GDPR: Don’t panic Mr Mannering B2B email marketing can continue

How does GDPR allow B2B email marketing to continue without consent?

Like WWII featured in Dad’s Army, the war on businesses who abuse data and take liberties with personal information is upon us, but this does not mean the end of B2B email marketing if you take a sensible approach.  As explained in this blog.

If you type GDPR into Google, you will find that there are 13.7M results.  Another search I have just done has 25.2M, the search was email marketing.  Which brings me to the point of this blog – email marketing does not need to stop just because of General Data Protection Regulation (GDPR).  The Information Commissioner, Elizabeth Denham, has said herself that there are a lot of myths out there about the new regulation – no doubt many of these are in the 13.7M search results on Google and doing the rounds in the industry that has shot up because of a) confusion and b) the much-highlighted big fines.

Denham wrote a blog where she busted some myths.  Here is the one I want to focus on and is central to my point regarding email marketing.  Below is an excerpt from the blog…

Please note that all italic text in this blog denotes quotes from the ICO or the Commissioner.


You must have consent if you want to process personal data.


The GDPR is raising the bar to a higher standard for consent.

Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.  The requirement for clear and plain language when explaining consent is now strongly emphasised.  This has understandably created a focus on consent.  But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.  The rules around consent only apply if you are relying on consent as your basis to process personal data.  So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.

So, what are these other ways to comply with GDPR?  There are five others, you can find out more on the Information Commission Office (ICO) website here.  However, I want to concentrate on, legitimate interests.

The ICO website states… You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object…You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them.  It goes on to state… You must tell people in your privacy information that you are relying on legitimate interests, and explain what these interests are.

So, what can be classified as legitimate interests?

I was speaking to a Senior Data Operations & Compliance Manager at Lead Forensics recently.  This conversation came about as I happened to be at a marketing event in London in February where I beat a path to the Lead Forensics stand with a burning question.  How is your business going to survive post-GDPR compliance date? The reason for the question was that Lead Forensics operate a leading IP Look-up platform.  In simple terms, you place a piece of code on the back-end of your website and they report back on which businesses have visited your website and who it may have been.  So, they are providing personal data to you for a fee.  Following time on their stand and a subsequent conversation with my contact, my thoughts were solidified.  A business can use legitimate interest for email marketing and stay within the regulation.


If someone on your email marketing database has been sent marketing communications in the past and has opened it.  You, as with Lead Forensics, can evidence that the potential client or partner has shown interest in your solutions.  My senior contact explained that Lead Forensics had taken both legal advice and clarified with the ICO; someone visiting your website has entered your shop.  So, the same argument applies to those who have opened your email marketing, and you can provide the evidence of their interest if required – even Mailchimp can do this.

Furthermore, legitimate interest is not all about the individual you are sending email marketing to.  It is, in fact, much wider.  The ICO states… A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits.

You see, GDPR is not about punishing businesses who want to grow, and let’s face it every business wants or indeed needs growth.  Marketing is vital to businesses of all sizes.  It is the lifeblood of growth.  In addition, specifically as an energy marketer, I would also argue that most of energy marketing has societal benefits.  Climate change is one of the most critical aspects in global; politics, economics and health.  Helping the UK Government, citizens and businesses become more engaged energy users on the road to reducing the impact of climate change is not just an interest, it is vital to society.

What else do I need to be aware of if using legitimate interest?

The ICO explains…There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest
  • show that the processing is necessary to achieve it
  • balance it against the individual’s interests, rights and freedoms

So, we have covered the legitimate interest part of the three ICO bullet points above.  Let’s quickly tackle the other two.

Processing is necessary.

The ICO states… The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.  Email marketing such as an email newsletter cannot be achieved in another reasonable way or less intrusively.  The cost of printing a newsletter (GDPR does not regulate traditional direct mail hence the reference) and posting it to say 10,000 individuals would be thousands of times more expensive than sending a targeted email.  Furthermore, it is much easier to unsubscribe from an email you are reading as an individual than it is to follow instructions from a paper newsletter.  Also, sending direct mail by post is no less intrusive than an email – both will be seen, and both will either be ignored or engaged with.  GDPR is about improving, not making life more difficult for individuals.

Balance against individuals’ interests, rights and freedoms.

The ICO states… You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.

Sending email marketing to an individual who has received email marketing from you in the past and has engaged with the communication can expect to receive further information.  For example, the whole point of a newsletter is to regularly update individuals on a continuing basis. Also, marketing that aims to help for example an energy manager, to achieve their tasks and meet their goals cannot be described as harmful.

Final point

B2B email marketing exists for main two fundamental reasons; generate sales for a business and to offer something the recipient may find of value.  You can balance your needs and the needs of the individual by sending relevant information to interested parties and stay within the GDPR.  You just need to be sensible, proportionate and offer an easy way to unsubscribe.

I would also like to point out one more fact about GDPR.  The Commissioner Elizabeth Denham took the BBC Breakfast couch a few weeks ago and said “We need these higher stronger sanctions and higher fines to be able to take action against international companies and strong big global players.  Our focus will not be small businesses in the UK.  It will be on where there are real risks to personal data and citizens and consumers.”

Denham also stated that the GDPR date of 25th May is not a deadline but a start date.  Meaning the start of doing things in a better way.  So, long gone are the days of bombarding anyone and everyone on your databases with everything you had – that was never a good strategy anyway!

Energise Marketing 93 specialises in helping energy businesses with marketing campaigns that drive results.  Contact us today if you need help.