Confusion, frustration and anxiety surround GDPR, which comes into effect on 25 May 2018. Most companies rely on email marketing and on services such as Oxyleads, hunter.io, etc. to obtain the email addresses of the relevant decision makers. Will it be possible to use them after 25 May 2018? Do businesses based outside of the EU need to bother at all?
Does GDPR apply outside of the EU?
In some circumstances, GDPR does apply to companies based outside of the EU, but not to everyone. It is applicable if your company monitors the behavior of or sells to “data subjects” in the EU. To determine whether this is your case, answer the questions below:
Do you have an established presence in the EU?
Is your processing of personal information related to the offering of goods or services to data subjects in the EU?
Are you monitoring the behavior of data subjects in the EU?
If you have answered yes to any of the questions above, GDPR applies to you. Be aware that “personal data” is defined by GDPR as “any information relating to an identified or identifiable natural person”. Most marketers perceive “personal data” as “sensitive data” and this may easily lead to being in breach.
So how do you stay in compliance if email marketing is one of your primary channels?
There are a number of lawful bases to process information under GDPR (this article by Elizabeth Denham, UK Information Commissioner and one of the authors of the GDPR, may also be of interest).
If you have an extensive database of prospects, potential partners, etc., one way to comply is to ask them to “opt-in”. It is a simple and inexpensive exercise – send an email to all contacts asking them for permission to stay in touch. However, it is important to provide an “opt-out” option as well.
Performance of a contract
You are allowed to process the information of the parties you have entered into a binding agreement with. These include your clients, vendors, affiliates, etc.
Protection of vital interests
It is safe to process information if it is processed to protect the vital interests of the data subject.
Performance of a task carried out in the public interest or official authority
Put simply, if an official authority has requested the processing of data in the public interest such as prevention of fraud, money laundering, data theft, etc., you are not only allowed to but, in most cases, you have an obligation to process data.
The data controllers (business organizations, etc.) are allowed to process data for purposes of the “legitimate interests” pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject.
For B2B marketers, the last one is fundamental: determine the balance of interest and ensure that your “legitimate interest” is not overridden by the interests or fundamental rights and freedoms of the data subject.
Does this mean that you are free to process the business email and telephone number that a person uses daily, and that are part of her/his signature and appear on her/his business cards?
Well, it’s a grey area. To stay on the safe side, you have to comply with the “Notice Requirements”.
First of all, under GDPR, you have to notify the data subject that you possess their data and inform them what you intend to do with it.
- How you got the data – purchased email lists, business cards, online services, etc.?
- Do you intend to transfer it to third parties?
- What purposes are you going to process the data for?
- Do you intend to transfer the data outside of the EU and to which countries?
- How will you address the person’s rights to amend the data or erase it (RTBF)?
- Are you using automated profiling (especially valid for recruiters and HR-software providers) and decision-making algorithms?
- What is the legitimate interest that allows you to process their data under GDPR?
- Include an “Unsubscribe” link and inform the data subject that unsubscribing equals data erasure (and make sure that you actually erase their data!)
- Depending on the technology solution you have in place, you may provide access to the profile you have created on behalf of the data subject so the data subject can amend or erase the data at any time.