GDPR and Prospecting

Transcript of the Video

Good evening everybody. Suzanne Dibble here, a data protection law expert, coming to you raw and uncut. Today, I wanted to address the question that's been raised in the group that lots of you seem to be interested in, and that is the question of GDPR and prospecting. Are we still okay where we've identified people that we think might be interested in our products and services, and we email them as maybe a one-off, not as part of a funnel or an automated email sequence, but you reach out to someone whether it's in an individual email or on LinkedIn or some other platform and say hello, introduce yourself and ask them whether they would like any further information on your products or services.

That's the question that I'm going to answer today, and it's a very interesting one, actually. Not least because there's a number of regulations that come into play in answering that question. But let's talk about GDPR first because that's what this group is about.

Now, if you are prospecting and you are reaching out to somebody that you've identified as being likely to want your product or service, then the first thing to ask yourself with the GDPR is, are you dealing with personal data? Remember that the definition of that is either that an individual has been identified or is capable of being identified and if you're processing personal data, then GDPR applies.

Now, GDPR does not distinguish between B2B marketing and B2C marketing. If you can identify an individual then you're caught by GDPR. Now, remember that consent is just one ground of legitimate processing, and another ground is a legitimate interest. I've already done a video all about legitimate interest, but I just want to once again draw your attention to recital 47 that states that, "The processing of processing data for direct marketing purposes may be carried out as for a legitimate interest." Again, I've covered that in a different video.

For direct marketing particularly, and I'll come on to it in a little bit more detail, the recitals are specifically saying that legitimate interest is a lawful ground of processing. Now, remember that for legitimate interest it's important to carry out a legitimate interest assessment. Number one, what is your legitimate interest? Number two, establish whether the processing is necessary for those legitimate interests. And three, perform a balancing test to ensure the interests of the individual don't override your legitimate interests.

So really I think, although the guidance doesn't specifically say this, I think that what that is leaning towards is where you have an existing customer and chances are they're going to be interested in your products and services. So a little bit like the Soft Opt-Out rule that we have already with the current regulations.

There has got to be a relevant and appropriate relationship for a legitimate interest. An individual has to reasonably expect to get the marketing. That's the question that you've got to ask yourself when you're prospecting. Is there a relevant and appropriate relationship, and would that individual reasonably expect to get that marketing information? Now if we take it back one step further, in current Skidmore's question in the group about this, she phrased it so that she would initially make an introduction and then ask them if they would like to know more about for example an event, a webinar or a freebie pack, an information pack or something like that.

That is in theory, the first contact. If you can't fit that into legitimate interest because there isn't that relevant and appropriate relationship and the individual wouldn't reasonably expect to get that marketing. If you can't fit that into legitimate interests then yes that initial introduction email, you might not have a legitimate ground for sending that. But if you're just saying hi and asking them if they are interested, then I'm sure that in the Information Commissioner's Office eyes that's going to be a lot less open to sanctions than if you go in with a full-blown marketing email. You are at least asking them if they would like that information, and at that point, there is certainly an element of consent when they say yes they would like that information for the purposes of GDPR.

Thus, I think actually the answer to this question is not so much GDPR that governs prospecting but PECR, the Privacy and Electronic Communications Regulation. And as I've said on previous videos this is going to be amended too, this regulation. And the European Commission was hoping to have it done in time to mirror GDPR and come into force at the same time, but it's now looking like it's going to be 2019 before that comes into force. But the PECR does distinguish between corporate subscribers and individual subscribers. Currently, on the PECR, you can't send unsolicited direct marketing to individual subscribers. You can send unsolicited direct marketing to corporate subscribers.

Sole traders and partnerships, because they are not separate legal entities, other than in Scotland actually. Partnerships in Scotland do fall under the definition of a corporate subscriber. But certainly, partnerships in England and Wales are treated as individual subscribers. So you have to be particularly careful if you're emailing what you think is a corporate because partnerships and sole traders are classified as individuals and you can't email those people without consent. As I referred to before, there is this thing called the soft opt-in which is where you have obtained contact details in the course of sale or negotiations to that recipient, that the direct marketing is in respect of similar products and services only and that the recipient is given a simple means of opt-out at the time his or her details were collected and on each subsequent communication. Now that's the current rules. You've still got to identify yourself and provide your contact details on corporate emails in the same way that you do for individual attending to individuals, but for B2B, under the current PECR, you can send unsolicited marketing communications.

Now, under the new PECR that they hope is going to come into force in 2019, it looks like an email to corporate subscribers will also require consent. But watch this space. I have read something that says that it will be up to individual member states as to what the scope of the restrictions will be, but you've got at least a year to worry about that. So I think we need to be working at the moment on the basis of the current regulations. Now that is the general backdrop. Now you asked specifically about direct mail by post, phone calls and emails. Now post, actually let's deal with the phone calls first because that's probably the easiest one.

