Marketing is a key way to grow a business, but legal rules apply to it.
There is often a lot of confusion around business-to-business (B2B) marketing and how the UK GDPR data protection rules apply to it. Alongside the UK GDPR, other legal rules also apply to direct marketing activities.
In this guide to the way UK GDPR and PECR impact your B2B marketing campaigns, we will look at the relevant rules and examine some of the issues our small and medium-sized business clients regularly encounter. This is a complex area of law which a lot of businesses get wrong. If you have any specific enquiries or requests, contact one of our data protection lawyers today.
- How does GDPR apply to B2B marketing?
- What is PECR and how does it apply to B2B Marketing?
- Identifying a lawful ground for processing personal data
- How do you obtain appropriate consent for B2B marketing?
- When can you rely on ‘legitimate interest’?
- What do you need to know about marketing calls?
- What do you need to know about marketing emails?
- Can we use publicly available data to send business-to-business marketing?
- What about buying and selling marketing lists?
- What if we fail to comply with the UK GDPR and PECR?
- What about the future?
How does GDPR apply to B2B marketing?
The UK GDPR and the Data Protection Act 2018 protect the personal data of individuals. If, during your B2B marketing, you can identify individuals (directly or indirectly) then generally the UK GDPR rules apply. You’ll therefore need to ensure your marketing activities are UK GDPR compliant.
You may wonder why these rules affect business marketing. Purely corporate information about commercial entities (such as the name of a limited company) is not covered by the UK GDPR. However, this does not mean you can ignore data protection principles altogether when engaged in activities such as B2B marketing. If you are using any personal data of individuals for marketing purposes (e.g. joe.bloggs@123Ltd.com), then the UK GDPR rules will apply to your activities. Names, addresses or other personal information about employees or directors of a company are classed as personal data. Therefore, you’ll need to make sure you are acting in accordance with the UK GDPR rules when targeting businesses. This also means the UK GDPR sanctions will be available to the regulator if you breach the rules.
For information on what personal data means, see our guide on what constitutes personal data.
When processing personal data for B2B marketing purposes you still need to:
- Comply with the UK GDPR rules, such as the right for individuals to object to their data being used for marketing.
- Respect objections from businesses: businesses can object to receiving marketing from you, and you should not make marketing calls to businesses that have objected.
- Stop using an individual’s personal data for marketing purposes if they have specifically objected to this. This also applies in a business context.
It is important to understand these restrictions when engaging in B2B marketing campaigns.
See our guide for further information on compliance with the UK GDPR.
What is PECR and how does it apply to B2B Marketing?
The Privacy and Electronic Communications Regulations (PECR) limit the way businesses can use emails, texts and phone calls in their B2B marketing efforts. You also need to comply with the PECR rules when carrying out B2B marketing. PECR sits alongside the UK GDPR to bolster the regulation of unsolicited direct marketing by phone, email, text or other electronic means.
Whilst UK GDPR is about protecting the rights and freedoms of data subjects, PECR is about protecting the recipients of electronic communications.
The Data Protection Act 2018 specifies that direct marketing is ‘the communication of advertising or marketing material which is directed to a particular individual’. In practice, the ICO notes that direct marketing includes a variety of activities such as:
- Promoting aims and ideals.
- Advertising products or services.
- Fundraising and campaigning.
When a business carries out direct marketing, the PECR rules apply and need to be complied with. The rules are less strict when you are targeting a company rather than an individual. You should also be aware that partnership and sole trader businesses are treated as individuals for the purposes of direct marketing.
Under both PECR and UK GDPR, different forms of marketing attract different rules. For example, this means when sending unsolicited emails to a corporate subscriber (e.g. a company) you don’t need consent (but you would need consent if sending such an email to an individual). Instead, identifying yourself and providing contact details within the email is sufficient for compliance purposes.
Identifying a lawful ground for processing personal data
If your B2B marketing communications are caught by UK GDPR and PECR (that is, you are processing personal data during your marketing activities) then you need to establish a lawful basis for processing the information.
There are six lawful bases for processing and it is up to you to decide which basis is most appropriate.
The UK ICO states that the most common lawful bases for direct marketing are consent and legitimate interests.
