A Guide to GDPR for Marketing in the B2B Technology Sector

In May 2018, the General Data Protection Regulation (GDPR) officially came into force. The regulation was the culmination of years of work, designed to set out a bold new vision for European data protection standards in the 21^st century. Though set by the European Union, the legislation has far-reaching effects across the world – since they apply, in effect, to any company that processes the data of EU citizens.

The new laws are strict, and the consequences of breaching them are severe. Fines can be as much as €20m or 4% of global turnover – which companies like British Airways and Marriott have discovered to their severe misfortune. Companies must take the necessary steps to comply with the legislation – whether they work in B2B or B2C sectors.

In this blog, we look through some of the most important principles that today’s B2B technology providers need to know about GDPR for marketing.

GDPR and personal data

The full GDPR is an enormous piece of legislation with many different chapters, clauses and categories. The main crux of the legislation, however, is to govern how organisations interact with personal data. As the name would suggest, this refers to data about individuals rather than organisations. Crucially for B2B companies, the rules still apply to individuals in a professional as well as personal capacity. That means B2B technology providers have to pay attention to the GDPR just the same as consumer-facing companies – though there are a few minor differences in the regulations.

The Information Commissioner’s Office (ICO) is charged with monitoring and regulating the GDPR, and they define personal data as ‘any information related to an identified or identifiable individual’. As a definition, that’s pretty loose. However, most organisations process personal data at one point or another, such as:

• Names
• Email address (work and personal)
• Age
• Date of birth
• Billing and shipping information
• Contact information
• National insurance information
• Cookies and IP information

The last of these will be of the most importance – many will be surprised to learn this counts as personal data. In practice, this means that any organisation that tracks their website traffic using platforms like Google Analytics will need to pay attention to the GDPR and create a fully compliant privacy policy.

Key principles of the GDPR for marketing

The GDPR is a long and complex document. But for most organisations, it applies to two main areas.

1.     Data consent

One of the key tenets of the GDPR is to establish a set of clear rules for when organisations are legally allowed to process personal information. In total, there are six legal bases in which an organisation can process personal data. Of these, two situations will apply to most companies:

If you need to process the data to complete a service or sale

If you do business with somebody, at some point you’ll likely need to communicate with them; whether that’s an e-commerce platform sending an email confirmation, or a technology provider getting in touch to exchange a signed contract. In these situations, it’s important to remember that the contact information can only be used for the purpose it was collected. In practice, that usually means you can’t send marketing emails to a customer from whom you obtained contact information under this clause.

If the data subject gives consent

If a data subject has given consent for their data to be processed, for whatever reason, that becomes legally valid. This clause is the basis of how organisations can build email marketing lists and remain compliant. One of the most publicised changes of GDPR was that it required opt-in consent to be given, meaning marketers couldn’t simply tick the consent box by default. Luckily, however, this rule doesn’t apply to B2B businesses.

This means that, while organisations still require consent to build their email marketing lists, the bar is lower for B2B than B2C companies.

2.     Data Access

The second key principle of the GDPR is designed to give people access to the information about their personal data. In short, the ‘right of access’ is designed to ensure that people can find out whether you process their personal data, as well as a range of other related information.

Under this clause, which B2B and B2B companies are both held to, an individual is given the legal right to confirmation of whether you process their information, as well as a copy of it. This request can come in any form, and, in most cases, should be complied with without charge. There is a range of other information that you should provide to individuals in this situation, as well as a copy of the data itself. This includes:

• The purpose of the data being processed
• The category of data
• The recipient
• How long you intend to retain the information for
• Reminding them of their right to lodge a complaint
• If the data is being shared with a third party

Luckily, if you’ve got a fully-compliant privacy policy, you should already have all this information recorded. That means complying with this clause should only require confirmation of data being processed, along with a copy of that data, and your company privacy policy.

Demystifying compliance

When GDPR first became enforceable, there was confusion and plenty of worry for marketers that they’d waste valuable resources staying compliant. And with such steep punishments for non-compliance, it was certainly a troubling time. Since then, the post-GDPR world has been somewhat plainer sailing than many have anticipated.

That doesn’t mean you don’t have to pay attention to the rules, however. With the right legal advice and guidance, adhering to the GDPR and other data protection regulations can be effortless.

At Law365, helping to protect your clients’ data is one of our top priorities. And with legal knowledge tailored specifically to the demands of Microsoft Partner B2B technology companies, you can’t find better advice anywhere else. As a Microsoft Partner themselves said:

“There was a significant amount of added value working with an organisation that works with other Microsoft Partners. This is because they understand, more than any other legal firm I’ve had experience with, the complexities of contracting for products and services directly – and they understand having a dependency on the provider – which is Microsoft.”

Carl Grieves, CEO at SilverBear LTD.

If you want to find out more about legal services for Microsoft Partner companies, check out our full range of legal solutions right here.