There is an old adage concerning B2B marketing which tells us, “business people are people too; it’s just that they are at work”. In many ways, the same principle applies to data protection law too and it becomes more relevant than ever with the arrival of The General Data Protection Regulation (GDPR).
This new law brings in a significant shake-up of the legal framework concerning “personal” data. And contrary to what you might have heard, it’s something that all marketers need to be aware of, even if your marketing list consists solely of business buyers.
Here’s a closer look at what the GDPR means for B2B marketing activities.
Personal data protection: why it matters for B2B
The GDPR governs personal data. It brings in new and enhanced rights for individuals, designed to give them greater control over how their data is used by the organisations who control and process it. It also places new obligations on data controllers in key areas such as consent and record keeping.
There’s a strong emphasis on consumer protection in all of this – and at first glance, B2B marketers would be forgiven for thinking that the new law doesn’t affect them. This would be a mistake.
As we’ll see, information relating to business buyers very often falls into the category of “personal data”. Failure to process it in accordance with the new rulebook could lead you to sleepwalk towards fines and other penalties (you can discover more about these here).
Is it personal? Categorising your data
The GDPR defines “personal data” as any information relating to an “identifiable person who can be directly or indirectly identified by reference to an identifier”. Here’s what this means in the context of some of the key categories of data likely to be held by your B2B marketing department:
- Your list of possible target companies. This includes general contact details (i.e. addresses, and ‘info@’ type email addresses) for those companies. Generally, no specific individuals can be identified from this data – so it wouldn’t be classed as “personal data” and is therefore outside the scope of the GDPR.
- Information relating to sole traders and partnerships. Unlike with corporate entities, with this information, it is possible to identify a recognised individual – so the GDPR applies.
- Data relating to named individuals. Examples include information relating to BANT-qualified leads. For instance, you’ve made contact with the head of IT procurement at a target company. You have her email address and records of communications. This would be classed as personal data.
For any organisation, an audit of existing data and processes is generally the first step towards GDPR compliance (read more about this in our guide to data mapping).
Your contact database: issues for B2B marketers
One of the purposes of data mapping and auditing is to help you draw a line between personal and non-personal data.
For companies that sell to businesses, however, this line can sometimes be fuzzy. For instance, on your leads database is an email address ‘accounts@xcoltd’. At first glance, this doesn’t fall into the “personal data” category. But let’s say this is a startup. The accounts department consists of one person – and a quick look on LinkedIn reveals the identity of this individual.
Now let’s say your leads list is accessed unlawfully. The intruder takes this email address and uses it to mount a phishing attack on the addressee. This example helps to illustrate why GDPR covers any information relating to indirect as well as direct identification.
Bearing this in mind, B2B marketers should consider the following:
- It may be impractical to go through your entire customer contact list to separate personal from non-personal data. This is especially the case if your client base consists of a mix of larger corporates, SMEs, consultants and sole traders/partnerships.
- With this in mind, the most workable solution to ensure compliance may be to apply the same GDPR-compliant processes to all customer data across the board.
Lawful processing: consent and legitimate interest
Under GDPR, you must have a lawful basis for all data processing activities you conduct.
To illustrate this, let’s say firstname.lastname@example.org has just signed up to your SaaS service on behalf of her company:
- You need to retain her work email (which is personal data) as a general contact and to keep her updated in relation to essential information relating to your contract of service.
- In accordance with your business model, you intend to use her data to formulate tailored offerings for connected services and to determine pricings when it comes to renewal.
- You’d like to send her your weekly newsletter comprising a blend of promotional and general interest content.
- You would also like to forward her contact information (as a possible lead) to a partner organisation which is developing a plug-in for your product.
Each of these is a separate processing activity with a distinct objective. And for each activity, you need to establish and record the legal basis for carrying it out. For many of these activities (e.g. sending out promotional emails and other marketing materials) you will need to rely on the legal ground of “consent”. For other activities (e.g. data analysis for determining pricing), the appropriate basis is likely to be “legitimate interest”.
To help you get to grips with this complex area, here’s some additional help:
- GDPR tightens up the rules around consent – and effectively means that vague, catch-all opt-ins are now a thing of the past. Our guide to consent provides the lowdown on this.
- Our GDPR and marketing article further explores the difference between “consent” and “legitimate interest” and how to determine which legal basis to rely on.
Does the GDPR mean fewer leads?
GDPR requires you to verify that individuals have ‘opted-in’ – i.e. given positive consent to receiving communications from you before you contact them; something that’s especially relevant if you are targeting micro-businesses and sole traders. When it comes to lists of leads bought in from outside your firm, this is going to be a practical impossibility, so it’s highly likely that paid-for lists will now become a thing of the past.
If you currently buy lists of potential leads into your organisation, you will need to check carefully that the leads on that list have opted-in to communications from you before contacting them; something that’s especially relevant if you are targeting micro-businesses and sole traders.
The tougher rules on opt-ins and consents are likely to result in a leaner database of prospects for many firms. That said, this streamlining of your lead list could be beneficial – in that the leads who are left standing are likely to be more engaged – perhaps even leading to a boost in your click-through and conversion rates. More widely, GDPR may require a fresh look at your inbound marketing strategies, with a view to driving new audiences to your firm in the absence of ‘bought-in’ leads.
From your initial audit, through to record-keeping essentials, The Privacy Compliance Hub can offer everything you need for your B2B marketing department and wider organisation to get to grips with GDPR compliance. Take our free demo today – or contact The Hub direct for a chat!