Broadly speaking, data privacy in the UK and EU is covered under the General Data Protection Regulation (GDPR) and the forthcoming ePrivacy Regulation (ePrivacy). Understanding how they work together within B2B marketing is essential.
In this article, I will attempt to briefly explain what each regulation covers and the connection between them. Be aware that The Information Commissioner’s Office (ICO) is responsible for enforcing both GDPR and ePrivacy.
An outline of GDPR
GDPR was published in 2016 to harmonise data privacy laws across all EU countries (including the UK). Note that it’s called the ‘Data Protection’ regulation, not the ‘Data Marketing’ regulation – it was created primarily with the protection of personal data in mind, marketing just got swept in with the tide.
The GDPR is focused on defining and protecting all kinds of personal data, anything from medical data to marketing data – whether it’s on paper or electronic.
Before GDPR, each member of the EU had slightly different data privacy laws, and Germany had some of the strictest. It was decided that every member should raise their benchmark to the German level, rather than Germany lower their standards.
Key elements of the GDPR are as follows:
a) Right to be Informed
You need to make sure individuals understand who and why their personal data is being collected, as well as details about how the data will be used. This should be contained in an updated Privacy Notice, and the GDPR extends these rights to any database that stores information on EU citizens – even if the database is outside the EU.
b) Legitimate Interest Assessment
Organisations need to prove they have a legal basis for using (processing) personal data. There are six legal ways you can process data, but for B2B marketing they are most likely ‘contract’, ‘legitimate interest’ and ‘consent’. I predict many marketers will use legitimate interest, but you need to conduct a Legitimate Interest Assessment and store the results.
c) Privacy Impact Assessments
Businesses will need to carry out a Privacy Impact Assessment where the processing of personal data is likely to result in a significant risk to the rights and freedoms of individuals. Data Controllers are also now required to report personal data breaches to the ICO within 72 hours if the breach is likely to result in a high risk.
d) Right to Erasure (Right to be Forgotten)
The Right to Erasure enables individuals to request that all the data you hold about them be removed from your CRM (if you have passed their data to a third-party processor, they will also need to remove the information). You can refuse if you need the data for accounting, tax or other regulatory purposes.
e) New Data Protection Officer (DPO)
If you employ more than 250 staff or process large amounts of personal data, you are required to appoint a DPO to help you comply with GDPR law.
f) Increased obligations for Data Processors
The old Data Protection Act 1998 placed burdens only on Data Controllers. Under GDPR, Data Processors will also have obligations. For example, they will have a responsibility to implement appropriate measures for the security of personal data during its processing.
An introduction to the ePrivacy Regulation
The ePrivacy law has been drafted (but not finalised or enforced yet) to broaden the scope of the current Privacy & Electronic Communications Regulation (PECR) and ePrivacy Directive (Cookie Law) across the EU and UK.
While GDPR is finalised and scheduled for implementation on 25 May 2018, the text for the ePrivacy Regulation is still being approved and could change.
Some optimists believe it could be finalised by the end of 2018; I think it will be 2019 based on the time it took for GDPR. And then there will be a grace period before it is enforced. My prediction is 2020 will be the year for any prosecutions under the new ePrivacy law.
The reason for two laws is because they are derived from two different rights in the European Charter of Human Rights.
The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life.
The ePrivacy Regulation covers all forms of electronic communication. Specific areas of interest are unsolicited marketing, cookies and confidentiality.
a) Unsolicited Marketing
The regulation will make it illegal to send any electronic communication to an individual without their consent (including telephone, emails and text messages). Marketers will not be able to send emails or texts without prior permission from each email or mobile account holder. This is the case under the current PECR law for B2C marketing, but it may be extended to B2B under the replacement ePrivacy Regulation. It’s possible you will be able to telephone B2B prospective customers as long as their number is not on the TPS* or CTPS* lists.
Cookies will now be tracked within software and the user’s browser settings. This will do away with the annoying banner pop-ups on websites that request consent for cookies. Each user will be able to change the cookie consent in their browser/software to suit their needs.
Online communications providers, such as Gmail, Skype, Facebook Messenger and WhatsApp, will be required to provide the same level of customer data safety as traditional telecommunications providers.
Providers of any electronic communication service are required to secure all communications through the best available techniques. This creates a need for websites to stay technologically in sync with the best safety features available on the market.
The ePrivacy Regulation will likely require additional compliance and will probably have supremacy over GDPR. How can companies comply with two laws when one is not yet finished? All you can do is adhere to the law as written, conform to GDPR since ePrivacy is still up in the air.
* TPS and CTPS are UK ‘do not call’ lists. You can be fined for calling numbers on the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS).