“Work email addresses don’t count as personal data, right?” We’ve heard this a lot recently. The simple answer is that individuals’ work email addresses are personal data. If you are able to identify an individual either directly or indirectly (even in a professional capacity), then GDPR will apply.
A person’s individual work email typically includes their first/last name and where they work. For example, firstname.lastname@example.org, which will classify it as personal data. However, if it is a general business email address (e.g. email@example.com) that is not personal data.
So, do you need to obtain consent for business-to-business marketing? No, not always. There are six lawful bases for processing data under the GDPR which cover your business interests. These are:
2. legitimate interest
3. public interest
4. protection of vital interest
5. legal obligation
Recital 47 of the GDPR states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. However, if you intend to rely on legitimate interest rather than consent, you will need to apply the following three-part test:
1. The purpose test: Are you processing personal data in pursuit of a legitimate interest?
2. The necessity test: Is the processing proportionate to achieving your aims?
3. The balancing test: Is your legitimate interest overridden by the rights of the person whose data you’re processing?
The rules around business marketing emails arise from around the Privacy and Electronic Communications Regulations (PECR). As the GDPR deals with consent, you will need to comply with both the PECR and the GDPR when it comes to business-to-business marketing.
Just to throw a spanner in the works, the EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). It is yet to be agreed but will eventually replace the PECR.
The GDPR can seem to be a bit of a grey area so if you have any queries, it is best to seek advice rather than hearing from the ICO! For further information please take a look at our GDPR services.