Compliance Questions B2B

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by DeveloperPerson, Dec 19, 2017.

  1. DeveloperPerson

    DeveloperPerson UKBF Newcomer Free Member

    5 0
    Hi all, I hope I'm posting in the right area.

    We're trying to conform with the new GDPR legislation in time. While we follow basic principles, I'm a little confused about a few things and haven't got a response from the ICO. I apologise in advance for all of the questions, but it's important to me that we get this right and conform properly. I really appreciate any advice you can give.

    1. Cold calling, we can still do this by acquiring names/telephone numbers/email addresses from business websites? I only ask because the legislation states that we should now expect users to explicitly opt in to marketing. With this being business to business only, is it OK? I thought at the end of a cold call or email, we could ask the question of "is it OK if I schedule a callback or a time to email you in X amount of time?" and on our system to have a checkbox to say they opted out. Would this be OK?

    2. There should be a way for customers to opt out e.g. a link in an email, this is still acceptable? What if they are an existing customer?

    3. The TPS, should we still use this for B2B? We haven't used it before but I'm sure I could integrate this into our systems.

    4. Old records, whilst old data is not of much use to us, there still needs to be something for us to go back to with regards to sales/invoicing etc. Are we still OK to hold all basic contact info?

    5. Opting out of future communications, am I correct in thinking if we're chasing a debt that this is OK even if they opted out because of a contract they entered into?
     
    Posted: Dec 19, 2017 By: DeveloperPerson Member since: Dec 19, 2017
    #1
  2. Jason Edge

    Jason Edge UKBF Contributor Full Member

    50 3
    There does seem to be a lot of uncertainty around GDPR but I think the focus is on what data you are holding and why you are holding it.
    1. I would have thought that there would be no issue in using contact details published on a website as they are there for the purpose of enabling contact.
    2. I think that the emphasis is on opting in rather than opting out, I don't think that you can assume that it is ok until you hear otherwise under GDPR
    3. If you have acquired a data list then it is worth checking against the TPS and CTPS
    4. If you genuinely need the old data and can demonstrate why then you might be ok but it might be an opportunity to get in touch with old clients to see if you really do need it. Most databases are full of data you'll never use again anyway so you could have a clear out.
    5. Opt outs usually refer to marketing rather than genuine communications about an ongoing business arrangement like an unpaid debt
     
    Posted: Dec 19, 2017 By: Jason Edge Member since: Dec 19, 2017
    #2
  3. DeveloperPerson

    DeveloperPerson UKBF Newcomer Free Member

    5 0
    Thanks that makes sense. So business-wise, if we cold contact a business who then become a customer, where do we stand from a marketing point of view? Our business is newspaper advertising, would it be classed as marketing if we scheduled a call-back for advertising in the next edition of a newspaper for example, or would that be classed as communication between clients and therefore wouldn't need to offer the opt-out?

    Further, if we cold contact a business who doesn't reply, they haven't explicitly opted in. As long as there is way for them to opt out, are we free to contact them again?

    Thanks again.
     
    Posted: Dec 19, 2017 By: DeveloperPerson Member since: Dec 19, 2017
    #3
  4. Jason Edge

    Jason Edge UKBF Contributor Full Member

    50 3
    Continuing to give people the opportunity to opt out is probably good practice. In your line of business I assume that it is a bit of a numbers game but I'm guessing if people don't respond to you after a couple of attempts then the likelihood that they ever will is quite small so probably worth not holding on to their data.
     
    Posted: Dec 28, 2017 By: Jason Edge Member since: Dec 19, 2017
    #4
  5. ffox

    ffox UKBF Regular Free Member

    1,125 193
    Posted: Dec 28, 2017 By: ffox Member since: Mar 11, 2004
    #5
  6. deMesquita

    deMesquita UKBF Newcomer Free Member

    4 2
    This is clarified under the ePrivacy act (extract and link below). The 2 regulations are interlinked and the ePrivacy was updated to conform with GDPR and will also come into effect on the 25th of May 2018.

