GDPR Compliant Data
Marketscan holds one of the largest, legally-compliant data feeds in the UK.
What does the UK GDPR and DPA 2018 mean?
The Data Protection Act 2018 (DPA 2018) is the UK’s implementation of the General Data Protection Regulation (UK GDPR) and came into force on 25th May 2018.
The DPA 2018 sets out the framework for data protection law in the UK and sits alongside, and supplements, the UK GDPR – for example by providing exemptions.
The UK GDPR is a UK law which came into effect on 1st January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK. It is based on the EU GDPR which applied in the UK before that date, with changes to make it work more effectively in a UK context.
How will UK GDPR affect my business?
The UK GDPR applies to organisations processing and holding personal data within the UK. You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe or monitor the behaviour of individuals in Europe.
Personal data means any information that can be used to directly or indirectly identify the person. This could be anything from a name, computer IP address, bank details or location data.
Depending on the severity of non-compliance, the Information Commissioner’s Office can impose fines of up to £17.8m or 4% of global turnover – whichever is greater – for infringements. Importantly these rules apply to both controllers and processors.
Who can I call?
You can cold call corporates and sole traders/partnerships provided the telephone numbers have been suppressed against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) registers every 28 days as well as any in-house suppression files you hold. You must always offer them the opportunity to opt out of future calls.
Our online Telephone Checker can flag your data for matches against TPS and CTPS.
Who can I mail by post?
You can send postal mailings to corporates and sole traders/partnerships. There is a misconception that postal mailings to businesses (including sole traders and partnerships) must be matched against the Mailing Preference Service. They don’t, just ensure the data has been matched against any in-house suppression files you hold.
Who can I email?
Email marketing is currently governed by the Privacy and Electronics Communications Regulations (PECR). The UK GDPR still applies as it covers the processing of personal data in a general sense (note PECR is due to be replaced by the ePrivacy Regulation but this has been delayed and there is no date yet as to when this is likely to happen).
Licensed (bought-in) data
An email address at work is personal data, whether that email address is a corporate one or that of an employee of a sole trader/partnership. The UK GDPR applies to the processing of the email address. The difference between sole traders/partnerships and corporates comes when you look at PECR.
PECR deals with gaining permission to send marketing by email. The general rule is that you must gain prior consent to send a marketing email. However, in a B2B environment, there is an exemption for employees of corporates, and you can send a marketing email to these individuals without their prior consent.
Confusion often arises over the meaning of B2B marketing in relation to email campaigns. In an email environment, B2B marketing does not include sole traders and partnerships. You need to gain consent for your organisation and your products/services in order to email sole traders and partnerships, as these are treated in the same way as consumers. Be very careful not to get caught out by this when licensing third party data by making sure your supplier is only providing emails for B2B marketing.
In summary, email addresses of corporate employees can be licensed for third party email campaigns. Legitimate interests can be used to process this personal data as long as all the following criteria are fulfilled:
- A corporate is defined as a limited company, public limited company, limited liability partnership or government departments and can be emailed without prior consent (eg. email@example.com).
- Employees of corporates must be given the option to easily unsubscribe or opt-out from receiving email marketing.
- The product or service being promoted can be purchased by the recipient in a professional capacity.
- The sender must identify itself and provide contact details.
Marketscan holds one of the largest, legally-compliant email feeds in the UK. The emails supplied by Marketscan for third party direct marketing are all corporate emails and meet the requirements of the UK GDPR.
1) Corporate bodies
Any existing customer OR prospect that is a corporate body (a limited company, public limited company, limited liability partnership or government departments) could be emailed using the legitimate interest route.
When emailing a corporate, you must a) give them the option to easily unsubscribe from receiving further communications, b) the product or service being promoted must be able to be purchased by the recipient in a professional capacity and c) you must identify your company and provide contact details.
It is also good practice, and good business sense, to keep a ‘do not email’ list of any businesses that object or opt out and screen any new marketing lists against it.
Further guidance on legitimate interest and whether it’s right for your business can be found on the ICO’s website.
2) Sole traders and partnerships
There are 2 options for emailing sole traders and partnerships (ie. a non-corporate body):
- A) You can email existing customers if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance. This is known as the ‘soft opt-in’ but does not apply to non-commercial promotions (eg. charity fundraising or political campaigning). You must include an opt-out or unsubscribe option in each message and you must identify your company and provide contact details.
- B) You can email existing customers OR prospects if they have specifically consented to receiving emails from you – for example, by ticking an opt-in box. You must include an opt-out or unsubscribe option in each message and you must identify your company and provide contact details.