GDPR and Compliance

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection, storage, and processing of personal information from individuals who live in the European Union (EU).
In the UK, the GDPR is implemented alongside the Data Protection Act 2018 and complemented by the Privacy and Electronic Communications Regulations (PECR) 2003. The Information Commissioner’s Office (ICO) is the UK’s independent regulator responsible for upholding information rights and enforcing these laws.
For organisations operating in the EU or targeting EU residents, each EU Member State has its own supervisory authority tasked with enforcing GDPR. These authorities have the power to investigate breaches, issue enforcement notices, and impose substantial fines.
Whether subject to oversight by the ICO or an EU supervisory authority, GDPR and PECR compliance must be treated as a top priority.
It is important to take GDPR compliance very seriously, since the penalties for non-compliance are punitive and designed to be painful. You definitely don’t want to be on the receiving end of an ICO investigation or enforcement notice!

Most marketing formats have evolved to rely heavily on the use of customer data.
GDPR is a rule set governing the circumstances and manner in which data can be processed legally. It also introduces some scary consequences for falling foul of the law.
GDPR also sets out the framework for which types of data are considered Private and should be treated as such. The GDPR-savvy phrase used to describe private data is Personally Identifiable Information [PII].
Most businesses are surprised by the amount of Personally Identifiable Information (PII) stored within their systems, often without any specific intent or purpose.

The aim of GDPR is to provide data protection guidelines for companies that collect, store, or process personal data, this is of course almost every company! From an email outreach perspective, GDPR and PECR guidelines oblige businesses to ensure marketing emails are directed to the individuals who are likely to find the content useful and relevant in their working capacity within the target business. That is ultimately the test for designating each communication as B2B in nature, and as such qualifying for the PECR B2B exemption. On that basis we ensure that:

• We take all reasonable precautions to identify only the types of companies that meet the exact requirements of your campaign.
• The topic of the email is clearly identified.
• We carefully craft every email to ensure the topic is relevant to the business prospect.
• There is a clear way to opt out from future emails.
• Each email comes from a genuine email address.
• Our client’s identity is clear and within each email.
• We include a link to the privacy policy of our client which clearly describes how the data was collected, the GDPR lawful basis for processing, the data subject’s right to stop further

It’s true to say that GDPR is complicated and that when you add in PECR requirements the situation can be confusing. However, we understand that both GDPR and PECR apply and we take our obligations very seriously.
Our innovative prospecting approach is inherently GDPR and PECR compliant. We only target business customers with carefully crafted communication and ensure we meet PECR consent and opt-out requirements.
We acknowledge our GDPR responsibility and ensure we meet our obligations throughout the process and help our clients understand and meet their obligations.

We send millions of emails each year. Post GDPR, we’ve noticed that some prospects mistakenly believe that email marketing became largely illegal after May 25th 2018.
A: It didn’t. Why are we so sure? Because we have worked hard to ensure that we meet the regulations’ various guidelines on data protection, relevance, targeting, etc. It hasn’t been easy. In fact, it has taken many months of blood, sweat and tears for us to say with total confidence that every Sopro campaign is and always will be 100% GDPR compliant.
We can save you time and money with GDPR compliant prospecting
A: If you’ve been running internal prospecting campaigns and you haven’t changed your process to comply with GDPR then we can save you time and money. We’ve done all of the hard work. Our email outreach campaigns are 100% compliant. And we follow every one of the many data processing requirements too.
What have we changed to become GDPR compliant?
A: With a long history of supporting hundreds of clients, there are many technical and operational changes that we’ve had to make to ensure compliance. We’ve read the regulations, received legal advice and training, nominated a Data Protection Officer who has led our GDPR mission, adapted our Terms of Service and Privacy Policy, improved our database functionality and worked with our suppliers and clients in order to ensure every aspect of our operation is 100% GDPR compliant.

No.

