two very crucial GDPR requirements of which B2B companies will need to be aware.
Consent
First, you cannot send email to prospects without consent that is “freely given, specific, informed and [an] unambiguous indication of the individual’s wishes.” In other words, you can’t spam prospects with emails they don’t want. You need to get their permission before you can start pitching your products or services.
Right to be forgotten
Second, you must honor the “right to be forgotten.” Say you reach out to a contact who has no interest in your business or what you are offering. This person wants you to delete their email address, along with any other information you might have about them. To comply with GDPR, you must respect these wishes and erase the person’s information from your B2B database.
Going deeper: Is this the end of cold-emails?
Obviously, there is some intense concern among businesses that the new GDPR requirements could be the end of B2B marketing as we know it. Based on the section of the regulation quoted above, GDPR essentially prohibits cold-call emails. Seemingly, this requirement puts B2B marketers in a tough position. Sure, it isn’t impossible to get prospective clients to consent to your emails before you send them. A typical example of this type of consent might be a trade show or exhibition, where you encourage prospects to sign up for your email list. Provided the prospects know what they are signing up for, this kind of scenario would qualify as consent under the GDPR regulation.
The problem is that many businesses do not go about their B2B marketing activities in this fashion—at least not for every contact. It’s far more common for marketers to do research online, identify potential clients, find contact details for decision-makers, and reach out to those key personnel. This strategy allows you to grow your contact list consistently. It also means that you can reach out to companies that you haven’t encountered at trade shows, or that you haven’t drawn to your website already by way of inbound marketing.
The big question about GDPR for most B2B marketers, then, is: do we indeed need to get every prospect to opt-in before sending an email?
Fortunately, the answer is “Not necessarily.” Article 6.1 of the General Data Protection Regulation includes six legal grounds for processing and using personal data.
Those grounds are as follows:
- Opt-in consent: The customer permits you to contact them, or invites you to do so.
- Contractual requirement: The business (e.g., you) must process the customer’s personal data (their email address/contact info) to fulfil a contract.
- Legal Compliance: The business needs to process the customer’s data for reasons of legal compliance.
- Best Interest: The business must process the customer’s data to protect the best interests of the data subject (or the best interests of someone else).
- Public Interest: Data processing is essential in the interests of the public.
- Legitimate Interest: There is a direct quote in the GDPR regulation that says, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
A few of these points are confusing. Luckily, B2B marketers only really need to worry about two of them. The first is the opt-in consent requirement, which we have already discussed. If a prospect willingly signs up to receive emails from your business, that person has fulfilled the grounds of opt-in consent.
The second point of interest is the last one: legitimate interest. B2B marketers will be able to use this argument to justify most communications with prospective clients.
Legitimate Interest – How It Works & Is It a Loophole?
What exactly is legitimate interest, you may ask? Unfortunately, there is still some debate about that question as it’s not 100% clear what qualifies as “legitimate interest.” However, since the GDPR specifically mentions direct marketing in Article 47 as potentially being viable under legitimate interest (e.g., email marketing), it does seem that business interests on the part of the sender (you) with relevant communications to the recipient (your prospect) may qualify.
The crucial aspect here is that, whilst it’s not 100% clear, the GDPR does state that when using legitimate interest as your lawful basis to process personal data, you must be certain that the individual rights and freedoms of that person are not negatively impacted such that the impact overrides your legitimate reason to process their data.
The “legitimate interest” rule is not a loophole that gives your business carte blanche to ignore GDPR. While this point does seem to provide some extra wiggle room for direct marketers, it’s still worth noting that there must be interest on both sides of the equation. It is obvious that your business has a “legitimate interest” in turning a prospect into a paying customer. Whether the prospect has a “legitimate interest” in receiving communications from your business, though, is another matter entirely.
To avoid running into GDPR compliance issues with your direct marketing strategies, businesses should follow three key rules.
First, make sure you are practicing permission-based marketing. Permission can be given with opt-in consent from the outset, but it can also be earned over time. If you don’t have consent, you do not have “permission” to email someone unexpectedly and pitch a sale. Instead, you want to establish a relationship and earn the right to pitch a sale later. If you follow this strategy, you should avoid a situation where the people you contact feel spammed or otherwise inclined to report you for GDPR violations.
Second, remember that you still want opt-in consent. Getting that consent should be a natural part of the permission marketing process. You want to build enough trust with your prospect that you can ask for permission to make a pitch. If you get the consent, you are in the clear regardless of how the European Council decides to interpret the “legitimate interest” rule going forward. You should also keep track of when you got consent, who gave it, and other details of the interchange. Having this information on record will help you protect yourself in the unlikely event that someone files a GDPR-related complaint about your business.
Third, you must, with no exceptions, respect opt-out requests. If someone says that they don’t want to receive your emails anymore, or suggests that you are bothering them, you should back off at once. Failing to recognize signs that your communications are not welcome could put you at risk for a GDPR compliance violation. You do not want to take that risk, given the fact that businesses can face maximum fines of €20 million or 4% of their annual “global turnover” (another term for global revenue).
What to Do about Your Databases
Knowing about legitimate interest should put some of your fears about GDPR requirements to rest. The regulation should not kill email marketing as we know it. Instead, it will just encourage businesses to be smarter and more respectful with direct marketing strategies—not a bad thing for anyone. However, even with the legitimate interest argument in your back pocket, you should still look through your email database and go through the steps of making it GDPR-ready.
There are a few preparations you can make. First, and most urgently, you should get consent now for your existing clients. Yes, existing clients and contacts are supposed to opt-in, too—even if they’ve been buying your product or service for years. Of course, if you have an existing relationship with someone, then opt-in consent is little more than a formality. A long-time client is probably not going to turn around and report you for a GDPR violation if you fail to take this step. However, having proof of consent for all your clients is still preferable.
Next, every time you add new potential clients to your email database, do your homework. Make sure you are contacting prospects whose interests are relevant to your product or service. Otherwise, you will have a tough time making any “legitimate interest” defense. If you tend to buy your email lists from data providers, get in the habit of only buying from companies that allow you to do advanced profile selection. This strategy will help you avoid irrelevant contacts—something you should want to do anyway.
Finally, make sure your databases are secure. Email contact lists include personal data and are subject to the privacy and data protection requirements of GDPR. You should review the General Data Protection Regulation to learn what your obligations are here—not just for email lists, but for any customer data you are retaining.
But What If I’m Not in the EU?
One of the big misconceptions about GDPR is that it isn’t going to matter to any businesses that are based outside of the European Union. Even if your business isn’t geographically based in the EU, you still have to follow GDPR if you do business with EU companies.
Say your business is based in the United States, but you are expanding overseas and want to target companies in countries such as France or Germany. Before you engage in any B2B (or B2C) activities in any EU country, you need to make sure you are compliant with GDPR. You can still face all the same punishments as actual EU companies, even if you aren’t based in the EU.