The European General Data Protection Regulation (GDPR) has applied in the UK since 25 May 2018.
The UK's Data Protection Act 2018 replaced the Data Protection Act 1998 and supplements the GDPR in UK law.
GDPR (or the Data Protection Act 2018) requires that personal data be processed lawfully, fairly and in a transparent manner and used only for specific, explicit and legitimate purposes. The data should be adequate, relevant and limited to what is necessary for the specified purpose; accurate and, where necessary, kept up to date; kept for no longer than necessary; and processed in a manner that ensures appropriate security. The data controller is responsible for, and must be able to demonstrate, compliance with these principles.
Electric Marketing has prepared this guide for companies that deal exclusively with other businesses. The major changes in GDPR for marketers apply to consumer-facing companies, with particular emphasis on consumer marketing, profiling and data relating to children, and these issues are not covered here.
The rules for business-to-business marketing remain much as they were before GDPR, i.e. an opt-out regime applies. The Data & Marketing Association (formerly the Direct Marketing Association) issued the following advice:
"When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same, opt-out. When emailing or texting, you do not need the prior consent/opt-in from the individual. You can therefore send them a marketing email/text as long as you provide an easy way to opt out of future communications from you. For any B2B marketing communications, regardless of channel, the content must be about products and/or services that are relevant to the recipients' job role. This situation will not change under GDPR. These rules for email and text messages come under the Privacy & Electronic Communications Regulations (PECR) and this will not be affected by the implementation of GDPR. What is important to remember when emailing or texting corporate employees is that where personal data is used for marketing, for example a work email address, they have the right to prevent their personal data being processed for direct marketing, which is why you must provide a way to opt out of future communications."
Source: Data & Marketing Association website, December 2016
Accountability is a cornerstone of GDPR; companies must be able to show how they comply with its principles and be able to demonstrate that they have effective policies and procedures in place.
You should document that your company complies with all of the following:
1. Awareness: Ensure that all relevant people within the company are aware of GDPR and how it affects your business. This should include all senior decision makers and the key people involved in managing data and personal information, such as the HR, IT and marketing departments.
2. Data you hold: Document what personal data you hold, where it came from, who has access to it and who you share it with. It may be sensible to conduct an information audit; its results will also form the basis of the record of processing activities that GDPR requires in most cases.
3. Lawful basis for processing data: Identify and document your lawful basis for each purpose for which you process personal data. For B2B marketing the bases that usually apply are the consent of the data subject; the legitimate interests of the data controller or a third party (GDPR expressly recognises direct marketing as a possible legitimate interest), provided those interests are not overridden by the individual's interests and rights, so you should record that balancing assessment; or the need to process the data to perform a contract with the data subject or to take steps at their request to enter into one. GDPR also provides bases for legal obligations, vital interests and public tasks, but these rarely apply to marketing.
4. Privacy notices: Update your privacy notices and make them freely available, fair and easy to understand. They should state who you are, what personal information you hold, where it was sourced, what purposes it will be used for, your lawful basis for each purpose, who you share it with and how long it will be held. Where you did not collect the data from the individual (for example a purchased prospect list), you must give them this information within a reasonable period, at the latest within one month or at the time of your first communication with them. You must also explain that individuals have the right to object to direct marketing and the right to complain to the Information Commissioner if they believe there is a problem with the way you are handling their data.
5. Individuals' rights: Have procedures in place so that individuals can easily exercise their rights to access, rectify, erase or restrict the processing of their personal data, and to object to its use for direct marketing (an objection to direct marketing must always be honoured). Respond without undue delay and in any case within one month (extendable for complex requests), and be able to supply the data in a commonly used, machine-readable electronic format.
6. Data breaches: Have procedures in place to detect, report and investigate a personal data breach, and keep an internal record of every breach whether or not you notify it. A breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it; where the risk is high, the affected individuals must also be told without undue delay. Assess the types of personal data you hold and document in advance which kinds of breach would require notification, so that the decision is not made from scratch under time pressure.
7. Data protection officer: Designate someone to take responsibility for data protection compliance within the company. A formal Data Protection Officer is mandatory only for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, which will rarely be the case for a B2B marketer, but someone must still own compliance.
8. Data protection by design and Data Protection Impact Assessments: Privacy and data protection must be key considerations at the early stages and throughout the lifecycle of any project the company embarks upon. A Data Protection Impact Assessment (DPIA) is required before starting any processing that is likely to result in a high risk to individuals. High risk includes processing that could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to an individual; large-scale profiling is a typical trigger. The DPIA should describe the processing, assess its necessity and proportionality, identify the risks to individuals and record the measures taken to address them.
Electric Marketing can help you get your data in shape so that you comply with GDPR. Take a look at our services to bring your b2b prospect lists up to date.
What About PECR?
PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) is UK law implementing the EU's ePrivacy Directive, and it continues to apply alongside GDPR. It was amended in 2019 to adopt the GDPR definition of consent. The EU has been planning a replacement for the ePrivacy Directive, the ePrivacy Regulation (ePR), but as the UK has left the EU the ePR will not apply in the UK.