GDPR Compliant Marketing – How To Guide for B2B and B2C

Did you know that last year various companies were issued substantial fines by the Information Commissioner’s Office (ICO) for so-called ‘nuisance marketing’?

It’s pretty scary stuff when you think about it. You want to market your business to prospects, but you need to do it in the right way, or you’ll risk falling foul of a multitude of different laws.

So, in the rush to win over new customers, how do you ensure you’re marketing and selling to prospects without running the risk of the UK’s data protection watchdog, the ICO, or Ofcom baring their considerable teeth? You need to ensure you have GDPR compliant marketing.

Whether you’re booming, getting by or trying to avoid going bust, using the ongoing global pandemic as an excuse for sending out unsolicited marketing messages won’t wash with the ICO, which enforces the host of laws that regulate communications, networking and data protection. And remember, if you are sending out digital mailers and relying on consent, the ICO may ask you to demonstrate how this was obtained.

The Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR) apply alongside UK GDPR. The Corporate Telephone Preference Service (CTPS) and, for consumers, the Telephone Preference Service (TPS) are also in place to protect UK residents. These rules apply to any organisation or business that handles personal data, whether it is based in the UK, the EU or elsewhere, which is known as “extra-territorial effect”.

Avoid data processing pitfalls and ensure GDPR compliant marketing

Regulations exist to restrict unsolicited marketing by phone, fax, email, text (SMS) or other electronic messages. Some of the supervision is managed on behalf of the ICO by the Data & Marketing Association (DMA) (see the association’s code of practice). There are also Ofcom regulations to deal with nuisance phone calls.

Rules are generally stricter for contacting consumers than for B2B marketing. So, what measures do your sales teams, marketing teams or business owners need to take to do things the right way? Firstly, it depends on what you want to do when it comes to ensuring you have GDPR compliant marketing.

Stick to the six UK GDPR guiding principles

For email marketing, UK GDPR applies to any data processing undertaken in the UK no matter where the client or customer is based in the world. This means you must extend data subjects’ rights and your other legal obligations to everyone in the world, not just those located within the UK and European Union.

UK GDPR is currently in sync with EU data protection legislation, encompassing the following six data protection principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Also remember that there are only six lawful bases for contacting people by digital communications like email. These are consent, performance of a contract, compliance with a legal obligation, vital interests, public interest and legitimate interests. Most marketers rely on legitimate interests, which is fine and easier to justify on a B2B basis, but more challenging for B2C, where you will need to demonstrate a relationship such as an existing customer or a recent sales enquiry. Documents like privacy policies and processing agreements must reflect which of these lawful bases your business is relying on. In certain limited circumstances, marketing communications can be sent without prior consent to past customers on the basis of legitimate interests, to tell them about similar products or services. However, these must abide by strict rules regarding their content and must provide the opportunity to opt out.

If individuals opt out, you cannot contact them again, as this would contravene Regulation 22 of the PECR. So please don’t fall for the schoolboy error of emailing customers who have opted out of further communications, asking them to resubscribe by sending a further mailer, as the ICO will rightly get very upset.

Obviously, if you’re communicating with a customer concerning the delivery of an order, then it’s outside the scope of marketing, as it’s contractual and therefore lawful processing.

For any company using a contact marketing database containing even limited personal details, such as just a data subject’s name, those contacts have certain legally binding rights under UK GDPR, including:

  • The right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure/to be forgotten
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision making and profiling.

You will need to demonstrate, through a Privacy Policy and other procedures, that you are able to uphold these rights and to fulfil any data subject access requests within a maximum of 30 days.

Switching people off from unwanted phone calls

So, what about phone canvassing? PECR lays down the law in this area, effectively covering marketing that is outside the scope of UK GDPR. It is actually quite prescriptive about what businesses must comply with when making unsolicited sales calls, which must not be made to anyone who has previously notified the caller that they do not wish to receive such calls.

You must also never call any number registered with the Corporate Telephone Preference Service (CTPS) or, for consumers, the Telephone Preference Service (TPS), unless the person has specifically consented to your calls or there are legitimate reasons for contacting them, such as an existing trading relationship or research purposes. Remember that CTPS and TPS enable businesses and consumers respectively to opt out of receiving calls. There are providers like us who offer a database screening service to check for and remove any contacts that have opted out of communications.

Ofcom, the communications regulator, has powers to deal with unsolicited and silent calls made through automated systems, including, in certain circumstances, the ability to block certain numbers.

The ICO can impose penalties of up to £500,000 for breaches of the PECR, while UK GDPR and the DPA set a maximum fine of £17.5 million or four percent of annual global turnover – whichever is greater – for data infringements. To avoid these heavy fines, businesses must be diligent with any personal data and must make sure that their marketing is compliant.

As an additional aspect to factor into your future strategic marketing plans, it could pay dividends to seek external professional guidance from someone like a GDPR Practitioner from Allott and Associates, who can undertake a data processing audit. Having the peace of mind of knowing that your business or organisation is data and marketing compliant, for a tiny percentage of the potential fines applicable, is worth every penny.

Find out more about our UK GDPR services here. And/or talk to our PR experts about how to ensure you market in the right way, with GDPR compliant marketing. Call us on +44 (0)1423 867264 or + 44 (0) 207 257 2017.