How You Can Continue To Use Your Bought-In Mailing Lists After GDPR

If you buy business email lists, you can be forgiven for thinking that you can no longer use them after Friday 25th May 2018, when the new General Data Protection Regulation came into force. But you would be wrong…

Much rubbish has been stated suggesting GDPR is the end of email marketing.

It does mean some big changes, most notably the tightening up of how people consent to their personal data being used. But this does not rule out cold B2B email marketing or using bought-in business mailing lists to generate sales.

After 25th May 2018, a person must actively consent for their data to be processed and used by the actual company using it. This means that mailing list companies can no longer sell data that is “fully opted-in”. To opt in, people have to opt in directly with the company using the data. Unless your company name was mentioned when the person’s email address was collected, you can no longer rely on consent as a reason to process personal data.

But consent is not the only reason to process personal data. There are six lawful bases for processing data under GDPR legislation. You need to show compliance with one reason.

The most useful for business-to-business direct marketers and email marketers is known as Legitimate Interests.

Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.

Latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:

“the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.”

Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.

You need to carry out a simple legitimate interests assessment and document this assessment. Then update your Privacy Policy to state that you are relying on Legitimate Interests as a lawful basis on which to process personal data. And finally communicate that you are using Legitimate Interests to the people whose data you are processing.

Legitimate Interests is not a new concept, and data brokers and email list providers have generally always relied on legitimate interest as a basis for collecting and processing data. What is new is that GDPR requires us all to document how we are using data and to communicate this to users and data subjects, which, on balance, seems quite reasonable.

The new GDPR (General Data Protection Regulation) rules that if your mailing list is opt-in, consent to opt in to receive marketing communications must be “freely-given, specific, informed and unambiguous”.

The good news is that ICO guidance also states that:

“You don’t always need consent. If consent is too difficult look at whether another lawful basis is more appropriate.”

Credible list brokers and email database providers all build and maintain their lists on the lawful basis of “legitimate interest”. If you have a business interest in contacting a person, you may contact them without gaining their prior consent to do so. This applies across mailing, telemarketing and email, with some key restrictions.

NOTE: There are no restrictions on postal mailing. Direct marketing with envelopes and stamps is swinging back into fashion. It is expensive compared to email marketing but compares well with other forms of digital advertising.

Email marketing for business-to-business marketing is only restricted by your own list of individuals who have unsubscribed from receiving emails from your company.

This is a key point of difference from consumer email marketing, which definitely does require consent. The reason for the difference is that email marketing is governed by a different EU directive, known as the Privacy & Electronic Communications Regulations (PECR). PECR states that it is permitted to send emails offering business services to business people at their business email addresses, but if they ask you to stop emailing them, then you must remove them from your list and must not email them again.

So the bought B2C opt-in mailing list is dead. But email marketing for business-to-business communications lives on.

Let’s look in detail at this Lawful Basis For Processing Personal Data…

Consent is one of the six available lawful bases, but Legitimate Interests is a more suitable reason for B2B sales and marketing.

You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.

However, in order to be a legitimate interest, the direct marketing must be legal. As it is legal for businesses to market to individuals at other businesses by post, by email, by text and by phone (as long as the number is not registered with the CTPS), many businesses will be able to use legitimate interests as their basis for processing personal data for direct marketing purposes.

Here’s what you must do if you decide to use legitimate interests as your basis for processing personal data for direct marketing purposes:

As with much of the new Data Protection Regulation, much of the work that you need to do revolves around writing policy documents.

1. Carry out a legitimate interests assessment.
Assess each part of a three-part test and document the outcome so that you can demonstrate that legitimate interests apply. The three tests are:

Purpose test – is there a legitimate interest behind the processing? In the case of direct marketing, yes there is a legitimate interest for your business in using direct marketing in order to promote itself.

Necessity test – is the processing necessary for that purpose? You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose. In the case of direct marketing, yes, it is necessary to use direct marketing to promote your business.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? With regard to business-to-business marketing the Information Commissioner says: “business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally”. In the case of direct marketing and email marketing to business contacts, the legitimate interest is not overridden by the interests of the individual, who as a business person with decision-making and budgetary responsibilities can reasonably expect to be contacted with marketing material relating to his or her professional role.

You must carry out these assessments and document these three tests.

2. Update your privacy notice to clearly say that you are relying on legitimate interests as your lawful basis and say what your legitimate interests are.

3. Communicate that you are using legitimate interests as a reason to process personal data.

The Information Commissioner has not offered any guidance on what it would accept as sufficient communication to the data subject that you are relying on legitimate interest as a basis to process personal data, but an email with this updated privacy message in the footer should cover it:

“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a legitimate need for XXXXXXSERVICEXXXXXX within your business. From our research, or from information that you have provided, we have identified your email address: NAME@DOMAIN.COM as being the appropriate representative to address within the organisation. We have deemed this to represent legitimate interest in line with the ICO’s guidance.”

While the advice on this page does not represent legal advice, you can read the Information Commissioner’s guidance on legitimate interests in full on the ICO website.