Terrified of life after GDPR!

[AnnaLanz]

Hi folks.

I am a Recruitment Consultant of more than 25 years experience. Having always worked for small, privately owned agencies in London, (some excellent; some not so!) I decided to set up alone in July 2016. It’s been great so far but hard work obviously. I have some clients who have dealt with me for years and have remained loyal, but as they recruit one or two people a year I need to increase my client base. Whilst I don’t exactly ‘Spam’ people our industry depends on email marketing, be that of candidates or industry updates. I’m absolutely terrified now as I just cannot see how my business can survive!

All constructive advice gladly received!!
Anna

 

[Paul Murray]

The way I understand it is you can still send an unsolicited email to a business if what you are marketing is relevant to their business/industry and you give them the option of opting out, i.e. a 'soft opt-in'.

I've read various blog posts explaining this, though I've yet to find one that actually links to an ICO source. This is what the ICO has to say about B2B email marketing though:

Business-to-business texts and emails

142.These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.

143.However, it serves little purpose to send unsolicited marketing messages to those who have gone to the trouble of saying they do not want to receive them.

144.Corporate subscribers do not include sole traders and some partnerships who instead have the same protection as individual customers. If an organisation does not know whether a business customer is a corporate body or not, it cannot be sure which rules apply. Therefore we strongly recommend that organisations respect requests from any business not to email them.

145.In addition, many employees have personal corporate email addresses (eg [email protected]), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.

Taken from page 39 of https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf :

 

[Hitesh Mistry]

Hi Anna

How do you currently collect personal data? / Email addresses. I'm aware that recruitment is done cold (sometimes).

Ideally you'll get consent first before sending an emails which can easily be done - especially if via Social Media such as linkedin etc.

Hitesh

 

[AnnaLanz]

Thanks for this Paul. The information you supplied is interesting and made me breath a sigh of relief for one second! I

I have read and watched numerous email marketing/GDPR articles and many say you have to get consent before sending, especially if you have been clever enough to get their personal email address from the internet. If its a cold approach how can you get consent Hitesh? Im attending a seminar next week specifically for agencies and GDPR so will run this past them!

 

[AllUpHere]

I'd look at this from a different angle. Spend your time formulating a proper marketing plan and your current problem will simply disappear. It may be the norm to use cold mailing in your industry, but it's certainly not the best approach (or actually, even necessary).

 

[Simon Knights]

Is that not breach of PECR?, If people have not consented to receive marketing emails I don't believe you can send them. Details on the ICO website say the following:

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

• they have specifically consented to electronic mail from you; or
• they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

 

[fisicx]

IThe rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals....

Businesses are not individuals. You can send a marketing email to joe.bloggs at company.ltd but you can't send to joe.bloggs at hotmail.com

 

[Karimbo]

Nobody really pays attention to EU laws. Stick to UK laws. The stupid cookie law was so bad that small businesses just ignore it.

First they wanted a "without cookie" version of the site as an option. But all the big businesses said their websites just wouldn't work without it. Then it evolved into a notification where you have to click a button to accept cookies before entering the website. Now it's evolved down to just a notification. Completely pointless.

 

[thetiger2015]

Businesses are not individuals. You can send a marketing email to joe.bloggs at company.ltd but you can't send to joe.bloggs at hotmail.com

I don't believe you can. From what I've heard in various GDPR online conferences, that would be personally identifiable information e.g. [email protected] is a person, not a company. You can email [email protected] as that is generic but anything that identifies a person is covered by the new GDPR regulations.

You have to create a GDPR compliance document and understand where your personally identifiable information is stored e.g. MailChimp/3rd Party Server/Hosting provider (for eCommerce).

For us, it's a headache. We send emails to tens of thousands of people who have subscribed to our membership club but from May, we have to be able to prove that each person opted in, when they opted in, which emails they have opted to receive and proof that all emails contain an easy way to unsubscribe (they do already) but that when people to ask to unsubscribe, they can ask to be removed from ALL marketing...remarketing...emails..postal mail...personalised advertising...tracking cookies that carry personal data....every crumb must be deleted!

The problem has been the utter confusion around this. One minute it's another 'cookie law' that everyone has been ignoring but in the last few weeks it's turned in to armageddon, where people MAY receive fines for inadvertently spamming people on an old data list that they've never had a problem with in the past.

 

[thetiger2015]

Nobody really pays attention to EU laws. Stick to UK laws. The stupid cookie law was so bad that small businesses just ignore it.

This is going to be UK law...even after Brexit. They're just going to copy and paste it under a UK headline, rather than an EU one.

Any company that deals with EU subjects must conform to this. US and Canadian data companies are now working toward full GDPR compliance for dealing with UK ecommerce companies.