    I currently blog weekly about the topic about items to be taken into consideration. You've just given me my topic for next week :) Feel free to have a look coffeeandprocess

    Extract from regulation (Link is messy and I'm not allowed to post links yet sorry)

    Article 16

    Unsolicited communications


    1. Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.


    2. Where a natural or legal person obtains electronic contact details for electronic mail from its customer, in the context of the sale of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.

    3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall:
    (a) present the identity of a line on which they can be contacted; or
    (b) present a specific code/or prefix identifying the fact that the call is a marketing call.

    4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of end-users who are natural persons who have not expressed their objection to receiving those communications.
     
    Posted: Jan 5, 2018 By: deMesquita Member since: Jan 5, 2018
    #6
  7. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    10 6
    Agree with deMesquita generally - however ePrivacy will almost certainly not enter force on 25th May 2018 - it was due to do so, but is still only in draft form and is likely to be 6-12 months late. Assume the end of the year.
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #7
  8. DeveloperPerson

    DeveloperPerson UKBF Newcomer Free Member

    5 0
    Thanks all.

    From what I can gather, we're OK to use a soft opt-in approach with businesses and can cold call if we are offering a service that they may genuinely be interested in which in our case I would say counts for anybody we contact. We need to provide a way to opt-out. To do this, we're adding unsubscribes to our newsletters and asking at the end of each call if it's OK for us to schedule a call-back as our basis for ongoing consent.
     
    Posted: Jan 12, 2018 By: DeveloperPerson Member since: Dec 19, 2017
    #8
  9. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    10 6
    Hmm several points there . .
    1. try to avoid phrases like soft opt-in - they are confusing - either use "consent" or something else.
    2. You seem to suggest you are calling - if so, even after ePrivacy arrives, so long as you screen against TPS & CTPS, "Yes" you can cold call. Do respect people's wishes to stop though.
    3. You may have misunderstood the Legitimate Interest basis for processing - it's not referring to their interest in you - it's about YOUR legitimate interest (marketing and finding new clients is your interest, and in so far as you are not selling illegal stuff, it's legitimate). But you must conduct the Legitimate Interest Assessment too before you start processing on this basis.
    4. Adding unsubscribes to newsletters (assuming they are emailed) is going to be inadequate when ePrivacy arrives - if emailing you will need CONSENT. Full, proper GDPR calibre, provable, CONSENT or no emailing to people . . . unless they are existing customers with whom you have a contract.
    Hope this helps
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #9
  10. DeveloperPerson

    DeveloperPerson UKBF Newcomer Free Member

    5 0
    Thanks for the added pointers.

    We don't send newsletters, we email individually to existing clients and to email addresses that are on business websites to pitch for new business (newspaper advertising). It was this that I read that made me think we can use a soft approach to consent:

    And from the ICO website:
    Sorry I would normally link to the article but I don't have enough posts to put a link in.
     
    Posted: Jan 12, 2018 By: DeveloperPerson Member since: Dec 19, 2017
    #10
  11. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    10 6
    Hi
    It's a minefield isn't it! :) Even sending 1 email is processing and you need to consider it - (I would add that the email addresses on websites were probably not put there to enable you to send them advertising, but rather for you to contact them about THEIR services - accordingly you are not gaining the data fairly) However that is a second issue . . .
    PECR is being replaced sometime over the next year - PECR does permit B2B emailing on an opt-out basis (it wasn't meant to, but it kind-of does) so for the next year you are OK to do as you describe.
    Once ePrivacy arrives that won't be good enough though. I should emphasise that there is no such thing as a soft approach to consent - Consent is either real GDPR consent or invalid. There is however the chance to send emails on the basis of fulfilling a contract, and you might be able to argue that with your clients you are doing this. Definitely not with the random folks you found elsewhere though.
    You probably need to call them (after TPS / CTPS screening the phone numbers), gain their consent properly, and only then commence emailing. Very expensive, so target well.
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #11
  12. DeveloperPerson

    DeveloperPerson UKBF Newcomer Free Member

    5 0
    Thanks again, it's making me wonder how business will ever take place adhering to everything.

