Any GDPR experts?

[Penny31]

Hi

Posting here for traffic. I am trying to get my head around GDPR because I am helping someone do some marketing for their company. They haven't done any digital marketing at all and they have a database of contacts, with some of whom they last exchanged email comms with in 2010. Are we allowed to send an initial marketing email that says something along the lines of "we have worked with you before, lets reconnect" and ask them to confirm they still want to hear from us. Then if we don't hear from them we take them off the database?

Are we allowed to give them a sales call?

I know postal mail is OK, just need a bit of clarity on what to do with the emails.

Also, how do we contact prospects? Do we have to avoid emailing them altogether?

Thanks in advance for some advice

Penny

It is not black and white and there a couple of ways of approaching historical data but it's always a risk assessment. The way we have approached it in our business is to justify contacting historic mailing lists using legitimate interests with the aim of gaining consent over time, marketing can only be sent if it closely relates to the reason we have their data in the first place (ie selling a closely related product they have bought). There needs to be a clear opt out option and we are collecting data for marketing purposes more under consent than legitimate interests now, but relying on legitimate interests for historic data. You need a privacy statement explaining your approach.

You need an information asset register that lists the type of data you hold and specify the legal basis you are using to process that data (legitimate, consent, contract etc) with a clear retention schedule. If you are relying on legitimate interests you should be doing a legitimate interest assessment, weighing up the data subjects rights against your own.

There is guidance on the ICO website.

(Marketing under legitimate interests that should say in the second sentence)

Find the company 's generic email address. Send a "hello" email to The Marketing Manager - no names. Hope you don't piss them off too much. Maybe you will get a couple of successful ping backs.
GDPR and PECR aren't there to stop business, they are there to stop playing fast and loose with people 's information. Anyway, how many of the people on the list still work at the companies in question after all this time. An old database is a commercially useless database.

Hi @Penny31, I'm a Data Protection Officer and happened to stumble upon your question.
There are a few things that need to be considered, of which "lawful basis" is key. The Data Protection Act 1998, the new GDPR and the Data Protection Act 2018 that replaced the 1998 version all detail that an organisation or body needs to have a lawful basis to process data. Processing includes things like marketing, but also storage and reporting.
If your friend or yourself would like help with all of this, let me know.

I'm work in data protection. You can email B2B under legitimate interests, as long as the person you're emailing holds a position in the company which is relevant to your mail. You must tell them how to object to receiving more mail.

No. You needed to do this last year before GDPR came in. We emailed everyone before the deadline and if they didn't respond they had to be removed from the database.

I really appreciate the responses! Some conflicting advice though.

I want to do things 100% lawfully and sort out the database and marketing properly. I don't want to give too much away but its quite a niche business and other than picking up the phone or emailing directly, the types of businesses we are targeting are not going to find them.

It seems like its going to be difficult to contact old clients and I have no idea how we can contact prospects. I think I am going to have to contact the ICO.

Depends. Was the list collected under consent? Or was it compiled from publicly available info? If the latter, then I can't see why the list can't be used under LI. You're not switching purpose.