Compliance

E-Marketing and GDPR

To clarify what the current status is regarding the processing of data and how GDPR affects e-marketing the following information is provided.

GDPR Overview

The EU General Data Protection Regulation is a far-reaching piece of European privacy legislation, which came into effect on 25th May 2018.

GDPR replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

The GDPR applies to organisations processing and holding personal data within the EU. It also applies to organisations outside the EU who offer goods or services to individuals in the EU.

Personal data means any information that can be used to directly or indirectly identify the person. This could be anything from a name, computer IP address or bank details to location data.
GDPR requirements are not affected by Britain leaving the EU (Brexit); this has been confirmed by the Secretary of State for the Department of Culture Media and Sport.

E-Marketing

The use of email marketing is governed by the Privacy and Electronic Communications Regulations (PECR). PECR sits alongside the Data Protection Act and the GDPR.

Under PECR, marketing emails are permissible in a B2B environment with no requirement for a prior opt-in, although there must be a clear opt-out option.

Sole traders and partnerships are excluded from this; take care not to send marketing emails to sole traders or partnerships.

GDPR and Legitimate Interest

Where GDPR is relevant is as the basis for processing of personal data; including data of employees within a business (i.e. B2B data).

GDPR has six lawful bases under which personal data can be processed. The sixth clause in Article 6 – Legitimate Interests – is the one that is relevant to email marketing, in a B2B context.

The sixth clause in Article 6, ‘Legitimate interests’ states:

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

This clause is consistent with Article 16 of the European Charter of Fundamental Rights, the ‘freedom to conduct a business’ which confirms the right to supply goods and services and generate profit, provided your business activities comply with the law.

This is clarified further under Recital 47 of GDPR, which states:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Businesses do need to apply a balanced view in using legitimate interest as the basis for processing the subject’s data, which in the context of PECR and the sending of B2B marketing emails should include:

• Clearly identifying the sender and their contact details
• Ensuring the relevance of your offer to the recipient
• Provide a simple and robust opt-out

Summary

The use of both email marketing and telemarketing is still permissible in today’s GDPR compliant world.

Marketers must however:

• Ensure there is a legitimate interest in contacting the individual, which can be achieved ensuring your offer is relevant
• Restrict communications to businesses – and exclude consumers, sole trader and partnerships communications
• Provide a simple, robust opt-out process

Useful Supporting Documents

For further guidance on GDPR & Legitimate see further information from The Direct Marketing Association and The Information Commissioner’s Office:

The ICO Guide to GDPR & Legitimate Interests
The DMA Guide to Consent & Legitimate Interests

Who we work with