How do you obtain appropriate consent for B2B marketing?
Where consent is required under the UK GDPR or PECR, including for personal data used in B2B marketing, the consent you obtain must be freely given, specific and informed. So before sending marketing texts or making marketing calls you must ensure you have obtained valid consent where those marketing activities require it.
You must record what an individual has consented to and be able to demonstrate (if requested by the ICO) how you obtained consent. If you engage in marketing without obtaining proper consent you may face regulatory scrutiny and punitive fines so it’s important to have the right procedures in place to ensure compliance.
You should check the relevant ICO guidance to determine when consent should be used for B2B marketing purposes.
For example, consent should be used to carry out the following types of marketing activities:
- Sending marketing emails to sole traders and certain types of partnerships, where the ‘soft opt-in’ exemption doesn’t apply.
- Making automated marketing calls.
When can you rely on ‘legitimate interest’?
A lot of B2B marketing can be justified under the legitimate interest basis for processing personal data.
You will need to establish:
- A specific, legitimate interest for the processing.
- That the processing of the data is necessary to achieve this purpose.
- That, on balance, your interest is not outweighed by the interests, rights and freedoms of the individual.
The legitimate interest ground for processing data is often preferred because it is flexible and gives you greater control over your processing. That said, there is a considerable amount of work involved in identifying a legitimate interest, demonstrating the necessity of the processing, and then carrying out a balancing exercise to ensure the interest isn’t overridden by the rights of the individual.
You will need to carefully consider if legitimate interest is the correct lawful basis. For example, you may argue that legitimate interests would apply to marketing to existing B2B customers – because those customers would reasonably expect to be contacted by you for marketing purposes.
What do you need to know about marketing calls?
Protecting consumers is at the heart of the UK GDPR/PECR data protection regime. The ‘cold-calling’ of potential customers and scam calling has long been a concern of regulators. UK GDPR and PECR in large part are aimed at addressing issues like this.
The two main things to bear in mind about B2B marketing calls are as follows:
- If a company has explicitly agreed to receive calls from you, through an opt-in box on your website for example, you can contact them for marketing purposes.
- Businesses can register with telephone preference services to indicate they do not wish to receive unsolicited marketing calls. By checking these registers to ensure the business you wish to call has not registered with them, you may call them without breaching the data protection rules.
You also need to remember to comply with the rules under UK GDPR. Make sure you consider and document your lawful basis for processing personal data when making telephone marketing calls.
Businesses should take note that the ICO regularly intervenes in relation to marketing calls made in contravention of the rules, imposing significant financial penalties on organisations found to have breached the rules.
What do you need to know about marketing emails?
Email is one of the most common marketing tools.
There is no bar on emailing or texting a company, but from a reputational point of view it’s always good practice to carefully monitor any email campaign you embark on. Many of our clients maintain an up-to-date register of companies that have objected to being contacted in the past to ensure they aren’t contacted by email or text in future.
However, email marketing rules are extremely complicated and can be difficult to navigate. This is partly because different rules apply depending on who you are emailing. Under PECR, sole traders and simple partnerships are classed as individuals. Therefore, you will need consent to email them unless they have purchased something from you before or used your services and didn’t opt out of receiving marketing messages (known as ‘the soft opt-in’).
However, you can email corporate subscribers without obtaining their consent. The rules in PECR do not apply to electronic marketing to corporate subscribers, i.e. companies and LLPs, Scottish partnerships, and government bodies. However, you need to ensure that the individual receiving the email at the corporate organisation has the right to unsubscribe from email marketing.
In practice, it can be difficult for businesses to keep on top of the rules and who they need consent from. Read our guide to email marketing compliance for more information on obtaining consent for email communications. Remember that when you are relying on consent to carry out direct marketing, consent should not ‘last forever’. How long consent remains valid depends on the circumstances, such as the context in which consent was given and the expectations of the individual who gave it.
You should always remember to document your lawful basis for sending B2B emails, e.g. record if you are relying on legitimate interests to do so and carry out a legitimate interests assessment.
When you are sending marketing emails, the ICO’s guidance states that you must ensure you:
- Don’t disguise or hide your identity.
