GDPR and marketing into Europe
There was a lot of scaremongering when GDPR came into force, particularly following a couple of high-profile violations which incurred large penalties, so understandably organisations outside Europe can be hesitant about initiating marketing campaigns in this region.
At The Call Business (TCB), we manage data for many of our business development clients, and so it is incumbent upon us to ensure that the work we do, across Europe, is compliant with the General Data Protection Regulation (GDPR) which came into force on 25th May 2018.
We are registered as a Data Controller with the UK Information Commissioner's Office (ICO) under reference number ZA101281. The ICO is the regulatory authority for data protection in the UK.
We have produced this Guide to GDPR to help and advise companies wishing to market into the UK and Europe.
GDPR 101
Information about a company as such (its registered address, turnover, switchboard number and so on) is not covered by this legislation, as GDPR relates only to personal data. Information about the named individuals who work there is personal data, as explained below, but the impact of GDPR on those selling only B2B is still much less than for those working in the consumer space.
There are seven principles to GDPR which dictate how personal data must be handled:
Lawfulness, fairness and transparency – work within the law, treat data fairly, be transparent
Purpose limitation – only use data for the purpose it was collected for
Data minimisation – only collect what data you need
Accuracy – make sure the data you collect is accurate
Storage limitation – only store it for as long as you really need to
Integrity and confidentiality – keep it safe, treat it with integrity and keep it confidential
Accountability – take measures and keep appropriate records to demonstrate compliance
These are all basic common sense and not difficult to adhere to if your organisation has good information security and good working practices in place. Bear in mind that they only apply to personal data.
What is personal data?
Broadly speaking, personal data is information about a living person (referred to as the Data Subject): specifically, anything that can be used to identify an individual. So anything about their home, their family, their health, their personal finances or their private life is personal data. Those selling consumer products or working in healthcare or financial services obviously hold vast amounts of extremely sensitive personal data, so it is not unreasonable that they should be expected to be extremely careful about how they handle, store and process that information.
For a B2B sales organisation, however, the amount of personal data that is collected about a data subject is often minimal and sometimes is simply the subject’s name.
Generally, if the subject's work email address contains their name (e.g. john.smith@abc.com) then it is personal data.
If the subject uses their personal mobile phone for work, then that phone number is personal data.
So B2B does typically involve the processing of personal data, but it is most unlikely that a B2B database would have home addresses, personal bank details or other more sensitive data such as health on record.
What is processing?
Pretty much anything you do with data is referred to as 'processing'. This is the list the ICO uses:
Collection
Recording
Organisation
Structuring
Storage
Adaptation
Alteration
Retrieval
Consultation
Use
Alignment
Restriction
Disclosure by transmission or dissemination
Erasure or destruction of personal data.
All of the activities TCB do in the process of making and/or managing a database, reaching out on behalf of our clients, establishing rapport, generating or qualifying leads sit somewhere in that list, but it is only the processing of the personal elements of the data that fall under GDPR.
The company that decides why and how the data is collected and used is the data controller. Where that company works with an agency or specialist marketing company to do some of this work on its behalf and on its instructions, the agency is the data processor. Both carry obligations under GDPR, and the GDPR requires a written contract between controller and processor setting out what the processor may do with the data.
Six legal bases for processing
GDPR outlines six scenarios in which data processing is legally permitted. Unless the organisation can show that the processing activity fits within one or more of these scenarios, then it is deemed to be unlawful to process the personal data. The six legal bases for data processing are:
1) Consent
Also known as opt-in: the data subject has given consent to the processing of their personal data for one or more specific purposes. By ticking that they agree to receive those emails, subjects are agreeing to allow that company or its processor to use their data for outreach and marketing purposes. By unsubscribing, they revoke that consent. Consent must be a clear, affirmative action by the subject (a pre-ticked box or silence does not count) and withdrawing it must be as easy as giving it. If you are relying on consent as the basis for processing, you must record when and how the subject consented, exactly what they consented to, and if and when they unsubscribed.
Consent is great, but you have to reach the audience to get their consent in the first place, and it is not the only legal basis for outreach.
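As an added example (this is not TCB's code, nor an ICO template), here is a minimal append-only consent register in Python that captures what the paragraph above says you must record: when and how consent was given, exactly what it covered, and when it was withdrawn. The subjects, purposes and dates are constructed for illustration. It goes slightly beyond the text in that every check is scoped to a specific purpose and a point in time, so consent granted for one purpose never silently covers another, and a withdrawn consent never resurfaces.

```python
"""Append-only consent register (added example, not TCB's own code).

Every subject, purpose and timestamp below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject: str       # the data subject, e.g. their email address
    purpose: str       # exactly what was consented to, e.g. "product-updates-email"
    action: str        # "granted" or "withdrawn"
    when: datetime     # timezone-aware timestamp of the event
    how: str           # how it was captured: "web-form", "unsubscribe-link", "phone-call", ...
    evidence: str      # pointer to the proof: form id, wording version, call log reference


class ConsentRegister:
    """Records consent events and answers 'may we process X for purpose Y at time T?'."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        if event.when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware so the order of events is unambiguous")
        # Append only: history is never edited or deleted, so the trail can be evidenced later.
        self._events.append(event)

    def evidence(self, subject: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one subject and one purpose, oldest first."""
        trail = [e for e in self._events if e.subject == subject and e.purpose == purpose]
        return sorted(trail, key=lambda e: e.when)

    def permitted(self, subject: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the latest event for this exact purpose, at or before `at`, is a grant.

        Consent is purpose-specific: a grant for one purpose says nothing about another,
        and no event at all means no consent.
        """
        at = at or datetime.now(timezone.utc)
        trail = [e for e in self.evidence(subject, purpose) if e.when <= at]
        if not trail:
            return False
        return trail[-1].action == "granted"


def build_demo_register() -> ConsentRegister:
    """Constructed sample data: one subject who opts in then unsubscribes, one who stays opted in."""
    utc = timezone.utc
    reg = ConsentRegister()
    reg.record(ConsentEvent("jane.doe@example.com", "product-updates-email", "granted",
                            datetime(2019, 3, 1, 9, 15, tzinfo=utc), "web-form",
                            "signup-form v3, wording rev 2019-02"))
    reg.record(ConsentEvent("jane.doe@example.com", "product-updates-email", "withdrawn",
                            datetime(2019, 6, 15, 17, 40, tzinfo=utc), "unsubscribe-link",
                            "mail-log 2019-06-15 entry 4412"))
    reg.record(ConsentEvent("bob.roe@example.net", "product-updates-email", "granted",
                            datetime(2019, 5, 20, 11, 0, tzinfo=utc), "web-form",
                            "signup-form v3, wording rev 2019-02"))
    return reg


def demo_checks() -> dict:
    """Run the register over the sample data; keys describe each check."""
    reg = build_demo_register()
    utc = timezone.utc
    return {
        "jane_updates_before_unsubscribe": reg.permitted(
            "jane.doe@example.com", "product-updates-email", datetime(2019, 4, 1, tzinfo=utc)),
        "jane_updates_after_unsubscribe": reg.permitted(
            "jane.doe@example.com", "product-updates-email", datetime(2019, 7, 1, tzinfo=utc)),
        # Jane never consented to event invitations; her email consent must not cover them.
        "jane_events_never_consented": reg.permitted(
            "jane.doe@example.com", "event-invitations", datetime(2019, 4, 1, tzinfo=utc)),
        "bob_updates_still_valid": reg.permitted(
            "bob.roe@example.net", "product-updates-email", datetime(2020, 1, 1, tzinfo=utc)),
        "jane_trail_length": len(reg.evidence("jane.doe@example.com", "product-updates-email")),
    }


if __name__ == "__main__":
    for name, result in demo_checks().items():
        print(f"{name}: {result}")
```

Keep the register append-only and timestamp every event in UTC. The question a regulator or a complaining subject will ask is not "did you have consent" but "show me when, how and for what", and a record that can be overwritten cannot answer it.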
2) Contract
Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
3) Legal obligation
Processing is necessary for compliance with a legal obligation to which the controller is subject.
4) Vital interest
Processing is necessary in order to protect the vital interests of the data subject. This is most used by the health industry, mainly in relation to emergency medical care.
5) Public Interest
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
6) Legitimate Interest
This is the most important from the point of view of business development.
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
What this means in plain language is that in order to go about its legitimate business, the organisation, or its agency, needs to process this data, and that is permitted as long as it does not infringe the individual's rights, especially children's rights.
This is generally the most flexible option. To rely on it, data controllers have to pass a three-part test: identify the legitimate interest (legitimate being the operative term here), show that the processing is necessary for that purpose, and then demonstrate that it does not override the rights and freedoms of the data subjects in question. If those rights and freedoms are affected in some way, the controller must be able to justify why its interest still outweighs that impact, and must document the reasoning.
Data Protection Impact Assessment
To rely properly on legitimate interest as the basis for processing, the balancing test above must be carried out and documented; where the processing is likely to result in a high risk to individuals, the GDPR also requires a Data Protection Impact Assessment (DPIA). In practice we carry out a DPIA for each campaign, since a properly documented DPIA covers both.
A DPIA is a process designed to systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of our and our clients’ accountability obligations under the GDPR, and when done properly helps you demonstrate how you comply with all of your data protection obligations.
A properly carried out DPIA examines in detail what the processing activity comprises
It reviews what personal data is involved
It investigates and reviews all the risks to the data subjects whose personal data is being processed
It reviews what is being done to minimise those risks
And finally it assesses whether the legitimate interest of the business in processing the data outweighs any risk to the individual data subjects
Here is an extremely simplified example:
What is the processing activity? We want to email companies in Europe to tell them about our products
What personal data is involved? Names and email addresses, Personal mobile numbers if used for work, Working hours
Where is the data stored? In our CRM system and if we email the subject, then that is stored in our email system
What are the risks to the subjects? Someone could hack our email or get into our CRM system
What is being done to minimise those risks? Data protection policy, information security policy, and all processes arising from them
How substantial is the risk to the individual data subject? Minimal
On balance does our legitimate interest outweigh the risk to these individuals? Yes
The actual assessment process, when done properly, involves detailing out the workflow that will apply to the data processing, and establishing which (on or offline) systems are used to process the data and this will include:
The CRM system in which it is stored
The email system used to transmit it
The servers on which spreadsheets, reports etc are stored
The ring binder in which the printed copies are kept.
As part of the assessment, it is necessary to examine the security arrangements on each of those systems. We do this via a questionnaire and, if necessary, a series of short interviews with key stakeholders.
The assessment also needs to include a review of the data protection policies which are in force in the organisation – it is no good working with a high-security CRM system if staff don’t practise basic cyber-hygiene.
If the assessment shows that there is a high risk to the individuals whose data is being processed which cannot be reduced by the measures available, the GDPR requires prior consultation with the Information Commissioner's Office, or the supervisory authority of the territory concerned, and the processing must not go ahead until that has been done. But assuming the risk is minimal (and we would only consider working on projects where that is the case) the document is kept on file as evidence of due diligence should it be needed.
Moving ahead
Having carried out a full DPIA and with the proper documentation in place, organisations can confidently move ahead with campaigns to open up new markets across Europe.
Carrying out a DPIA can seem daunting, particularly for organisations that don’t have in-house data protection or cyber-hygiene staff, but TCB can work with your team to carry out and document the assessment.
The assessment process will identify risk areas and TCB can help you to implement best practice and improve data security and cyber-hygiene.