If you buy business mailing lists and email lists, you can be forgiven for thinking that you can no longer use them since the arrival of GDPR on 25th May 2018, when the new General Data Protection Regulation came into force. Much has been written decrying this Data Protection Regulation update as the end of cold email marketing. And it does herald some big changes, most notably the tightening up of how people consent to their personal data being used. But this does not rule out cold b2b email marketing or using bought-in business mailing lists to generate sales.
Since 25th May, for consent to be used as a lawful basis to process data (ie send b2b marketing emails) a person must actively consent for their data to be processed and used and the name of the company using the data must be mentioned at the time consent is given. This means that mailing list companies can no longer sell data that is "fully opted-in". To opt in, people have to opt in directly with the company using the data. Unless your company name was mentioned when the person's email address was collected, you can no longer rely on consent as a reason to process personal data.
But consent is not the only reason to process personal data. There are six lawful bases for processing data in the Data Protection legislation. You need to show compliance with one reason. The most useful for business-to-business direct marketers and email marketers is known as Legitimate Interests.
Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.
Latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:
"the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing."
Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.
We've put together a guide on the simple steps you need to take to use legitimate interests as your reason to continue processing data and to continue using bought-in mailing lists for your email marketing.
Principally you need to carry out a simple legitimate interests assessment and document this assessment. Then update your Privacy Policy to state that you are relying on Legitimate Interests as a lawful basis on which to process personal data. And finally communicate that you are using Legitimate Interests to the people whose data you are processing.
Electric Marketing's guide details how to do the legitimate interests assessment. And as an example we've put our own Legitimate Interests Assessment on our website.
Legitimate Interests is not a new concept and in fact, Electric Marketing has never relied on consent as a basis for collecting and processing data. What is new is that GDPR requires us all to document how we are using data and to communicate this to users and data subjects. Which on balance, seems quite reasonable.