23rd May 2018
In light of the EU GDPR, many B2B marketers don’t understand when to use ‘Consent’ as a “legal basis” our Co-Founder and CEO, Richard Hibbert explains.
In the week running up to the GDPR launch date (25th May 2018), I received a lot of emails from B2B organizations asking for my consent to receive their marketing communications – all in the name of EU GDPR compliance. The GDPR does not actually require B2B organizations to use ‘Consent’ as a legal basis for electronic marketing to their business contacts; even though they will be processing personal data.
B2B marketing professionals need to understand that the key regulations governing electronic marketing messages in the UK are “The Privacy and Electronic Communications Regulations” (PECR). PECR sits firmly alongside the EU GDPR, and states that as long as you provide a convenient method for “Opting Out,” it is perfectly legitimate for the business to make marketing calls, and send emails, texts, and faxes to business contacts, without prior ‘Consent.’
So, where does GDPR fit in? Well, under GDPR, if we are sending electronic communications, we are clearly processing “Personal Data.” For this to be legal we must do two things: a) identify a legal basis; and b) be transparent – as well as of course complying with the rest of the regulation.
Recital 47 of the regulation states “The processing of personal data for direct marketing purposes may be regarded as carried out for a “legitimate interest.” This means we do not require “Consent,” as the legal basis. The second part of the regulation we then need to consider is transparency. This is where we need to look at Article 14, governing “Information to be provided where personal data have not been obtained from the data subject.” Here the regulation lists information we need to communicate to the direct marketing recipient, as part of the communication, such as the ‘purpose for processing’ and ‘legal’ basis.
So there we have it, ‘Consent’ does not have to be the ‘legal basis’ for B2B direct marketing. Of course, this does not mean obtaining affirmative consent isn’t a worthy thing to do, but taking this approach could mean losing the right to communicate with a significant portion of your contact database, as many people will not provide the consent you are requesting. Is this what you really want? There is an alternative approach!
Learn about our GDPR Suite here.
About Richard Hibbert
Richard is responsible for the SureCloud vision, strategy, and execution. Richard also oversees the continuous innovation of the SureCloud Platform and advises enterprises on GRC practices.
Previously, Richard held executive positions at UK, European and North American tech companies, where he led sales, marketing, and market development functions.
Connect with Richard on Linkedin here.
SureCloud provides Governance, Risk & Compliance (GRC) applications and Cybersecurity solutions that give our customers certainty – of risk management/compliance, of cybersecurity, of having answers today and tomorrow. Established in 2006, SureCloud is headquartered in the United Kingdom and has offices in the United States. SureCloud has more than 400 customers throughout the UK and US from the Retail, Financial Services, Government and other sectors.
This article does not constitute legal advice and I recommend that readers seek legal clarification before acting. This is only my personal interpretation of most B2B Marketers understanding of ‘Consent’ as a “legal basis” for electronic marketing to their business contacts under GDPR. Please feel free to comment if you have your own interpretations.