Haven’t you heard of GDPR?
It’s been 838 days since GDPR came into force in the UK, and we still get asked daily by clients and recipients how we “get away with it”!
“How can you still send emails for us with all that GDPR stuff?”
“Why have you sent me an email? Haven’t you heard of GDPR?”
The short answer is there’s nothing to “get away” from.
The long answer is (get comfy for this one):
GDPR does not (repeat, DOES NOT) regulate marketing emails
The only time “email” is used in the entire document is Recital 23, which isn’t even about email marketing! The GDPR isn’t designed to deal with marketing by electronic means because there’s already a law in place to deal with that: the Privacy and Electronic Communications (EC Directive) Regulations 2003, commonly known as “PECR”.
The GDPR applies to personal data
Personal data is so explicitly defined in the GDPR, in such detail, but with rather a wide scope, that it’s hard to get it wrong — if you actually read the law. It only applies to data that identifies or could be used to identify, directly or indirectly, a living human being. Those living human beings are called data subjects, and they have rights. Those rights include the pre-existing right of access to data held about them, along with some new ones under the GDPR, and the famous one, the Right to Be Forgotten (which is really called “erasure”). But I can’t exercise my neighbour’s data subject rights, nor can I insist they be applied to data that isn’t personal data. That’s why asking for data held about a company has no basis in law, and why data controllers have to take steps to verify that it really is the data subject who has made a request.
Consent is one of SIX lawful bases of processing
Handily presented in Article 6, consent is the first of six in a list of acceptable reasons for a government, company or other organisation to process personal data. “Processing” is also rather explicitly defined, and very wide in scope. Even storing data is a form of processing. The other five are often neglected because consumers don’t get asked about them. That’s the point of a basis that isn’t consent: you won’t be asked, but you still have rights and the GDPR overall still applies.
Business email addresses ARE different, even the “personal” ones
Some of the most heated disagreements we have are with people asserting their rightness while ignoring the fact that PECR Regulation 22, which makes consent mandatory for marketing emails to “individual subscribers”, simply does not apply to business email addresses. The rules are a little more nuanced, but they are the rules. As the definitions in Regulation 2 aren’t crystal clear, the ICO has published guidance to clarify that sole traders and unincorporated partnerships are considered “individual subscribers”, while government bodies, public and private limited companies and limited liability partnerships are “corporate subscribers”. Recipient email addresses operated by corporate subscribers are not subject to the consent requirement or its exemptions in Regulation 22.
Email marketing is processing, but processing isn’t email marketing
Not needing consent to send marketing emails to an address identified as operated by a “corporate subscriber” within the meaning of PECR and the ICO’s clarifications doesn’t mean that now “the GDPR doesn’t apply”. If the email address constitutes or is associated with an individual, then it is something that directly or indirectly identifies a living human being, and that personal data needs to be protected. Just not necessarily with consent. There are 5 other valid ways to store and use that data, remember. So, the processing of personal data and the delivery of marketing emails are different things that, in the case of individuals, require the same remedy: consent. But in the case of business addresses, they do not. That is how business-to-business prospective email marketing works. Otherwise people wouldn’t do it, and the ICO would be coming down like a ton of bricks on everyone who is trying to stimulate the economy by marketing their products and services to companies they don’t yet have a relationship with. Which would obviously be absurd.
It’s hard to prove what isn’t
When something is written, if someone doesn’t believe you, you just have them look and read it. But when something isn’t, and someone insists that it is, what are you supposed to do?
Write this blog!
Drop us a line if you’re interested in some uber compliant email marketing to generate leads!
9th September 2020