As a lead generation, email marketing and data processing service provider, Growthonics has prepared for the GDPR changes of May 2018 and has taken steps to ensure that both we and our clients are fully compliant.
There is an abundance of material already online about GDPR, and so this article will focus on how the legislation affects Growthonics and our clients, and what steps we are taking to ensure that our processes conform to the new regulations.
The European Union’s new privacy law, the General Data Protection Regulation (GDPR), comes into effect on 25 May 2018. Companies need to meet the new standards it sets for privacy and security or face substantial fines.
The new regulations seek to enforce accountability of data controllers and data processors for their practices – meaning companies will now have to demonstrate how and why they have collected data, that they have processed it lawfully, and that they have stored it securely.
I will briefly outline what is meant by ‘Data Controller’ and ‘Data Processor’ in relation to our practices and our client relationships:
A Data Controller “determines the purposes and means of the processing of personal data”, which means anyone collecting data and deciding how it will be processed. All companies in the EU that hold even basic information about their own employees fall under this category; in your relationship with Growthonics, you will also be categorised as a Data Controller.
A Data Processor “processes personal data on behalf of the controller”, which means any third party gathering or processing information on behalf of the data controller. Growthonics falls into this category when doing lead research or processing data on behalf of our clients.
The GDPR will come into force before the UK leaves the EU, meaning these regulations will affect British businesses and our privacy practices long before Brexit takes effect. In addition, a British Data Protection Bill is currently passing through Parliament and is expected to come into effect in 2018; it will carry the obligations under the GDPR into domestic legislation.
As providers of both lead generation and email marketing services, Growthonics has taken steps to ensure that our processes are compliant with the changing regulations.
While the GDPR does not make specific distinctions between B2B and B2C companies, the Privacy and Electronic Communications Regulations (PECR) of 2003 do make this distinction. With a lot still left unclear by the GDPR, PECR offers useful distinctions between business and individual data processing for B2B salespeople and marketers. Be aware, however, that PECR will also be updated (most likely within the year), so we will keep you informed of any developments.
The email marketing and lead generation service that we provide comes under the PECR’s definition of electronic marketing.
According to PECR, if you are marketing to individuals (and that is the key distinction here) and you don’t have a pre-existing business relationship with them, then you need their consent. The GDPR demands a hard opt-in in these cases: unambiguous consent given through an affirmative action. B2C companies sell to individuals, and therefore must be able to demonstrate clear and active consent to contact them.
However, if you are marketing to businesses, provided you are contacting business email addresses and not sole traders, a soft opt-in (which the GDPR rules out for individuals) still works, as long as contacts have the ability to opt out easily at any time.
* With existing customers, provided there was an opportunity to opt-in to marketing information, you can market future products to them on the basis of your existing relationship.
Growthonics already provides a clear opt-out in any emails we send on our own behalf or on behalf of our clients. Whether you are contacting individuals or businesses, this is the critical step to ensure compliance when sending your own email campaigns in-house.
Because we only send B2B sales and marketing communications to businesses, not sole traders or individuals, we and our clients do not need GDPR-level consent (yet). We also have a legitimate interest in contacting the recipients of our campaigns, which is one of the six lawful bases the GDPR gives for processing a subject’s data. The GDPR specifically mentions direct marketing as a possible legitimate interest, so our email campaigns, for example, would fall under this.
Key to note with legitimate interest is that you must have a clear idea of why your interest is legitimate (the ICO’s ‘Purpose Test’), why it requires the processing of personal data (the ICO’s ‘Necessity Test’), and whether that interest outweighs the individual’s right to privacy (the ICO’s ‘Balancing Test’).
This is a difficult task without much precedent for companies, which is why PECR’s distinction between business and individual data is so vital.
We build and verify lists for ourselves and for our clients, which means we can ensure compliance at every step of the process and collect only the relevant and necessary data. By relevant and necessary we mean the data needed for our own or our client’s legitimate interests, which according to GDPR Recital 47 include direct marketing.
As the data Growthonics collects is both public and B2B, GDPR consent (a hard opt-in) is not legally required as long as a clear opt-out is provided (although, again, this may change when the replacement for PECR is passed). Any data collected outside of these explicit reasons will require lawful and informed consent from the data subject.
Growthonics will be transparent about our collection and use of any data, and will provide a detailed record of the means of and reasons for collection to any customer exercising their right of access to their data.
Because we build our lists from scratch for each of our clients, we are able to provide accurate records of how a lead has been collected, why it has been processed (legitimate interest or consent) and how long we have held it for. We will also ensure data is immediately deleted on request of any of our contacts.
Growthonics will ensure appropriate security for any data collected and stored for our own sales purposes or for our client services, with strong password protection, access controls and industry-standard technical security measures. Further to this, we will only use GDPR-compliant CRM storage such as Pipedrive and HubSpot, which as data processors also carry a responsibility to protect against cyber threats.
Any data subject who withdraws consent and asks not to be contacted again, or who remains unengaged throughout attempted communications, will be removed from our system.
For our data processing clients, we are lawfully permitted to process personal data on your behalf on the basis of our contractual relationship. The specifics are outlined in our Service Agreement, Data Processing Agreement and Terms & Conditions with you; for further questions refer to these or contact your account manager.
We process personal data on your (the customer’s) behalf. It is your responsibility as the data controller to ensure that the data you provide to us has been collected and is held in a compliant way.
We process the data you provide according to your instructions, delete any data upon request, and ensure the data remains confidential. We have also taken steps to ensure that every employee is trained to comply with GDPR standards of privacy and confidentiality.
We will maintain and enforce the technical and organisational measures we have in place, which include physical access controls, system access controls, data access controls, transmission controls, input controls, data backups, and data segregation.
In order to best protect personal data throughout our business relationship, we will take steps to ensure the data we are provided with is appropriately secured. That includes encrypting and pseudonymising personal data so that it is protected in the event of a breach, ensuring timely data restoration is possible in the event of a physical or technical incident, and regularly testing and improving our security measures and protocols.
As is our responsibility as your data processor, if a data subject asks for information about how and why their data has been processed, we will provide them with the identity and contact details of you (the Controller) or your representative, and of your company’s Data Protection Officer. We will also provide them with the legal basis on which we process their data.
Please take into account that where legitimate interest is given as the legal basis for processing, and the data subject is a child or the data in question is particularly sensitive or confidential, your legitimate interest may not outweigh the data subject’s right to privacy.
Our teams are trained to keep detailed records of how processing has been carried out, which can be used to provide data subjects with a full account in the case of a data subject request.
We will notify you within 5 working days if we receive a data subject request, and have already taken steps to ensure we can provide any information that might be necessary quickly and efficiently. For as long as we have access to the personal data you provide, we will never disclose it to any data subject or third party other than at your request.
If for whatever reason our relationship is terminated early, we will relinquish access to all data and delete any data we may have stored during processing.
So to summarise for all clients and potential clients of Growthonics, the main changes we are making to ensure compliance with the GDPR are:
Data Minimisation – only collecting the data that is relevant and necessary for your legitimate interest, and removing it from our systems when consent has been withdrawn or when it no longer serves that legitimate interest.
Record Keeping – k