 

[Hitesh Mistry]

Thanks for this Paul. The information you supplied is interesting and made me breath a sigh of relief for one second! I

I have read and watched numerous email marketing/GDPR articles and many say you have to get consent before sending, especially if you have been clever enough to get their personal email address from the internet. If its a cold approach how can you get consent Hitesh? Im attending a seminar next week specifically for agencies and GDPR so will run this past them!

Typically I get approached on LinkedIn first in regards to a role or recruitment services. I was suggesting that you obtain consent at that point via an online form for example.

 

[fisicx]

[email protected] is a person, not a company.

Unless joe.bloggs at company.com is published on the website as a contact address. That would make the email the property of the business not joe bloggs.

 

[ffox]

Unless joe.bloggs at company.com is published on the website as a contact address. That would make the email the property of the business not joe bloggs.

Sorry @fisicx , but the currently enforceable PECR rules state -

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

• they have specifically consented to electronic mail from you; or
• they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

See - https://ico.org.uk/for-organisation...elephone-marketing/electronic-mail-marketing/

There is no distinction regarding how the email address is displayed on corporate advertising including websites.

Under the existing PECR regulation anyone trawling the internet for email addresses and using them for marketing can find themselves liable for legal acted.

Hope this helps.

 

[fisicx]

However, if joe.bloggs published their email address on the website as the primary contact then you would probably be ok in sending a marketing email. I’ve sent an email to the ICO asking for clarification.

 

[Simon Knights]

Do you mean someone has published their email address on your website and you take that as consent and send them marketing emails? or you have taken their email address from a website they have published it on? Either way I believe you need to consider what would stand up in court as consent. From what I have seen from PECR and GDPR seminars, unless the data subject has specifically checked a box providing consent or something similar it could be tough to prove. That's just my thoughts though.

 

[TODonnell]

To: Anna

Isn't the way to get more clients is to see who's advertising on sites like Indeed, then think up a way of getting through to the actual company which wants new recruits e.g. search for the same phrases in other postings online.

Mere emails, with no prior notification, will be binned. You might also get on a spam blacklist if you do enough of them.

I would look at ads in the niche I'm interested in, backtrack to the actual company, then call them to find out who I should really contact.

Do 100, and see what % actually results in a sale.

 

[ffox]

However, if joe.bloggs published their email address on the website as the primary contact then you would probably be ok in sending a marketing email. I’ve sent an email to the ICO asking for clarification.

When a business publishes an individual's email address on a web site it is almost invariably meant to invite potential customers to make contact and not to invite unknown sales people to attempt to sell.

Even so, how long before all those individual email addresses get changed to more generic info@, admin@ addresses?

PECR has been around since 2003 and there is still confusion surrounding what is and what is not acceptable. When GDPR comes in May 2018 there may well be a flurry of new actions, but much will depend on what the regulators and law courts decide.

As I wouldn't want myself of my customers to become a 'test case' I tend towards sticking to the letter of the regs. That wouldn't do for everyone though as there are many who make their living by, or depend greatly, on cold calling and cold emailing.

 

[fisicx]

Do you mean someone has published their email address on your website and you take that as consent and send them marketing emails?

No. What I mean is a company has a website and on their contact page has an email address: joe.bloggs at company.ltd. There is nothing to suggest joe bloggs is even a real person - they could be some who left the company years ago and it's now just used at the primary email account.

On one of my websites the email address is mail at mywebsite.com. It doesn't have a name but it still ends up in my email client.

If an email address is published on a business website does GDPR suggest you cannot ever send marketing material until consent has been granted? Would it mean HMRC can never send anything to finance at somthing.com until they get consent? Or the parcel force send details about a new scheme to post at thing.com? You cannot rely on the name part of the email address being a person or a mailbox.

 

[ffox]

If an email address is published on a business website does GDPR suggest you cannot ever send marketing material until consent has been granted? Would it mean HMRC can never send anything to finance at somthing.com until they get consent? Or the parcel force send details about a new scheme to post at thing.com? You cannot rely on the name part of the email address being a person or a mailbox.

No. Under these circumstances the Lawful Basis for Processing would not be Consent. In the case of HMRC it would probably be Legal Obligation or Vital Interest.

 

[cjd]

No fisicx, just because someone foolishly put their personal email address on a website doesn't give you the right to spam him.

It's best to stop looking for loopholes and start trying to work within the spirit of the regulations. You either need specific and provable consent or to have a custome/client relationship. Once that relationship ends, you must assume the consent has ended or specifically ask for it to continue.

 

[MCL]

From what has been written in this thread, and from what I have read elsewhere, I understand that in order to send marketing emails to an individual, you either need consent or you need to have established a customer/client relationship, but can anybody direct me to an ICO document that details this? Many thanks.

 

[Businessquotes]

Hi
Email marketing will definitely be risky under GDPR, even in the B2B arena. Especially if you can't prove consent or legitimate interests or one of the other bases under which you can store/use personal data. There is a lack of guidance from the regulators when it comes to specifics on B2B and the rules don't help those with data trails specific to their industry. There's also a lot of panicking by people because of this lack of clarity. The endless experts that have appeared can therefore only offer guidance and not fact. In your case I'd advise revising how you network - despite GDPR cold email is one of the most fruitless activities you can do with typical response rates of less than 1%.