Yes. The GDPR does not replace PECR in the UK, nor does it replace the EU ePrivacy Directive – although it has amended the definition of consent. Instead, these laws work alongside the GDPR to provide specific rules on privacy and electronic communications, such as marketing, cookies, and communications security.
For B2B marketing and other electronic communications, you must comply with both the GDPR and PECR in the UK, or the GDPR and the ePrivacy Directive in the EU. The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with the new definition of consent) until the new ePR is finalised.

It is recommended that businesses appoint a Data Protection Officer to oversee adherence to the rules for certain types of processing however it is not a legal requirement.
At a minimum, you should have nominated an individual able to act as your compliance officer on an immediate basis when needed. That person can be employed directly (I.e. perhaps a CTO or managing director) or employed through a compliance support service.

If you are a business conducting in-house marketing activity to help sell a product or service, then you are the data controller with respect to the data associated with that campaign. [Article 24]
If you are a provider (business entity or freelance) of marketing services, employed to help a business sell a product or service, then the client is the data controller and you are more than likely employed as the processor. [Article 28]
For the outreach marketing services we carry out on your behalf, we act as a Data Processor, strictly following your instructions and only processing personal data as necessary to deliver the service.
This structure allows us to tailor outreach precisely to your requirements, delivering messages that reflect your brand while ensuring compliance with GDPR. To support this relationship, we have developed a clear and comprehensive Data Processing Agreement, which outlines our respective roles and responsibilities – particularly in our capacity as as a Processor for outreach.

With respect to data protection laws, B2B marketing campaigns are perfectly legal when conducted in a compliant manner and we recognise that both GDPR and PECR apply.GDPR defines just six lawful basis on which you can process personal data. Our primary lawful basis is ‘legitimate interest’. We have completed a full blown Data Protection Impact Assessment to ensure our approach meets GDPR requirements in full.
To ensure that your marketing is conducted in accordance with all relevant regulatory frameworks we recommend you conduct your own assessments and of course complete your own GDPR preparations.
Just in case you need help with this we’ve prepared a Legitimate Interest Assessment (LIA) which can be undertaken on your behalf.

Not necessarily. GDPR is concerned with how we collect, store and process personal data.
Under GDPR, Consent is one lawful basis for processing personal data, but there are alternatives. In particular, you may be able to rely on ‘legitimate interests’ to justify collecting, storing, and processing personal data.
However, when it comes to sending marketing communications, especially by electronic means (e.g. emails, texts, calls), the relevant rules come from privacy-specific legislation. In the UK, this is the Privacy and Electronic Communications Regulations (PECR). In the EU, the equivalent is the ePrivacy Directive (often referred to as the “Cookie Directive”).
B2B marketing (to corporate email addresses) is generally less restrictive – prior consent is not required, provided the content is relevant to the recipient’s role, and an opt-out is offered. Our approach is fully compliant with GDPR, PECR, and the ePrivacy Directive, ensuring your marketing campaigns are targeted, effective, and legally sound—whether you’re engaging with prospects in the UK or across the EU.
For more info on the relevant regulations, here is a link to the UK ICO’s Guide to PECR, detailing when you need consent for electronic marketing, among other topics https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/

GDPR heavily regulates the storage and processing of Personally Identifiable Information (PII).
You should map your business systems to determine the data fields you store and categorise these in terms of their GDPR status. Generally speaking, company information is not considered PII and can be stored and processed freely, as needed. This means you do not need to obtain consent to store a database of target companies.
Personally Identifiable Information may include fields such as prospect name, email, phone number, job titles and social profile URLs.

GDPR sets out a number of permissible circumstances under which PII can be processed, the most appropriate category for B2B marketing in this case is Legitimate Interest, although other categories may apply.
This link further explains the Legitimate Interest basis for processing PII https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/legitimate-interests/

To ensure any marketing activity falls into this category, prior to commencing, you should carry out a full Legitimate Interest Assessment (LIA) for any marketing campaigns that you intend to run. In order to help you with this, we have prepared a Legitimate Interest Assessment on your behalf, found here
[new LIA link]

If you determine that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR you may not be able to conduct the activity within any regions subject to GDPR. However, this is very unlikely, and you should definitely talk to us before you abandon all hope!

