Dealing with B2B data complaints under GDPR
Regulatory compliance has taken centre stage for every switched on marketing department.
Having worked so hard to ensure B2B data privacy rules are enforced at every stage of the marketing process, no one wants to experience that sinking feeling when a customer or prospect complains about receiving a marketing message. Inevitably however, it’s going to happen – so be prepared.
The introduction of the General Data Protection Regulation (GDPR) has not only raised marketing’s awareness of the need for good, compliant activity – individuals also now have a far better handle on their data privacy rights.
In addition to generic questions about data use or marketing plans, Subject Access Requests (SAR) are a standard component of GDPR compliance – so it is essential to have the correct processes in place.
Understanding B2B Data Requests
Under GDPR, if a business receives any question about the source of B2B data, it is essential to take note. However, there is a difference between an official SAR and a generic query about how personal data is being used, or how it was obtained.
A SAR is a specific request to be provided with a copy of the personal data being processed by a Data Controller and an explanation of the purposes for which personal data is being used. This is similar to the previous rights to information under the Data Protection Act 1998 (DPA); however, no fee can now be charged for complying with the request, unless it is ‘manifestly unfounded or excessive’. Furthermore, companies have just a month to respond, as opposed to the 40 days under DPA.
A good process that minimises the admin overhead and ensures deadlines are met is an essential step.
Clear Data Process
The best approach is to nominate one individual to be responsible for handling any data requests, whether generic queries or SARs. Before any information is shared, however, it is essential to verify the individual’s identity to avoid the fraudulent use of SAR to undertake identity theft.
It is also important to introduce robust and consistent processes for checking all relevant systems and data sources to ensure any information relating to the individual is included. The SAR will cover both digital data – including backups and archives – as well as some paper records; and the process must also ensure emails are checked for any identifiable reference to that individual.
Don’t overlook third party data: if the B2B data is owned by a third party, it is also important to check the process for requesting the information. How quickly will the data supplier respond?
It is also worth asking about the data supplier’s compliance processes – e.g. checking the frequency of routine regulation checks – to further reduce the chance of complaint.
Speed of Response
In many cases, a quick response with a clear explanation will allay the risk of any SAR being escalated to the regulator. Therefore, whether an individual has made a SAR or simply posed a question regarding marketing activity, ensure there is an immediate response. Even if this is a holding email, it will demonstrate that the business takes data privacy seriously.
While you have a month to respond to the SAR, any actual complaint about misdirected marketing activity, for example, should be acted upon more quickly. Make direct contact, explain how the B2B data was obtained and the deletion process, if that is requested. Most important, of course, is ensuring that record is immediately removed and added to an internal suppression file so any new data collected can be matched against it on a regular basis.
Compliant and Confident
To every marketing team within a business, the ability to quickly respond to any potential complaint is an essential part of compliance – and a strong, familiar process helps to rapidly alleviate that sinking feeling.