The Impact of GDPR on B2B Email Outreach
Businesses have been reminiscing about the good old days of marketing and advertising when life was more straightforward. We’re talkin’ about the pre-GDPR days.
GDPR made its mark in May 2018, and along with it, a series of new rules and regulations came about. For those who aren’t fully aware, GDPR is a regulation adopted to strengthen and standardize the data protection rights of EU citizens.
In short and plain language, it gives people of the EU more rights over how their personal information is processed by businesses and other entities. Unfortunately, for many businesses, especially those outside of the EU, uncertainty around rules and regulations continues to be the dominant theme. As a result, most businesses, especially those based in North America, struggle to understand if and how GDPR applies.
This uncertainty has led many to take a wait-and-see approach before committing their resources toward compliance initiatives. But in recent years, fines faced by businesses like WhatsApp, Amazon, and Facebook have surfaced, causing people to finally take email compliance more seriously. A better alternative to the wait-and-see approach, in our opinion, is to have a broad understanding of GDPR so you can begin thinking about how to implement better controls to lower your risk of non-compliance.
Best place to start? Well, of course, this blog post. We'll explore the implications of the GDPR for B2B businesses and offer some tips to help you move closer to an optimal state of compliance.
The GDPR gray area
Until GDPR, personal data for marketing and advertising depended on national law. Laws would either prohibit certain activities or leave them open to interpretation.
That resulted in a lot of gray area - which was actually a pretty good thing…for a while.
That's because laws and policies are much slower to change than the spread of technology. As a result, marketing and sales teams were able to embrace the digital shift, swapping cold calls and direct mail for email outreach as the channel of choice. And why wouldn't they? The B2B buyer is spending most of their time in their inbox. Email is the best tool to communicate targeted and personalized messages at scale with readily available customer data.
Besides that, new technology solutions have made it a breeze to collect a vast amount of personal data and, in some instances, provide a sheer bottomless keg of valuable leads. And that's where things get a little complicated.
If your business engages in any form of email marketing and email outreach, by law, you are required to maintain your customer data. In addition, under GDPR, most businesses are obligated to follow new standards for collecting, storing, and using personal data. For example, if your business interacts with EU citizens, you're likely already familiar with GDPR and have been working to ensure that you move towards a state of compliance. But don't forget, even if your business doesn't have any European customers or contacts, the GDPR may apply to you.
So, let's keep moving forward, shall we?
The following section will discuss the basic requirements needed to comply with GDPR, specifically the data processing agreements — what they are and why you'll need to have them.
Every company collects and processes personal data. That data could be name, address, telephone, email address, photos, gender, etc. And virtually every company in the modern world relies on third-party solutions or vendors to process their customers' personal data - an example of that could be an email client, a cloud storage service, or marketing automation platforms like HubSpot or Mailchimp, or a CMS like Salesforce.
Under the GDPR, a company must have a written data processing agreement with its data processors.
What is a Data Processing Agreement?
A data processing agreement basically regulates the transfer of personal data and authorizes the service provider to receive and process recipient data for the agreed purpose. The content of this processing agreement should comply with the data protection requirements and legal provisions. This agreement alone is the bare minimum requirement for all who use a 3rd party to store, analyze or communicate personal information.
Article 28 of the GDPR covers data processing agreements under Section 3:
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
What is a Data Subject Access Request?
In addition to data processing agreements, the GDPR mandates rules and regulations for archiving and storing personal data. For example, all B2B companies must provide information if their recipient wants to know what data is held about them ("Data Subject Access Request").
This fundamental right allows the general public to know precisely what kind of information your company knows about them and how you intend to use that information. Any person can submit a data subject access request (DSAR) to your company, and once received, you must provide that information.
Article 15 of the GDPR covers the data subject's right of access under Section 1:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.
Let's talk about B2B email and what to look out for
Once you've got the basics nailed down, you'll want to follow best practices, mainly in how you engage over email. Your company relies on email to connect with clients, partners, and other contacts. But how will GDPR impact your ability to send out email communications?
Best practices for building trust & transparency
Double Opt-In: Legally, anyone who wants to send a promotional email needs the recipient's consent. This should be obtained via a double opt-in (DOI) mechanism to be on the safe side.
In a double-opt-in process, your recipient actively confirms their email address in their own inbox. This is the only way to prove consent at a later date. Incidentally, the opt-in email must not yet contain any advertising. The only exception is if a business relationship already exists and your recipient has not objected to receiving emails from the provider.
Managing Consent: If you genuinely want to go above and beyond and future-proof your email compliance efforts, you should regularly ask your customers for consent. That means having an active email preference center that allows customers to update their preferences and details of what communications they've opted into.
Let's break down an example. A construction machinery manufacturer sells excavators and cranes. The company offers a newsletter for both product lines.
If a recipient is interested in learning more about excavators, they will subscribe to the excavators mailing list, but this subscription should not automatically be applied to the crane newsletter. A separate consent for the crane newsletter is necessary. If that recipient wants to opt out of the newsletter down the road, they should not have to jump through hoops.
Withdrawing Consent: You've got to make it easy for people to withdraw consent—and show them how to do it. So in the footer of every email leaving Opensense, we include an option for recipients to opt out of our communications.
Adding an easy and clear unsubscribe link to your marketing and one-to-one emails can help you move closer to an optimal state of compliance with email spam laws, including GDPR, CASL, CCPA, and more. It's also good practice. By making it easy for your customers, prospects, and general email recipients to unsubscribe, you respect their right to privacy and choice. Without it, you risk experiencing issues with email deliverability, spam reports, and frustrated contacts.
Take a proactive step to email compliance.
Recent headlines about data and privacy infractions from some of the biggest brands in the world have led to growing consumer sensitivity to data protection and fear of data misuse.
Yet, most customers continue to unknowingly disclose their data, while others no longer remember giving consent in the first place. And so, there is an opportunity for customers and businesses to both gain something from GDPR. Customers gain more control over the use of their data. Businesses gain a chance to set an example by showing that they're willing to take the necessary steps to demonstrate to customers that they value their privacy. This alone has a positive effect on a long-term trust-based customer relationship. Taking a proactive step to email compliance and parting with the good old days' mindset can help businesses reap the rewards of compliance much sooner than those who don't.
Are you concerned about GDPR and email compliance in 2022?
We're here to help! At Opensense, we're on a mission to help businesses comply with their corporate email in style. We enable sales, marketing, and privacy teams to take control of their corporate email channel and ensure all employees are compliant with their communications.
Get in touch with Opensense to see how we can enforce universal email compliance across regions.