RGPD in B2B: between myths and realities
Having come into force on May 25, the RGPD (General Data Protection Regulation) has caused sleepless nights for more than one B2B marketer. Panic on board! The RGPD was on everyone's lips. The question kept coming up: how can we comply with the requirements of the RGPD regulations? To help professionals prepare, articles on the subject multiplied. But between truths and preconceived ideas, the prevailing cacophony contributed to sowing confusion. With a few months' hindsight, it's now time to set the record straight and bust the few remaining myths about the RGPD in B2B.
Myth #1: "The RGPD forces us to switch to double opt-in in B2B"
Not true! The RGPD does not change the rules applicable to email prospecting. At no point does the text mention the obligation to use double opt-in when subscribing to your emailing lists.
The prevailing principles remain those of prior information and the right to object. When we collect an e-mail address from an Internet user, we must therefore:
- Tell the person what we are going to use their data for.
- Ensure that the recipients of our messages are able to object to this use at any time.
In addition, the subject of communications must always be related to the recipient's professional activity. As a result, unlike the B2C emailing regime, explicit consent is not yet mandatory in B2B. Opt-out is still tolerated.
We can send messages to professional recipients as long as they have been informed that their data will be used, and as long as they do not object.
However, while opt-in remains optional in B2B for the time being, the possibility of future harmonization cannot be ruled out.
In any case, opt-in offers a better guarantee that Internet users are genuinely interested in receiving our messages. Even more so, double opt-in will ensure better database quality and greater precision in the results of our email campaigns.
Myth #2: "The Privacy Shield is 100% compliant with the RGPD"
Again, this is false. But, by the way, what's this Privacy Shield thing all about?
Co-responsibility with subcontractors at the heart of the RGPD
The RGPD regulates the collection and use of Internet users' personal data within the European Union.
But beware! When we work with service providers who host our data, we must ensure that these companies comply with the RGPD... even if they operate outside the EU.
We need to be vigilant, because the regulations impose a principle of co-responsibility between the subcontractor and us.
However, many software publishers (emailing solutions, marketing automation, CRM) operate from the United States. They are not directly subject to the RGPD but to the Privacy Shield, the local legislation on data processing.
Admittedly, several provisions of the Privacy Shield converge with European regulations. This is the case, for example, with the purpose principle. The Privacy Shield, like the RGPD, specifies that data may be collected and processed exclusively for specified, explicit and legitimate purposes.
The differences between Privacy Shield and RGPD
But, contrary to popular belief, the US Privacy Shield is not 100% compliant with the European RGPD.
What are the differences?
- The Privacy Shield is a self-certification mechanism: only companies that have signed up to the scheme undertake to comply with good practices in terms of personal data processing. We therefore have to check that our American service providers are on the list of adherents. In addition, we still have to check for what type of data the processor has self-certified.
- Unlike the RGPD, the Privacy Shield does not impose a time limit on data retention.
- The Privacy Shield provides for targeted access to data by US government agencies.
In short, the Privacy Shield is less restrictive than the RGPD. To remain compliant with the RGPD, we must therefore ensure that our US providers commit to going even further than their national legislation requires.
Myth #3: "The RGPD is the end of prospecting"
Obviously, if by "prospecting" you mean "buying a contact base and dousing it with mass emails or cold calls", the RGPD isn't good news for you.
But, let's be honest: does this type of prospecting still bring results?
What if we took the RGPD, not as a constraint, but as an opportunity to improve our prospecting practices?
The principle of consent, which is one of the key points of the RGPD, invites us to ask an Internet user for permission to collect and use their data.
Were we really going to keep sending messages, to no effect, to Internet users who haven't asked for anything and have no interest in our services?
The RGPD means the end of heavy-handed prospecting and the generalization of reasoned prospecting.
From now on, we're going to attract target customers to us and maintain the relationship by adopting inbound marketing techniques.
To attract contacts, we use forms that explicitly request the Internet user's consent.
We then move our target customers forward by offering them content tailored to their position in the buying cycle.
We track prospects with a marketing contact tracking platform. Once the prospect is ready and able to buy, he or she is passed on to our sales teams.
Based on the data collected, sales staff contextualize their contact and their pitch. In this way, the customer experience becomes fluid and harmonious throughout the entire process.
Rightly perceived as a major issue for marketers, the RGPD also fuels several misconceptions.
In any case, the constraints generated by the regulations represent an opportunity to evolve our prospecting methods towards practices that are more respectful of Internet users and their wishes.
In this respect, companies that adopt inbound marketing appear to be best equipped to prospect effectively in the RGPD era.