GDPR – the impact on business

Now that 2017 is well under way, the question of what the impact of the General Data Protection Regulation will be when it comes into force in May 2018 suddenly seems to loom large for most businesses.

The ICO (Information Commissioner’s Office) is due to issue the next set of key guidance on consent and profiling in the coming weeks. This guidance on GDPR is eagerly anticipated by businesses who are feeling increasing uncertainty about what the impact of the General Data Protection Regulation will actually be in these areas.

The DMA have provided several guides and articles on GDPR, and their recent article (Dec 2016) seeks to clarify the rules for B2B Marketers:

“The only difference between B2C and B2B marketers now is in connection with email and text marketing to employees of corporate organisations. When dealing with sole traders or partnerships, the rules governing B2C marketing will apply to B2B marketers so the general position for email and sms will be that you will need opt-in consent. For telephone and direct mail, you need to offer an opt-out. When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same, opt-out. However when emailing or texting, you do not need the prior consent/opt-in from the individual. You can therefore send them a marketing email/text as long as you provide an easy way to opt-out of future communications from you.”

To be clear, the rules for email and text messaging are defined within PECR (the Privacy & Electronic Communications Regulations) – and these are currently being reviewed. The ability to opt out of future email or text communications must always be provided to corporate employees, as stated in the Data Protection Act; again this is not new. Marketing in the B2B sector continues to be about communicating information on products and services that are relevant to the recipient.

The key obligations under GDPR that businesses (and anyone who holds personal data) must adhere to relate to the collection and storage of personal data, the ability to provide clear evidence of consent, simplicity of opt out, the right to be forgotten, and an audit trail of where the data came from – which means for most businesses a review of their current processes and privacy statements.

As mentioned above, there are other changes afoot – the ePrivacy Directive, which forms PECR, is currently being reviewed and this may well have further impact on how B2B marketers communicate. There is a draft version of this and the aim is to have this agreed for May 2018 – given how long GDPR took, this might be a stretch!