With calls, you can make live unsolicited marketing calls, and again, what I'm saying from now on end is current regulations that are due to be changing, but it'll be at least a year before they do. So let's go with what we've got at the moment. The general rule is that organizations can make live unsolicited marketing calls, but you can't call any number registered with the TPS unless the subscriber has specifically told you that they don't object to your calls. So in effect, TPS registration acts as a general opt out of receiving any marketing calls. There's a separate service for corporate subscribers. What's the name of that? I've never used it myself because I don't do marketing calls out, but let me just find it so that I can give you the right name. Where's it gone? Business calls.

Here we go. So business to business calls, yep, the same rules apply to marketing calls made to businesses. Sole traders and partnerships may register their number with the TPS in the same way as individual consumers while companies and other corporate bodies register with the Corporate Telephone Preference Service. So that's called the CTPS. That was fairly straightforward for phone calls, and really, you just need to check whether a number is registered with the TPS and if it is then you can't phone them. However, the Information Commissioner's ... It's too late. The ICO does say the opt-in consent is always the best. And I'd have to say that I personally get very, very, very, very frustrated, in fact, it's probably the thing I object to most: unsolicited phone calls. They always have that knack of phoning at exactly the wrong time when I'm just putting the kids to bed or on the loo and you dash for the phone and I find them very, very annoying.

There are a few other rules that go around that, but that's in summary where we are with phone calls. And so emails, as I said before, it's pretty black and white really with the current regulations which are that if you've got an individual subscriber, you can't send unsolicited marketing emails. If you're sending it to a business that is B2B then you can. Let me just see if there's anything else that I need to tell you about that. Okay, I think that's probably it for now.

Yeah. So with mail, PECR doesn't cover mail because that's not electronic, but individuals can register addresses with the Mail Preference Service, which works in a similar way to the TPS. The current Data Protection Act doesn't specifically require organizations to screen against the Mail Preference Service, but it's good practice to do so and will save time and money. Yes. Again, all my flyers go straight in the bin. I think with a lot of these rules you can look at the letter of the law and think, "Oh yes, we can do that." But in reality, what's a more effective marketing campaign for me is certainly not sending me crappy flyers in the post. Okay, so what I'm going to do is I'm going to post in the group, there's a really handy little table that the Information Commissioner's Office has put together for direct marketing via various channels and the distinction between B2B and B2C. So I'll post that with this video as well.

But I think in summary, GDPR is not the main driver really of how you send unsolicited emails, phone calls, and post. The thing to think about with GDPR is just to make sure that you have a legitimate grounds for processing that data. If it's personal data, which it probably will be, because even if you've got a name and an email address that doesn't even mention the person in the name, that person is arguably still capable of being identified if you match that email address and the company that they work for with the individual. So you've got to make sure that you've got the legitimate grounds for processing for GDPR. And then really it's a question of looking at the PECR, which as I say is changing. And I did a video the other day about how that's changing, but that's going to be a year, a year and a half down the line. So let's not worry about that just at this moment in time.

So I hope that's answered the questions. If you've got any more please do post because I know this is a really hot topic, particularly within GDPR, and I want everybody to have clarity on that. So in summary, email marketing under the current PECR, you can't send unsolicited emails to individual subscribers, which include sole traders and partnerships unless you've got their consent or you've got the soft opt-in, which is that three-stage test, which is first, you've obtained their contact details in the course of a sale or negotiations to a sale, you're sending them information about something similar to what you sold them, and thirdly, at the time that you collected their information, you gave them the right to opt-out and you've subsequently given them the right to opt-out on every communication that you send since then. So that's it for emails.

Then, Post Preference Service checks that. Phone Preference Service, check that. My opinion as someone who gets marketed to and who markets is permission-based marketing is so much more effective than not. And I take the point that with prospecting, you do sometimes have to contact people out of the blue. I think there are sensitive ways to do that and certainly if you're going to them and asking them, you know, introducing yourself and having that sort of introductory conversation along the lines of, "What's in it for each of you?" rather than you just trying to push your services on them and asking them if they would like to receive further information, then I think that is a different prospect to just a full-on unsolicited marketing campaign.

So I think I'll leave it there, I'm a bit weary tonight. But again thank you all for sharing in the group. Thank you all for buying ... The GDPR Pack is flying off the shelf, can't keep up with all the orders. So thank you so much for trusting me to keep you compliant. I'm really excited to be getting that out to you later this week. If you only bought it then the details are in the pinned post at the top of the Facebook group, there's also the recording there of the two-hour training session that I did. Upcoming videos that I'll do, I'm going to be doing one for photographers and I'm going to be doing one on data processing if you're a data processor and I've got a number, I've got a whole list I can't remember right now, but I've got enough to keep me going for my one video a day through to the 25th of May.

If you have any further ideas as to what you'd like me to do a video on, then post in the group and I'll be really pleased to do that for you. All right. Thank you so much, guys. Thanks for the continued support. Thanks for being engaged. Thanks for asking brilliant questions that are exercising my gray matter. And keep sharing the group, I think together we're helping lots of people make sense of what can be quite a daunting and complex regulation. So thank you and I'll see you tomorrow. Good evening.