 

[fisicx]

There is a lack of guidance from the regulators when it comes to specifics on B2B.

Actually there is a lot of good guidance form the ICO. for example:

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

https://ico.org.uk/media/for-organi...neral-data-protection-regulation-gdpr-1-0.pdf

 

[Paul Carmen]

We are working with several online clients on this process and are helping as much as possible about opt in, simple unsubscribe processes, being able to prove consent to marketing, privacy and cookie policies etc.

The big grey area appears to be outreach and the expectation that cold calls and emails will go away: -

• The GDPR industry that's sprung up appears to say no you can't do it, as you don't have consent.
• I've spoken to a few companies and seen several articles quoting EU GDPR sections around the whole "Legitimate interests" area, which essentially balances an individual or companies rights to carry out trade against causing "cause unjustified harm" to the 3rd party/individual.

This seems ripe for abuse, or a court case deciding the outcome at some point in the future. As essentially as long as you've carried out an LIA, then companies may well continue with outreach.

What are your thoughts and why, is this going to be another Cookie policy that ends up changing nothing?

 

[fisicx]

I've spoken to a few companies and seen several articles quoting EU GDPR sections around the whole "Legitimate interests" area, which essentially balances an individual or companies rights to carry out trade against causing "cause unjustified harm" to the 3rd party/individual.

The legitimate interest is the one that's going to cause the most controversy. If I sell widgets then a legitimate interest would be for a widget supplier to make contact. A courier company offering to reduce my costs might be legitimate interest but it's a bit iffy. An SEO company offering to improve my ranking wouldn't be legitimate interest in any shape or form.

 

[Paul Carmen]

@fisicx I agree, but I'm not sure I agree about the SEO company bit. On the basis that I've seen this argument made the other way around by a legal firm arguing that anything in "your legitimate interest" that could be of interest to a 3rd party is legitimate (your example of SEO could be of interest to them). They based this on the EU GDPR details below: -

• The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

 

[fisicx]

Which could mean my widget seller being sent an marketing email for nappies because it's in the legitimate interest of the supplier. If this is the case then it makes the whole thing a waste of time.

 

[ffox]

but can anybody direct me to an ICO document that details this? Many thanks.

Sure. But it is not in the GDPR regulations, it is in the PECR regulations -
https://ico.org.uk/for-organisation...elephone-marketing/electronic-mail-marketing/

Where it states -
The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:

• they have specifically consented to electronic mail from you; or
• they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.

The PECR regulations are not 'coming soon', they are here now and they are currently enforceable.

GDPR regulations cover the holding and processing of data, which includes processing for the purposes of marketing, PECR regulations cover Privacy and Electronic Communication.

PECR is NOT superseded by GDPR. It sits along side the current Data Protection laws and will, after May 2018, sit alongside GDPR. The two need to be read and complied with together.

 

[cjd]

Which could mean my widget seller being sent an marketing email for nappies because it's in the legitimate interest of the supplier. If this is the case then it makes the whole thing a waste of time.

You're still trying to find a loophole - you really do need to stop trying.

The reason I say this is that if you've got a list of 10,000 names that you got from god knows where and you spam them all, you're guaranteed to get some that didn't want it and amongst them will be one egit that knows his rights and reports you to the ICO.
JUST BECAUSE HE CAN.

You then have to prove that you comply. If you can't you're in trouble. The penalties for non-compliance are high - they probably won't be pursued too strongly initially but the real sanction isn't the fine, it's a block on you processing data - any data. Which closes your business.

Just do it properly.

 

[fisicx]

You're still trying to find a loophole - you really do need to stop trying.

I'm not trying to find a loophole. It's other's who will be trying to do this.

I'm busy expunging all sorts of things and updating my plugins to help those using them to be compliant.

 

[Alan]

to individuals

A key word here, data protection applies to individuals.not businesses. What starts to get complex is where an individual trader has an email address [email protected] - can that be considered an individual? Yes / maybe. Whereas [email protected] is clearly not an individual.

 

[ffox]

A key word here, data protection applies to individuals.not businesses.

Not really @Alan . PECR regulations state -

"PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.

You will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you."

Lots of business are being advised to use generic addresses - info@, admin@ etc and tie them back to individuals in a separate and Independant link list. But, the practice is 'iffy' at best and risky in general.

The key phrase is 'unsolicited marketing...'. If the subject has responded to your advertising, web site, blog, or whatever, you are okay. If not - forget it.

One of the main aims of the new regulations, GDPR and PECR, is to force business to look at what data they collect, keep and process (including marketing) and document what they have, why they have it and what their policies regarding data use and retention are. Effectively this means that every contact must be reviewed, categorised and controlled.