GDPR: Do Business Emails Count as ‘Personal Data’?
As we approach closer to the GDPR deadline, we’ve been getting a lot of questions regarding whether business email addresses and contact details will come under the GDPR as ‘personal data’. We have been waiting on a guide to fully explain this, and last week IASME – Certifying Body for Cyber Essentials alerted us of this guide produced by the Information Commissioner’s Office (ICO); ‘The rules around business to business marketing, the GDPR and PECR’.
We’ve decided to publish the full content of that guide in this article. But you can also read it on the ICO website here.
This article summarises what the rules are when it comes to applying GDPR in Business to Business marketing and should hopefully answer some questions you might have. See the ICO’s guide to this below…
Does the GDPR apply to business-to-business marketing?
Yes. The GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (eg firstname.lastname@example.org), the GDPR will apply.
The GDPR only applies to loose business cards if you intend to file them or input the details into a computer system.
You can find more information on when GDPR applies in the key definitions section of our Guide to GDPR.
Does the GDPR mean we need consent for marketing?
Not always. Consent is one lawful basis for processing, but there are alternatives. In particular, you may be able to rely on ‘legitimate interests’ to justify some of your business-to-business marketing.
However, sometimes you will need consent to comply with the Privacy and Electronic Communications Regulations (PECR). See our Guide to PECR for more on when you need consent for electronic marketing.
When can we rely on legitimate interests for marketing?
You can rely on legitimate interests for marketing activities if you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing – but only if you don’t need consent under PECR.
You can find more detail in the legitimate interests section of our Guide to GDPR. We have produced some specific detailed guidance on:
-legitimate interests for marketing activities; and
-legitimate interests for business-to-business contacts
Does PECR still apply?
Yes. The GDPR does not replace PECR – although it has amended the definition of consent. You need to comply with both GDPR and PECR for your business-to-business marketing.
The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with the new definition of consent) until the new ePR is finalised.
You can find more information in our Guide to PECR and our direct marketing guidance.
What are the rules on marketing emails or texts?
Sole traders and some partnerships are treated as individuals so you can only email or text them if they have specifically consented, or if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance. You must include an opt-out or unsubscribe option in the message.
You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice, and good business sense, to keep a ‘do not email or text’ list of any businesses that object or opt out, and screen any new marketing lists against that.
You may also need to consider the GDPR if you are emailing employees at a corporate body who have personal corporate email addresses (eg email@example.com).
For further information, see our guidance on direct marketing.
What are the rules on marketing calls?
You can call any business that has specifically consented to your calls – for example, by ticking an opt-in box.
You can also make live calls to any business number that is not registered on the Telephone Preference Service (TPS) or the Corporate TPS (CTPS), but only if they haven’t objected to your calls in the past.
You should remember that some businesses (sole traders and some partnerships) register with the TPS, and others (companies, some partnerships and government bodies) register with the CTPS. For business-to-business calls, you will therefore need to screen against both the TPS and the CTPS registers, as well as your own ‘do not call’ list.
The rules on automated calls are stricter. You must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the business has specifically consented to receive this type of call from you. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.
For further information, see our guidance on direct marketing.
What counts as consent?
Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
You must make it easy for people to withdraw consent at any time they choose.
You can find more detail in the consent section of our Guide to GDPR.
What else should we consider?
You must tell people what you are doing with their information. This includes your purposes for processing their personal data, your lawful basis for processing, how long you plan to retain the data, and who it will be shared with.
You can find more information in the right to be informed section of our Guide to GDPR.
If you are relying on legitimate interests for direct marketing, the individual’s right to object is absolute and you must stop processing when someone objects. See the right to object section of our Guide to GDPR.
If you are relying on consent, there is no right to object as such, but the individual has a right to withdraw their consent at any time. You must stop the processing when they withdraw consent.
Will you be producing more guidance on marketing?
We are in the process of producing a new statutory code of practice on direct marketing, and will consult on its content in due course.
In the meantime, we have already added GDPR updates to our direct marketing guidance.
Our legitimate interests guidance also includes some advice on how legitimate interests applies to marketing.
Our Guide to PECR remains in place, but we will shortly update it to clarify that the GDPR now specifies that any third parties who rely on consent must be specifically named.
The above is taken directly from the ICO’s article ‘The rules around business to business marketing, the GDPR and PECR’. For more information on the topics mentioned, see the ICO website.
If you need any other help with cyber security, GDPR or other aspects of data security, get in touch with one of our Cyber Security team on 0808 164 4142.