    Anyway, what you've just said about ePrivacy, I did a quick search and found this:

    This is from an article on DMA dated 10th Jan 2018. Sorry, I can't add hyperlinks yet. The article is titled "Worst ePrivacy B2B Fears Averted" if that's any help.

    The article goes on to say:
    We have never followed anything or had any policies in place. We're a good family run company and don't use any sketchy practices, but wow getting my head into it is really giving me a headache.
     
    Posted: Jan 12, 2018 By: DeveloperPerson Member since: Dec 19, 2017
    #12
  13. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    10 6
    I am sorry to be the bearer of bad news . . but . . the DMA article is 10th Jan 2017, not 2018 and I'm afraid it isn't still the case. It is still not in final form (and it might never happen at all) but it is clear that the draft definitely intends to prevent all email prospecting without Consent.
    You can download the current version from me on my dept679(dot)com (in the about section)

    As an aside, I have done 40 or so YouTube videos about GDPR - search "Corpdata" & "GDPR" in YouTube and you should find them all if they are of any help.
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #13
  14. ffox

    ffox UKBF Regular Free Member

    1,125 193
    The proposals are not so much a minefield. The rules are there to be read and my reading of them is that almost all cold calling and email marketing is about to be outlawed. It seems though, that the main concern business has right now is asking the question '...how can I get round it?'.
    The answer that I can see is that the only way to continue cold calling etc. is to ignore the regulations and risk heavy penalties.

    It will be interesting to see how heavily it is enforced. I understand that HM Gov have already started the process of building the inspectorate.

    But, marketing is only one aspect. What will most businesses do when an audit shows that they have names, email addresses and physical addresses all over their computer systems? Some in address books, some in spreadsheets, some in word processor documents and some in databases.
    How many businesses run systems where they can check what data they have, locate the data on demand and either redact or delete it as required?
     
    Posted: Jan 12, 2018 By: ffox Member since: Mar 11, 2004
    #14
  15. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    10 6
    I agree wholeheartedly that one should not be looking to sidestep, but instead to comply . . . the rules are there for a reason, and to be honest the world needs to do this type of thing better.

    I should just say however, that the ePrivacy (draft) regulation gives a national derogation to operate voice calls differently i.e. manage it on an opt-out basis using TPS & CTPS. This is the likely outcome here in the UK, so cold calling / telephone selling is likely to be OK so long as the preference files are regularly re-screened.
     
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #15
  16. mel laz

    mel laz UKBF Newcomer Free Member

    1 0
    Hello, can someone clarify this for me?

    I want to start a B2B email list. Is it ok under GDPR to send an initial email to companies listed in the Yellow Pages so that I can follow up with those who express interest in our product/services?

    Thank you!!
     
    Posted: Jan 29, 2018 By: mel laz Member since: Jan 29, 2018
    #16
  17. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    10 6
    Probably better to create that interest and get consent via the phone rather than by email (screen against TPS / CTPS before calling). Technically YES you could do as you describe for now - but . . .
    1. Once ePrivacy arrives it is likely that it wouldn't be OK and you will need consent
    2. Some people will complain (you are legally OK, but they are confused by vague reporting)
    3. In the future, the data you have gathered might not be able to fulfill the requirements for consent, and so might be worthless. Hence - better to ask consent on the phone at stage 1.
    4. If you have to change your process and even your business model - might be better to do it sooner rather than later.
    All of the above is only true for Ltd / PLCs - not for sole traders / partnerships - for those you can't send the initial email without consent even now.

    Hope that helps
     
    Posted: Jan 29, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #17