Prospectiv GDPR Compliance Statement

Last Updated: 21st October 2023 16:44 GMT

This statement sets out the operating procedures Prospectiv undertakes to ensure GDPR best practices are observed to the greatest extent possible at all times.

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection, storage, and processing of personal information from individuals who live in the European Union (EU).

The Information Commissioner's Office (ICO) is the UK regulator responsible for the Data Protection Act 2018, the General Data Protection Regulation, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) across the UK.

The ICO acts as the data protection authority and it is crucial for us to maintain a positive relationship with them. Our commitment to achieving 100% GDPR and PECR compliance ensures we stay in compliance with their regulations.

It is vital to take GDPR compliance seriously since the penalties for non-compliance can be severe and have significant consequences. We aim to avoid ICO investigations or enforcement notices by strictly adhering to GDPR best practices.

Prospectiv and GDPR Compliance

In addition to appointing a compliance officer to oversee our adherence to the rules, Prospectiv has engaged third-party compliance expertise to audit and advise on best practices. This investment enables us to assure clients that we strictly observe GDPR best practices wherever possible at all times.

Prospectiv's Relationship With You

To put this in the language of GDPR and the ICO:

We are Joint Controllers. Yes – Joint Controllers. Even though, as a service provider, we essentially work for you, it is important to recognize that we are both responsible for deciding who to target, what data to collect, how the data is processed, what messages we send them, and how their data will be collected, processed, and stored. This decision is fundamental to how we operate, so if you have any questions, let's discuss them!

To streamline our collaboration and ensure clarity, we have incorporated a comprehensive Data Sharing Agreement within Prospectiv's standard Terms of Service. This document outlines how we work together as Joint Controllers and how we support each other in the event of receiving a GDPR request.

Is Prospectiv's Marketing Activity Compliant?

Let's examine this carefully.

Prospectiv's services are designed and offered solely to assist businesses in promoting to other businesses, that is, B2B marketing. In the case of B2B marketing, PECR allows email marketing as long as the material is relevant and recipients are provided with the option to opt out of future emails.

Therefore, Prospectiv naturally aligns with PECR requirements. As for GDPR, it applies to all aspects of data collection, storage, and processing. Prospectiv has been designed to be compliant, employing technical and operational systems to ensure adherence. Before launching new client activity, Prospectiv conducts a thorough assessment to determine if the product or service, combined with the proposed targeting, meets the criteria for GDPR and PECR compliant B2B marketing.

An essential part of this assessment is the Legitimate Interest Assessment (LIA). We have completed an LIA for ourselves and also have a standard LIA for each of our clients. Additionally, we have created a standard Privacy Policy update for client use as needed, which includes all the relevant clauses and references to Prospectiv to ensure transparency to the data subjects. Let us know if you require a copy of any of these documents.

Interested in Learning More About How Legitimate Interest Applies?

Regarding our Services, Legitimate Interest serves as the relevant lawful basis for processing, as defined in GDPR. GDPR outlines various permissible circumstances or categories under which Personally Identifiable Information (PII) can be stored and processed. The most applicable category for most B2B marketing is Legitimate Interests.

This link explains the Legitimate Interests basis for storing and processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/.

To ensure client activity falls into this category, we conduct a comprehensive Legitimate Interests Assessment (LIA) with each new client. The LIA is a questionnaire containing a series of questions about your specific scenario. There are three areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:

  1. Identify a legitimate interest: The legitimate interest can be your own interests or the interests of third parties. These can include commercial interests, individual interests, or broader societal benefits. The data processing is generally in your interests, such as increasing market share, brand awareness, or engaging business leaders.

  2. Show that the processing is necessary to achieve it: Can the same result be achieved differently? Core to the Prospectiv service is the efficiency and constant drive to be the most cost-effective sales channel, which we believe cannot be replicated using other methods.

  3. Balance it against the individual's interests, rights, and freedoms: Would the individual expect their data to be used in this way? For example, would an individual who publicly lists their role within a company expect to be contacted about services that may benefit that company or their department within the company? No data processing may replace or infringe upon the individual's interests or cause unjustified harm.

LIA Failures

If Prospectiv determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach any other part of the regulations (including PECR), we cannot support the activity within regions subject to GDPR.

Rights of Individuals

Privacy Policy: All messages sent will contain a link to a privacy policy that explains to the user their rights and the type of data held about them, as well as the entity responsible for the data. Prospectiv will provide a template privacy policy or review your existing one to ensure it meets the required standards. A link to our Privacy Policy, which is based upon this template, is here: https://www.prospectiv.io/privacy.

This standard privacy link would typically be included in the email signature of any outbound messaging. In the case of messaging as part of client campaign activity, the privacy link will be that of our client's own privacy policy.

Opting Out & Exclusion Lists: All recipients are able to easily opt out to prevent further email communication. All replies to prospecting emails are logged, and those prospects are added to your campaign exclusion list within 24 hours. Prospectiv allows for the import of existing exclusion lists before campaign activity. Exclusions can be submitted in the form of individual email addresses or full domains and will prevent communications from being issued to those email addresses or domains listed.

Subject Access Requests: All individuals have the right to request a copy of all data held on them. To support this, data subjects can email any Subject Access Requests (SAR) to [insert appropriate email address], and we will provide the requested data within 72 hours.

Right to be Forgotten: All individuals have the right to have some or all of their data removed (to be 'forgotten') at any time. However, a conflict arises when removing or forgetting an email address while simultaneously keeping it on an exclusion list to prevent future mailings. In such cases, where we have removed data, we will move the email address to a separate exclusion list on which it is stored only in hashed form, using a one-way hashing algorithm (SHA1). This ensures that we can prevent any future messages being sent to the customer while still honoring their right to be forgotten.

PECR and Sending of B2B Messages

While GDPR controls the storage and processing of personal data in the UK, the sending of messages is regulated under the Privacy and Electronic Communications Regulations (PECR). PECR provides clear requirements on business communication: "You can email or text any corporate body (a company, Scottish partnership, limited liability partnership, or government body). However, it is good practice—and good business sense—to keep a 'do not email or text' list of any businesses that object or opt out and screen any new marketing lists against that."

https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

Prospectiv Employees

All Prospectiv employees undergo GDPR, PECR, and general compliance training. This training covers the GDPR ruleset in detail, the relevance and impact of those rules on Prospectiv and our clients, and the steps we take to ensure best practices are observed at all times. We also emphasize the consequences, including penalties, associated with failing to meet strict GDPR standards.

Client Responsibility

While Prospectiv takes extensive measures to ensure best practices with respect to GDPR and PECR compliance across all client activities, clients should note that compliance responsibility is shared between both parties. Prospectiv cannot be constantly aware of the evolving regulatory frameworks in all countries at all times. Therefore, it is important for you as the client to have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.

In Summary:

Prospectiv has worked diligently to develop a compliant platform providing innovative marketing services and technology for our clients while respecting the rights of the data subjects whose information we collect. Compliance is now an integral part of our operations, and ongoing due diligence is embedded in how we conduct our business. Compliance is central to our identity as a B2B lead generation agency.