What is GDPR?
GDPR (General Data Protection Regulation) is legislation devised the the European Union, which was introduced in 2018 to ensure a consistent level of data protection, easing the flow of data within (and between) EU Member countries.
Domestically in the UK, the Data Protection Act 2018 is an interpretation of the GDPR regulation, other EU Member countries have their own too.
The GDPR sets out requirements for companies and organisations on how they handle the data for individuals, along with what they can and can’t do with that data with (or without) permission.
What is PECR?
PECR (Privacy and Electronic Communications Regulations 2003) is the UK law derived from the EU’s E-Privacy Directive 2002.
Elements of PECR have a strong association with GDPR, especially with regards to website ‘cookies’ and electronic marketing.
Where EU member countries are required to write a law, consistency is lacking as each member state has the freedom to interpret the law differently.
The existing E-Privacy directive will soon be replaced by the e-privacy regulation, however, no date has been confirmed at the time of publishing this guide.
PECR alos covers security of electronic communication services and also the privacy of customers using communications networks.
What is Consent?
Companies need a legal basis to process personal information,m and there are 6 legal basis’ in which a company can do so.
- Performance of a contract
- Legitimate interest
- Vital interest
- Legal requirement
- Public interest
Consent (opt-in) in particular must be freely given to be valid, and must also be as easy for the indivudual (data subject) to withdraw (opt-out) should they decise to do so.
Your opt-in message must be clear and transparrent, so the indivudual can understand exactly what they are giving consent to, and to must be a positive confimrmation. e.g. ‘tick this box to receive marketing’ is ok, but ‘tick this box to not receive marketing’ is not compliant.
How Does GDPR and PECR Impact B2B Marketing?
Let’s clear up one of the most common misunderstandings… At the time of publishing this guide, opt-in is NOT required for B2B Marketing in the UK. In this scenario, a “business” can be defined as a limited company or PLC that is registered with the official government register, Companies House. With this, you can process information and conduct marketing based on legitimate interest, which means you can promote products and services that are directly relevant to the target executive based on their job function and / or responsibilities (e.g. selling laptops to IT Managers).
That said, if you are targeting your campaign to businesses that are either a “Sole Trader” or “Partnership”, then the rules are more strict, realigning them to B2C regulations where a personal opt-in is required. The twist in the tail here is that consent (opt-in) isn’t necessarily required for all forms of marketing. For example, you need an opt-in for email and telemarketing to a sole trader or partnership, however, you do not need the opt-in for direct mail (postal) as long as you offer an option to opt-out.
With email being one of the most popular channels for marketing these days, it’s important to understand where the regulations can differ between different countries. You can check out our GDPR Spring Recipe to learn more about EU Data Compliance and which Member countries are opt-in / opt-out.
Terminology Cheat Sheet:
- ICO – Information Commissioners Office (UK regulator)
- B2B – Business to Business Marketing
- B2C – Business to Consumer Marketing
- PII – Personally Identifiable Information
- Legal Basis – Your legal reason to be processing that piece of information
- Data Processing / Processing – Any action performed upon data
- Data Subject – An Individual
- Data Processor – An organisation processing personal data
- DPA – Data Protection Act or Data Protection Authority
- DPO – Data Protection Officer
- DPIA – Data Protection Impact Assessment