Any GDPR experts?

[Penny31]

Hi

Posting here for traffic. I am trying to get my head around GDPR because I am helping someone do some marketing for their company. They haven't done any digital marketing at all and they have a database of contacts, with some of whom they last exchanged email comms with in 2010. Are we allowed to send an initial marketing email that says something along the lines of "we have worked with you before, lets reconnect" and ask them to confirm they still want to hear from us. Then if we don't hear from them we take them off the database?

Are we allowed to give them a sales call?

I know postal mail is OK, just need a bit of clarity on what to do with the emails.

Also, how do we contact prospects? Do we have to avoid emailing them altogether?

Thanks in advance for some advice

Penny

No. If you have an old database collected in unclear circumstances, you wouldn't have been able to use it under previous data protection legislation. You also need to think of PECR.
Of course you can still market people under GDPR but with a decent database.
If you are helping people conduct marketing, I suggest you look at the ICO website first. Or contact them for advice.

Is this business to business or business to consumer?

Don't forget that [email protected] counts as personal information even if it is a work email.

Having said that, not sure if companies really care or worry about receiving unsolicited mail to be honest.

There was a while where we all tended to click unsubscribe last May, then it got a bit boring :)

The database is built up from old clients and bought data (from a while back).

Thanks for your advice, I will look up the ICO website.

Its business to business....

You can only use data such as this for the manner in which it was given/collected.

Are these contacts otherwise in public domain?

Highly unlikely unless you have evidence they gave consent when their details were first collected.

In fact it's much more likely you will be required to delete the entire database as you didn't contact them ahead of the deadline to ask them if you could keep their records.

I also work in marketing and my understanding is, if you have dealt with them before and they provided their information with the expectation to hear from you, it’s ok to make contact again with the option to opt out.
Lists that have been bought and individuals without prior dealings with the company should be deleted.

@LIZS yes email addresses can easily be found on associated websites

So old/existing customers I should be ok with, as long as I offer an opt out option..?

How do I go about targeting prospects? Email addresses are in the public domain but we haven't contacted them before.

"I also work in marketing and my understanding is, if you have dealt with them before and they provided their information with the expectation to hear from you, it’s ok to make contact again with the option to opt out."

Not quite, you have to be able to demonstrate that they consented, i.e. have a clear record of specific consent on file.

You will also have to demonstrate the data is held securely, with appropriate access restrictions and has been reviewed periodically.

How many records do you have?
L

Its a small business we only have about 150 records. I don't have clear consent from them, we have done business with them in the past that's all and I have old email conversations. We have never marketed to them.

How do I get in touch with them to get their consent? How do we drum up new business? I can get contact details easily from websites but as I understand it I cant just build up a list like that and send them a marketing email. Do I need to go back to the old fashioned way ad send something in the post!?

What we did was to email everyone and say that under the new GDPR regulations we needed to inform them that as a previous customer we held their data, what it may be used for and a link to our data protection/privacy policy and who to contact if they didn’t wish to be contacted in that way. However they were ALL previous clients, so there is an expectation you can use their data for legitimate business reasons. It is slightly different for bought data.

Ok so I think for previous clients I will email them and say we have worked with them before and provide an opt out, links to data protection and privacy policies etc. Can I just copy them from somewhere and add to our website? Its a complete minefield.

I will delete the old bought data, which is a shame because there are some good potential clients there. How on earth do I tap into those people then??

I went through the ICO website, looked up the guidelines and sample wording on there.

Our privacy notice

PRIVACY NOTICE
We process personal data including names, addresses, email addresses and phone numbers for legitimate business reasons which include the following:
To identify and prevent fraud; To enhance, modify or personalise our services/communications for the benefit of our clients; To inform customers when annual servicing or existing fixed term contracts are due for renewal; To enquire about tendering for future work.
We hold and securely store information in hard copy as well as electronic format. It is not passed to third parties except where we are legally obliged to do so by Gas Safe, NICEIC or other government regulations, or to our authorised sub-contractors.
Whenever we process data for these purposes we always take account of your Personal Data rights. You have the right to object to this processing at any time by emailing Xxxx

@Comefromaway - fab thanks I shall do that

Do read through the regs though to make sure you understand everything relevant to your particular situation.

Remember you need to consider the Privacy and Electronic Communications Regulations as well as GDPR.

Sounds like you need to develop your own privacy policy and data protection policy first. You can then link to them in an email. It should include what information is held, for what purpose, for how long and whether it is shared with any other organisations, and confirming that it is held securely , only accessible to those required to use it for the defined purpose . It may be pragmatic to eliminate those with whom you have had no active relationship for x years.The ICO has guidelines iirc.

Also work in marketing - my understanding is that it has to be within a reasonable time frame as well... so for example if the company hasn't had any touch point with the client within what is considered a reasonable time frame you wouldn't reasonably expect the customer to still be ok with you to contact them. The ICO wouldn't be much help as they give guidelines and like to leave grey areas for companies to interpret as they wish. You and your client will need to deem what is a reasonable time frame. I do however work mainly in b2c marketing, so not sure if this also applies with b2b. But if you do decide to go ahead with emailing them, just make sure it is clear where you got their information from and provide details/link to opt out.
Hope that helps 😊

@Penny31 , by post would be even worse- as well as more expensive.
If you want to take the risk of pissing potential customers off while trying to wheedle your way around the law with a dodgy old database, that is your client's call.
It is hard to believe that the client has never once done a targeted marketing exercise and is still in business, frankly.

If you are starting from such a low base it's probably worth getting external expert advice. With your current situation and approach you are HIGHLY likely to break the law.

You might be happy with that and tbh with 150 records of b2b contacts the likelihood of someone's reporting you to the ICO is low. Just be transparent with the company that's what you're doing.

Except that if companies knowingly break GDPR regs it attracts a higher penalty than a mistake...

Be very careful, I needed to transfer data for legitimate reasons, not marketing and my solicitor was VERY cautious about falling foul of GDPR. We had to word everything very precisely just in case, although I agree with other posters, the ICO website is quite vague and even the actual legislation can read as quite ambiguous. However there is an argument that that could work in your favour!

Could you perhaps find an alternative way to help your friend to improve or grow her business? E.g. better website/promotion that does not involve spam? I get loads and delete all mine unread. I wouldn't deal with a company that sends unsolicited email on principle. At least the postal stuff comes in handy for lighting the fire

I have to speak to ICO every now and then, have found them super helpful and very friendly to deal with.

Look on the website first, if you need any clarification after that then call them up