GDPR is, fundamentally, all about the protection of personal data; basically it’s about an individual’s right to privacy. As such, most of the literature around it has tended to focus on what businesses need to do to protect customer data and to ensure that all marketing communications are compliant with these new rules.
While this is understandable, it is important that companies realise that business-to-business communications may also fall under the remit of GDPR.
Whether employer/employee relationships constitute business-to-business communication is not entirely agreed upon, but they most certainly do come under the remit of the GDPR.
The key point to note here is that, in terms of a relationship between an employer and an employee, consent on its own is likely to be a very weak justification for either requesting data or sending unsolicited communications.
The reason for this is that the law has a tendency to view the employer as being in a position of strength and essentially able to bully employees into giving consent, which they might reasonably have wished to withhold.
Because of this, it is highly recommended that employers look at the other five grounds for requesting data and/or sending communications (contract, legal obligation, vital interests, public task and legitimate interests) and see if one of these more accurately reflects their reason for requesting the data and/or sending the communication.
This is where life gets interesting. Cutting through the legal jargon, “personal data” basically means any data by which an individual can be identified. An individual remains an individual and therefore (potentially) a data subject even when they are acting in their capacity as an employee (or business owner).
In other words, sending an email to email@example.com or a physical letter to “Head of Purchasing, Company X. PO Box 12345, AB1 2CD” would be outside the scope of the GDPR since the former is a generic email address and the latter is a job title. By contrast, sending an email to firstname.lastname@example.org would come under the remit of the GDPR because that is an email address that identifies a particular individual at Company X.
This brings us back to the issue of why you are requesting the data or sending the communication in the first place. The good news is that consent is likely to have much more strength in this situation than it does in an employer/employee context; however, it’s important that it is informed consent.
Always remember, however, that there are a total of 6 acceptable reasons for gathering data and/or sending communications, of which consent is just one. It is up to each company to make sure that the right reason is used and, if necessary, communicated.
As specialists are still digging through the details of GDPR, and establishing the facts and legal basis of the legislation, some facts remain unclear at this stage. Taking care with your B2B communications makes sense, even if some experts disagree, because caution is better than jumping in with both feet and breaking the law.