Is prospecting through LinkedIn a breach of GDPR?

Cyber Resilience 13th August 2020

Since GDPR (the General Data Protection Regulation) came into force in May 2018, it has forced changes to many business processes. The ICO (Information Commissioner's Office), the UK’s independent body set up to uphold information rights, has taken action against many organisations, resulting in millions of pounds in penalties and fines.

The ICO is combining GDPR with PECR (Privacy & Electronic Communications Regulation 2003) to ensure organisations take appropriate action to protect the privacy of individuals and behave within the guidelines.

Marketing is one area in which the ICO regularly takes action, making it even more important to be aware of these regulations and conduct your activities in a compliant way.

More and more organisations are using the global social media platform LinkedIn for many marketing and awareness campaigns … and so the question arises.

Is prospecting through LinkedIn in breach of GDPR?

Here are some key points for you to consider:

  • Business-to-business marketing is NOT exempt from GDPR – it’s a myth that it only applies to B2C (Business-to-consumer). If you trade with or engage with either, you must comply with GDPR.
  • A business contact’s name, email address and mobile phone number are all considered personal data under GDPR. Therefore, using your LinkedIn contacts data must be done in accordance with GDPR.
  • The legislation comes into play if you add a business card and its details to files, computer systems or databases. This includes downloading a copy (digital or handwritten) of your personal contacts from LinkedIn. It is important that your organisation’s policies and procedures cover this, so that it does not undermine the organisation’s level of compliance with GDPR. All personal data (including B2B contact details) must be adequately protected from data loss and/or breach.
  • You must have a lawful basis for processing personal data; there are 6 available:
    1. Consent
    2. Legitimate Interest
    3. Contract
    4. Legal Obligation
    5. Vital Interest
    6. Public Task
  • The lawful bases that most commonly apply to marketing are ‘consent’ and ‘legitimate interest’. You must have a clear and easy opt-out process at all times.
  • Processing includes everything that the entity does with the data, including receipt, collection, storing, amending, disclosure and destruction.
  • You can rely on legitimate interests for marketing activities if you can show that the way you use people’s data is proportionate and has a minimal privacy impact, and that people would not be surprised by, or likely to object to, what you are doing.
  • Legitimate interest is easily demonstrated by using a legitimate interest assessment (LIA).

Therefore, when it comes to LinkedIn and compliance with GDPR you:

COULD – send an existing contact a message to seek agreement to email, call or meet about a topic, including their potential interest in goods or services for them or their organisation.

COULD – send a request to connect to someone you do not know, saying that you would welcome the opportunity to connect with them to explore potential interest in your goods or services.

COULD NOT – use search results for unknown contacts on LinkedIn to extract their email addresses or telephone numbers in order to issue company marketing.

In the 12 months to June 2021, more than £3.4 million in fines were issued by the ICO in relation to marketing activities. While the number of actions taken has reduced over time as marketing activities have changed to remain compliant with UK law, only eleven companies make up the more than £1 million in fines imposed by the ICO.