We strongly advise that you complete your GDPR preparations regardless of whether you engage Sopro or not! The UK ICO and other EU supervisory authorities can impose significant fines and enforcement actions for non-compliance.
We have produced a template Privacy Policy and Legitimate Interest Assessment to help get you started and to allow you to start your Sopro adventure.
Your key document is your Privacy Policy.
Any marketing messages should contain a link to a privacy policy explaining exactly what the user’s rights are, as well as the type of data that is held about them, by whom, and how the data was collected. You shouldinclude Sopro’s details in your Privacy policy, just to keep us both covered.
(If needed Sopro can provide a template privacy policy or check your existing one to ensure it meets the required standard.). The rest of the documentation is just the standard GDPR set. Probably most importantly, you need to know how you will manage any sort of request from a data subject. We can also help with, but for example:
Managing Opting Out & Exclusion Lists
All recipients must be able to opt out easily to prevent further email communication from being received. This is typically handled with an “unsubscribe” link.
Managing Subject Access Requests
All individuals have the right to request a copy of all data you hold on them.
When you receive a SAR you must have an efficient process to supply all personally identifiable data that you hold in connection with a data subject if necessary.
Managing Right to be Forgotten Requests
All individuals have the right to have their data removed (to be ‘forgotten’). You must have a reliable, repeatable process to remove all personally identifiable data that you hold in connection with a data subject.

Whilst GDPR controls the collection, storage, and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic Communications Regulations (PECR). In the EU, the same principle applies: the GDPR governs how personal data is processed, but marketing communications fall under the ePrivacy Directive (often called the “Cookie Directive”). Both the PECR and ePrivacy Directive sit alongside the GDPR and include rules on unsolicited marketing, cookies, and communications security. This is very clear as to the requirements on business to business communication. As the UK ICO states:
“You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out and screen any new marketing lists against that.”
This is where the Sopro approach really works – we only target business customers that are likely to be interested in your products and services.

Great question – the ICOs direct marketing checklist is a great set of guidelines, here it is:
https://ico.org.uk/media2/migrated/1551/direct-marketing-checklist.pdf

You should ensure all employees undergo GDPR and general compliance training, covering the GDPR rule set in detail and the relevance and impact of those rules on your business. This training should set out the steps you take to ensure best practice is observed at all times and make clear the consequences associated with failure to meet the strict standards.

We take data security VERY seriously. We have completed a Data Protection Impact Assessment and ensure that all appropriate security measures to protect our data and your data at all times.

Where marketing activity is conducted to target non-EU nationals these campaigns are generally not subject to the same data privacy laws and GDPR does not apply.
Just be careful and remember that GDPR applies to EU nationals that now live outside the EU. This is quite a tricky aspect so please talk to us if you are unsure.
Naturally, we cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times, as such it is important that you have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks and manage your campaigns accordingly.

We have collated the most useful links available to UK businesses researching the GDPR framework, key areas, timelines, scope and likely impact on B2B marketing.
Please note that GDPR rules are implemented at an EU Government (multinational) level. Each state is separately responsible for developing it own appropriate rule set ensuring, as a minimum, compliance with the EUs GDPR framework.
The UK Government has appointed the Information Commissioner’s Office (ICO) as the official body charged with ensuring national compliance with the GDPR. In light of this the ICO has released several handy guides.
Here are the most useful links from the key official bodies, including the UKs ICO, the UK Government, the European Legislation archives and the UKs Direct Marketing Association (DMA).
We suggest you put the kettle on:

• GDPR final text (English)
• GDPR Checklist 1 (UK ICO) – Data Controllers
• GDPR Checklist 2 (UK ICO) – Data Processors
• PECR text (UK Gov)
• PECR B2B Exemption – (ico.org)
• ePrivacy Directive text
• UK Direct Marketing Association (DMA) – 7 key points for B2B Marketers
• Direct Marketing Guidance – FULL VERSION (UK ICO)
• Direct Marketing Checklist – TLDR VERSION OF ABOVE LINK (UK ICO)