Be compliant with data legislation

One of the most common misconceptions about the scope of Data Protection legislation is that it does not apply to the processing of business data. However, the definition of personal data in the Data Protection Directive is very wide: ‘Personal Data shall mean any information relating to an identified or identifiable natural person’. Identifying factors include not just personal characteristics but economic ones as well.

The arrival of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) covering email and SMS has brought another layer of possible confusion for B2B marketers. Only some classes of business contacts are within the PECR definition of an ‘individual subscriber’. The definition includes those who work for sole traders or non-limited partnerships, but not those who work in corporates or as public service employees.

How can business data be fairly collected?

B2B marketers need to consider how they can collect personal data from their contacts to ensure that they have permission to market to them in the future. An opt-out must be offered to allow the individual to object.

When writing opt-out statements it must be clear:

  • Who is collecting the data
  • For what purposes it will be used
  • Whether it will be shared with other companies

A mechanism for the business contact to object – usually in the form of an opt-out box – should also be provided. If data is to be shared within a group of companies, the group should be named when the data is collected.

Persuading business contacts to allow use of their details for marketing purposes is undoubtedly getting harder. The proliferation of spammers and scammers means that B2B contacts are now much more cautious about the use of their information. Understanding why contacts opt out is important if permissions are to be maximised.

As with the consumer world, permission statements should reflect the values of the business brand and have the same ‘tone of voice’ as the rest of the communication.

The drivers for opt-out may be channel-driven, e.g. the prospect hates telemarketing calls or thinks physical mail damages the environment. This argues for separating channels in the permission statement.

Collecting business data online

B2B websites offer multiple opportunities to collect data for future use and there is a huge temptation to gather information – especially email data – in order to maintain ongoing relationships with site visitors. But many sites serve up inadequate permission statements and ‘boilerplate’ privacy policies which inadvertently encourage opt-out.

In general, pre-checked boxes are frowned upon and certainly would not hold up as opt-in consent. Privacy policies are a great place to offer reassurance about processing but sole reliance on a privacy policy (i.e. the omission of a specific permission statement at the point of collection) is unlikely to fulfil the consent requirements of the Act.

Links to other sites are also now common. B2B sites should include disclaimers to indicate that data surrendered post-link will be subject to a different privacy policy.

Badly written data collection screens and misleading privacy policies can really cost companies money. Getting someone to visit your website and then failing to engage them enough to give you permission is a huge waste of effort and money!

Collecting business data on the telephone

Collection of data – and permission – on the telephone can be more difficult than hard copy or web collection. It is a good idea to use an agreed form of words or a fully scripted statement when asking for permission. In some circumstances a recorded message at the beginning of an inbound call will suffice.

Using business data in telemarketing campaigns

It goes without saying that promotions should only be directed at business contacts who have by-passed opt-outs (i.e. have not objected), but PECR also requires that numbers registered on the Corporate Telephone Preference Service are removed when making cold telemarketing calls to businesses.

Companies are required to maintain their own ‘stop’ lists of individuals who have objected to receiving marketing from them. These in-house suppressions must be applied before every campaign.

Unsolicited automated outbound calls (i.e. recorded messages) are illegal under the PECR regulations.

Using business data in email and SMS campaigns

Emails sent to individuals within corporates or to public service employees are not covered by PECR consent rules but they are still governed by the Data Protection Act 1998. They must also abide by the requirement that the identity of the sender of an email must not be masked.

All unsolicited email communications need to include an unsubscribe option so that the individual can easily opt out. If an unsolicited SMS message is sent, a shortcode should be added to the message, which will allow the recipient to opt out.

Commercially available email/mobile lists can be employed so long as they have been collected with permission for third party use. B2B marketers need to ensure that they have proof from list owners that the relevant permission has been obtained.

What are the penalties for getting it wrong?

The Information Commissioner’s Office is in charge of enforcement of both the DPA and PECR and the office can serve notices to prevent illegal processing or prosecute companies for breach. There are around 25,000 complaints to the ICO every year.

The maximum fine in a Magistrates’ Court is £5000, but unlimited fines can be levied in higher courts and the Commissioner is about to be awarded much more significant fining powers for situations of significant data abuse.

What about data security and data losses?

Companies have a duty to protect the personal data they control and must take technical and organisational measures to secure it. Security must be guaranteed by written contract when data is being processed by an external service company such as a mailing house or an email service provider.

Significant data breaches by Government departments have hit the headlines recently but there is no statutory requirement to notify breaches to either the ICO or to the individuals concerned. This would only be necessary if significant harm might result from the data loss or if the data was particularly sensitive.

Top data protection tips:

  1. Register your processing with the Information Commissioner’s Office
  2. Always get consent for marketing purposes
  3. Write opt-out statements carefully to encourage permission
  4. Employ a standard form of words to get permission on the telephone
  5. Use your privacy policy to reassure your customers
  6. Don’t market to objectors
  7. Include an unsubscribe option in all emails
  8. Check the origins of third party data
  9. Keep data secure especially when outsourcing
  10. If in doubt, take expert advice

 