- Give a valid contact address for people and businesses to opt-out or unsubscribe.
This applies whether or not the marketing emails have been requested.
Can we use publicly available data to send business-to-business marketing?
The ICO notes that personal data could be sourced online from public sources such as Companies House, a business website or social media. The ICO has made clear in its guidance that PECR rules need to be followed when you are using information from public sources to:
- Make marketing calls.
- Send marketing emails, including social media messages.
- Send marketing faxes.
Despite personal data being in the public domain, you still need to comply with data protection laws when using it. It is important to keep this in mind throughout your marketing campaigns and ensure that you are always acting in compliance with the applicable legal rules.
What about buying and selling marketing lists?
Accurate mailing lists are a hugely valuable tool for B2B marketing: their uses include providing a way to track a customer’s use of your products and services and testing out new commercial offerings. But with the backdrop of UK GDPR and PECR you must ensure that you use the personal data on marketing lists in a way that fully complies with data protection rules.
You should consider the following:
- Buying marketing lists: You can legitimately use information contained in marketing lists you acquire from a third party. But before calling companies on the list, you should ensure you follow the rules about checking call-screening registers and, where contacting a sole trader or partnership, ensure that they have given specific consent to marketing calls. In relation to emailing contacts on a bought-in list you must check that organisations have agreed to receive the type of message you intend to send. A blanket agreement to receive texts or emails from third parties will not normally be sufficient to meet UK GDPR requirements.
- Selling your mailing lists: It’s possible to sell marketing lists you have compiled internally. However, the details you sell will only be of use to third parties if the organisations listed have given specific consent to receive the type of message the purchaser of your list intends to send. As seller of the list, UK GDPR requires you to keep detailed records of how you obtained consent and the purpose for which that consent was given.
What if we fail to comply with the UK GDPR and PECR?
The UK ICO can apply various penalties for non-compliance.
The rules around B2B marketing are complex, and the ICO takes breaches of the rules seriously, imposing fines regularly on many relatively small and medium-sized businesses. It’s essential therefore that you have systems in place to ensure compliance with UK GDPR and PECR and that there is regular staff awareness training.
Fines for breaching the UK GDPR can be up to £17.5 million or 4% of total worldwide annual turnover, whichever is the higher. Breaching PECR is also extremely serious, with fines of up to £500,000. PECR sanctions also include criminal prosecution, enforcement action and audit powers.
Senior management may be held directly responsible if the business is non-compliant. You may also find companies and consumers losing trust in how you look after their personal data. Supervisory authorities not only impose fines, but they also name and shame. People will not be willing to put their personal data at risk with a business that cannot demonstrate compliance with data protection laws, and will instead move on to the next competitor that can.
What about the future?
When engaging in B2B marketing, you should be aware of possible changes in the pipeline. The EU is in the process of agreeing a new ‘ePrivacy Regulation’, which could change the marketing rules if UK lawmakers decide to adopt them. The new ePrivacy Regulation intends to raise the financial penalties for breaching its rules to the same level as prescribed by the EU GDPR. This means that businesses breaking the rules could be fined up to 4% of annual global turnover for the preceding financial year or 20 million euros, whichever is the greater, for the most serious breaches. As mentioned in our article, there are also potential changes in UK legislation. The proposed ‘Data Protection and Digital Information Bill’ could also amend UK data protection laws. This new law, if implemented, could change the rules around direct marketing. As such, it is important for businesses to watch this space and keep up to date with any changing rules around B2B marketing.
As you will note from this guide, there are several legal rules to comply with when engaging in B2B marketing.
Individuals are far more aware of their rights following the implementation of the UK GDPR. The ICO has regularly acted against companies that have breached the legal rules around direct marketing. Therefore, it is vital to make sure your B2B marketing campaigns are compliant. It doesn’t matter what size your company is, as even a few complaints from individuals could result in an investigation by the ICO. Further, for brand image purposes, you will not want your business to be seen as a nuisance for contacting individuals in breach of the legal rules.
UK GDPR compliance is an ongoing process and one that cannot be put in place immediately. However, our data protection solicitors are on hand and ready to assist in making this a swift and easy process.
Please contact us if you would like support with complying with the UK GDPR or PECR rules.