GDPR is going to change the face of marketing – and mostly for the better. In many ways, the new data protection laws will encourage businesses to adopt best practice, and strongly discourage the quick-fix approaches that often give marketing a bad name.
With the warning of hefty fines, GDPR compliance is paramount, but initial drafts of the regulation made it difficult for UK businesses to continue with much of their current direct marketing activity. That’s why the Direct Marketing Association (DMA) – a network of over 1,000 UK marketing firms – successfully lobbied for the GDPR to include a concept called legitimate interest, a legal basis for data processing which more closely matches the needs of B2B firms.
B2B marketing will have to consider what data and activities are necessary. Those activities are the legitimate interests of the business, and justify direct one-to-one marketing activities to employees of other businesses.
It’s different from the consent basis on which B2C marketing has to operate – but this difference has caused confusion among B2B marketers. We’re here to talk you through legitimate interest – what it is and how it works.
Isn’t GDPR about opting in to data processing and marketing communications?
Many businesses have assumed that they cannot process any individual’s data without their direct, informed consent. It’s true that GDPR will promote a higher standard for consent than previous legislation, but it’s not true that consent is the only basis for processing data. It’s one basis among six, and each has the same legal weight and standing. They are:
(1) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(2) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(3) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(4) Vital interests: the processing is necessary to protect someone’s life.
(5) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(6) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
It’s this final one – legitimate interests – that we think will be the go-to legal basis for data processing for B2B marketers.
What is legitimate interest?
Legitimate interest is a legal ground on which businesses can process the personal data of their existing audience. Once legitimate interest is established and proven, marketing activities can continue, as long as the recipients have been allowed to opt out of these activities.
Rather than an objective restriction, legitimate interest is a subjective option: it involves weighing marketers’ right to market against individuals’ right to privacy. If marketers offer a compelling case for why someone may be interested in their goods or services, they can continue marketing to them – as long as the recipients are clearly informed of what’s happening and the marketer gives them a clear opportunity to opt out.
Why will legitimate interest be the go-to legal basis for B2B marketing and not B2C?
The UK’s legal framework for privacy in marketing is not solely defined by GDPR. It’s also defined by the existing Privacy and Electronic Communications Regulations (PECR), which will remain in force once GDPR takes effect.
PECR applies to all forms of B2C marketing, but not to all forms of B2B marketing. Under PECR, the customer must consent to receive electronic marketing messages, hence the opt-out and pre-ticked opt-in options marketers currently offer. PECR also demands that customers be given an opt-out option with every message.
Staff members of limited companies, incorporated partnerships, local authorities and government institutions are all exempt from PECR. This means B2B marketers are free to use legitimate interest as a legal basis for electronic marketing to these people, in their professional capacity. This much more closely matches the current marketing practices for B2B businesses.
How will legitimate interest work as a basis for B2B marketing?
Justifying your legitimate interest involves carrying out a Legitimate Interest Assessment. We’ve written about the ins and outs of this elsewhere – the key question is “would the recipient expect this?” If they could reasonably anticipate you using their data in the way that you have, it’s likely that your activity falls under legitimate interests.
How can I know what recipients expect?
Flip the question on its head. If you signed up for another company’s newsletter by giving them your work email address, what would you expect them to do with it? You’d expect to receive the newsletter. You’d expect a clear, functional way to unsubscribe entirely. You’d probably appreciate an opportunity to switch from weekly to monthly to quarterly newsletters, depending on your workload and the time you have available. But it’s not all about digital marketing.
The Information Commissioner’s Office (ICO) – which has recently released its own guidance for complying with GDPR – highlights postal marketing, emails and texts to business calls, and live phone calls (provided there’s no TPS/CTPS registration or clear personal objection) as marketing activities covered by legitimate interest.
Phone calls to protected numbers, or when the recipient has clearly objected to a call, are out. Speculative emails to personal addresses are out. Bulk email without purpose, sent to purchased ‘contact’ lists, is definitely out. Ultimately, GDPR is about improving the quality of life for individuals, and will force marketers to up their game.