<img alt="" src="https://secure.hiss3lark.com/170025.png" style="display:none;">

How to: GDPR – communicating with your existing business contacts

This article was originally posted on Conformitas.com. We're sending a huge thank you to Cathy Brode for producing such a great, easy-to-read, no-nonsense approach to understanding the do's and don't's of sending emails to existing contacts. 

When thinking GDPR, a few questions to ask yourself are:

  • What lawful basis do you use for Business to Business marketing communications?
  • Should this change to meet the requirements of GDPR?
  • Have you not considered it before?

GDPR best practice

At the end of March, the ICO released detailed guidance on collecting, storing and processing of personal data, on a lawful basis. The guidance includes a section on ‘Use for marketing activities’, which will be the most helpful for those in this industry.

For those of you who used this lawful basis under the DPA 1998, the main change under GDPR concerns the requirements for accountability and transparency.
If you haven’t considered this before then read on below to find out how it could affect you.

Email address of a person within a business

You may well find that a lot of your business contacts fall into the ‘do not need to seek consent’ category when using ‘Legitimate interest’ as the lawful basis for your marketing e-communications. The balance test mentioned on the first page of the ICO guidance is the key to determining this, including:

  • Would the individual receiving your email think it is reasonable?
  • Take a step back and ask yourself if they would be surprised to get your email?

The basis of ‘Legitimate interest’ can be used when clients and prospects you are actively engaged with have already bought or received your products. They will not be surprised or think it is unreasonable to receive communication about the products/services they have purchased or expressed interest in.

For other business to business contacts you have been e-marketing to for a while you could also use ‘Legitimate Interest’ as your lawful basis. Check by undertaking a Legitimate Interest Assessment (LIA) using one of the many templates available. 

Note – take care how you word an email in Business to Business marketing communications, especially in an initial email. Their email address includes ‘personal data’ whether it is firstname.lastname@companyname.com or initial.lastname@companyname.com  or other variants. If you make the communication too personal, then it might be viewed as failing the balance test and hence require consent from the individual. Avoid using words such as ‘personally’ in your emails, (as in a phrase such as ‘I would like to personally invite you...’).

Private email addresses (hotmail, gmail, yahoo etc):

Sending marketing emails to these email addresses falls into the business to consumer communication category and, should you wish to include them, you need to delve further into the Privacy and Electronic Communications Regulations (PECR) (which have been in place for a number of years)as well as undertaking a LIA. You can look at using ‘soft opt-in’ as the basis for using Legitimate Interest when communicating with clients who have provided their personal email address. Where this does not apply, you will need to get, and manage, ‘consent’.


Suggestion: Search for all such email addresses in your CRM system and either delete them or work out how to engage on a business basis using their business email address. Look out for Sole Traders or Partnerships who use personal email addresses for business purposes as part of this task.

LinkedIn and other social media platforms

Just because a person has linked/followed you on one of these platforms does not mean that you can automatically add them to your marketing email list.

You will need to get their permission to do so. How you get this will determine whether you use ‘Legitimate Interest’ or ‘Consent’ as the lawful basis.

The rest

If you are not sure where a contact came from, treat them in the same way as the suggestion for Private Email addresses above. Work out if you wish to re-engage with them or remove them from your mailing list.

Your resulting mailing list might be lower on quantity but will be higher in quality, and compliant with GDPR.

Learn More

This article was originally posted on Conformitas.com.

About the Author: Cathy Brode

Cathy Brode

Cathy is an Information Security Compliance and Data Protection Consultant and the Managing Partner of Conformitas Consulting.

Related Posts

Leave A Comment

RECENT BLOG POSTS

Subscribe to Email Updates