RGPD in B2B: between myth and reality

The General Data Protection Regulation (GDPR), which came into force on 25 May, has given more than one B2B marketer sleepless nights. Panic on board! The RGPD was on everyone's lips. The question kept coming up: how can we comply with the requirements of the RGPD regulation? To help professionals prepare, articles on the subject have proliferated. But the prevailing cacophony of truths and preconceptions has helped to sow confusion. With a few months' hindsight, it's now time to set the record straight and dispel the few myths that still exist about the RGPD in B2B.

Myth #1: "The RGPD forces us to switch to double opt-in in B2B".

It's not true! The RGPD does not change the rules applicable to email marketing. At no point does the text mention the obligation to use double opt-in when subscribing to your emailing lists.

The prevailing principles remain those of prior information and the right to object. When we collect an Internet user's email address, we must therefore :

• Tell the person what we are going to use their data for.
• Ensure that the recipients of our messages are able to object to this use at any time.

In addition, the subject of communications must always relate to the recipient's professional activity. As a result, unlike the B2C emailing regime, the explicit consent of Internet users is not currently mandatory in B2B. The opt-out is still tolerated.

We can send messages to professional recipients as long as they have been informed that their data will be used and as long as they do not object.

However, while opt-in remains optional in B2B for the time being, the possibility of future harmonisation cannot be ruled out.

In any case, the practice of opt-in offers better guarantees that Internet users are genuinely interested in receiving our messages. Even more so, double opt-in will ensure that our databases are of better quality and that the results of our email campaigns are more accurate.

Myth #2: "The Privacy Shield is 100% compliant with the RGPD".

This is also false. But what exactly is the Privacy Shield?

Co-responsibility with sub-contractors at the heart of the RGPD

The RGPD regulates the collection and use of Internet users' personal data within the European Union.

But be careful! When we work with service providers who host our data, we must ensure that these companies comply with the RGPD... even if they operate outside the EU.

We need to be vigilant, because the regulations impose a principle of joint responsibility between the subcontractor and us.

However, many software publishers (emailing solutions, marketing automation, CRM) operate from the United States. They are not directly subject to the GDPR, but to the Privacy Shield, the local legislation on data processing.

Admittedly, several provisions of the Privacy Shield converge with European regulations. This is the case, for example, with the purpose principle. The Privacy Shield, like the RGPD, specifies that data may be collected and processed exclusively for specified, explicit and legitimate purposes.

The differences between the Privacy Shield and the RGPD

Contrary to popular belief, however, the US Privacy Shield is not 100% compliant with the European RGPD.

What are the differences?

• The Privacy Shield is a self-certification mechanism: only companies that have signed up to the scheme undertake to comply with good practice in the processing of personal data. We therefore have to check that our American service providers are on the list of signatories. We also have to check for what type of data the processor has self-certified.
• Unlike the RGPD, the Privacy Shield does not impose a time limit on data retention.
• The Privacy Shield provides for targeted access to data by US government agencies.

In short, the Privacy Shield is less restrictive than the RGPD. To remain compliant with the RGPD, we therefore need to ensure that our American service providers commit to going even further than their national legislation requires.

Myth #3: "The RGPD means the end of canvassing".

Obviously, if by "canvassing" you mean "buying a database of contacts and spraying them with mass emails or cold calls", the RGPD is not good news for you.

But let's be honest: does this type of prospecting still bring results?

What if we took the RGPD not as a constraint, but as an opportunity to improve our prospecting practices?

The principle of consent, which is one of the key points of the RGPD, requires us to ask Internet users for permission to collect and use their data?

Are we really going to continue to send messages to Internet users who have asked for nothing and have no interest in our services?

The RGPD means the end of forceps canvassing and the generalisation of reasoned canvassing.

From now on, we're going to attract target customers to us and maintain the relationship by adopting inbound marketing techniques.

To attract contacts, we use forms that explicitly ask for the Internet user's consent.

We then move our target customers forward by offering them content tailored to their position in the buying cycle.

We track prospects using a marketing contact tracking platform. Once the prospect is ready and able to buy, he or she is passed on to the sales teams.

Based on the data collected, the sales team contextualise their contact and their pitch. In this way, the customer experience becomes fluid and harmonious throughout the entire process.

Rightly perceived as a major challenge for marketers, the RGPD is also fuelling a number of misconceptions.

In any case, the constraints generated by the regulations represent an opportunity to shift our prospecting methods towards practices that are more respectful of Internet users and their wishes.

In this respect, companies that adopt inbound marketing appear to be the best equipped to prospect effectively in the RGPD era.