GDPR: Can you email an individual at a business?
- 13 Sep
As the live date for the General Data Protection Regulation (GDPR) gets ever closer, people are beginning to realise the scale and the impact it could have on their business. On the face of it, the GDPR is quite clear - you must get the explicit consent of individuals in order to communicate with them. However, in the B2B world, this isn’t quite as clear. Many are still wondering whether they can email businesses that haven’t explicitly opted in after 25th May 2018.
Back in January 2017, it was revealed that B2B marketers could indeed email businesses, thanks to a rare U-turn from the EU. However, “the change of heart” still left those in the B2B community wondering if they were allowed to email individuals at a business, e.g. firstname.lastname@example.org, or just the business email address, e.g. email@example.com?
The first thing to make clear is that a business email address does fall within GDPR. In response to a specific request made to the ICO last September, a case officer said: “If a business email address includes the name of an individual it can be considered personal data. It would identify them as an individual i.e. firstname.lastname@example.org. Therefore, any email address with an individual’s name listed within it in this way must be handled under DPA legislation, and the GDPR as of May (2018).”
That doesn’t mean, however, that you can’t send an email to an individual’s business email address without prior consent. Direct marketing is recognised as a legitimate interest under Recital 47 of the GDPR and is deemed a legal basis for processing the data. This effectively means that GDPR defers to the existing Data Protection Act in respect of B2B, with the principal requirements being to identify yourself as the sender and to provide a clear and easy way for the recipient to opt out.
The ICO, which is responsible for upholding GDPR in the UK, says this in its direct marketing guidance: “These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ … The only requirement is that the sender must identify itself and provide contact details.”
Furthermore, the ICO’s direct marketing checklist reveals that as long as “individual employees can opt out” then you can email them, without a confirmed opt-in.
Lead Forensics, a B2B lead generation software tool, have also confirmed that it’s their understanding that you can continue to email individuals at a business.
As GDPR draws closer, more and more questions are going to be asked about exactly what you can and cannot do, and we’ll be answering them. If you have a burning GDPR question, but can’t find the answer through the minefield of information already out there, tweet us @themarketingeye and we’ll do our best to answer it for you.
Note: The ability to email an individual at a business, as outlined in this blog post, does not apply to sole traders and some partnerships. If you are unsure about how to market to these types of businesses, please refer to the ICO website.