B2B sales and marketing operations’ compliance ‘exemption’ shattered by the ICO
Article by Steve Sullivan
Head of Regulatory Compliance
Contact Centre Panel
Time to re-assess your risk profile, data and operational management
First, some history
The Information Commissioner’s Office (ICO) ‘never said’ that charities were exempt from all or most of the data privacy and protection rules that govern sales and marketing. However, many people in the charity sector thought they had an exemption. Plus there were never any enforcement cases or fines against charities, so there was no evidence that the ICO cared about charities’ rule-breaking.
Then, from 2015 and 2016, in the wake of the death of Bristol poppy seller, Olive Cook, charities’ fundraising techniques came under a lot of scrutiny and criticism. Inevitably, the ICO became involved and its investigations culminated in fining the following big-name charities in 2017:
The International Fund for Animal Welfare, Cancer Support UK, Cancer Research UK, Guide Dogs for the Blind, Macmillan, the British Legion, NSPCC, Great Ormond Street, WWF, Battersea Dogs & Cats Home and Oxfam.
This was a ‘shot across the bows’ of the whole charity sector, specifically highlighting the charities’ undeclared, hidden sharing of supporters’ data and income profiling (wealth screening). The total amount of the fines levied – £138,000 – wasn’t that great, but the reputational damage to what should be some of the most trusted organisations in the country was considerable. And the knock-on impact on charities’ fundraising business models contributed to millions in lost revenue for their causes.
Incidentally, the ICO’s focus on charities’ marketing practices has diminished, but it’s not gone away, as evidenced by this recent fine of a charity sending SMS appeals without consent.
That was and is a very challenging experience for charities, but most of us don’t work in the third sector. So, why the brief history lesson? Because commercial B2B sales and marketing may be about to go through a similar experience.
B2B’s wake-up call
Again, the ICO has ‘definitely’ never said that B2B sales and marketing isn’t covered by the data protection rules, though some aspects of the regulations are less stringent for business communications. However, a lot of B2B players certainly act like they’re excluded from the compliance considerations of their informed and professional B2C peers.
Why? Well, partly because the ICO never fines organisations for B2B marketing failings. Or at least not until now.
We all aspire to do the best for our prospects and customers, treat them with respect and in accordance with the law. But, inevitably, when these questions seem to be rather nuanced and not simply black and white, rational organisations will apply a risk assessment to guide their degree and prioritisation of compliance with regulations. So, if you operate B2B and the regulator seems to ignore your sector and business area then it’s reasonable to think that the level of regulatory risk you are exposed to is a lot less than in B2C.
A fine imposed by the ICO in late December suggests that things have changed. This case, described here, not only created considerable disruption to the operations of Northern Gas & Power, a business energy brokerage company based in Gateshead, it has also resulted in negative publicity, reputational damage and a £75,000 fine.
Northern Gas & Power largely sells its brokerage service to businesses through outbound calling from its two contact centres in Gateshead and Leeds. Northern operates – or operated – at scale, with over 4 million call attempts made in the year from May. However, irrespective of volume, there are a couple of clear lessons we can all draw from Northern Gas & Power’s experience.
- Northern failed to screen its calling data against the Telephone Preference Service (TPS) or the TPS’s little-known business number equivalent, the Corporate Telephone Preference Service (CTPS). As you will probably know, the TPS is the national ‘opt out’ register which needs to be referenced before undertaking any ‘cold’ or unconsented sales and marketing calling. Most B2C organisations are very aware of the TPS, B2B firms often less so – and the CTPS is largely forgotten by nearly everybody.
That will need to change.
- When the GDPR arrived here (as the 2018 Data Protection Act in the UK) there was a lot of talk about the fuzzy lines between individuals and companies. You can email email@example.com and that’s a business address, but firstname.lastname@example.org is my personal data. Similarly, the Contact Centre Panel office number 0114 2096120 isn’t anyone’s personal data (though it could be registered with the CTPS and thus off-limits), but my mobile number is. And for many companies, personal email and mobile will be the only way of making contact.
All these aspects need to be thought through, understood and managed.
- Northern purchased prospect data, but did not undertake appropriate due diligence of its suppliers to ensure they were compliant and reputable. It failed to ensure robust, defensible contracts were in place with its suppliers and didn’t test or audit the data supplied.
Buying third party data is now one of the most potentially fraught and risky activities an organisation can undertake and needs to be handled with deliberation and care.
- As the ICO’s enforcement notice makes clear, Northern’s operational management, internal controls and processes were poor. Added to which, its contact management systems – and Northern’s team’s ability to manage them – were very deficient, directly leading to poor data management and a failure to ensure suppression requests were actioned.
Northern Gas & Power has experienced considerable growth and apparent success, but without sound operational, data and technology underpinnings, continued success is increasingly difficult to sustain.
Whether you exclusively market to businesses or do so in combination with targeting consumers, the ICO’s latest move strongly suggests that B2B has lost any real or imagined status as a data protection compliance exception.
Contact Centre Panel boasts many years of collective experience in B2C and B2B customer targeting, acquisition and service, supplemented by a deep but pragmatic understanding of how to design and operate business models compliantly. Contact Centre Panel can offer clients:
- Tested relationships with a variety of B2B specialist customer experience and contact centre service providers
- A selection of best in breed technology solution providers to help meet customer contact and data challenges
- A select group of both B2C and B2B data providers, identified after an extensive process of legal, financial and compliance due diligence
Lesson 3 – Who’s calling?
About a quarter of all ICO fines – and half of the phone-based enforcement cases – involve the incorrect use of Caller Line Identification (CLI) numbers. As you probably know, these are the numbers presented on the customer’s phone when you call them.
Again, it’s Ofcom that sets the rules and regulations about the use of CLIs, but it’s the ICO who are pushing fines and enforcement. Misusing CLIs is a red flag to the regulator.
Simply put, CLIs should clearly identify the recipient of the call, be dialable, consistent and not confuse or mislead the consumer. In addition, if the customer rings the CLI number back you need to be able to inform the customer who you are and why you were ringing them.
That probably sounds very straightforward and you may be very confident about your use of CLIs. But that might not always be the case even when you feel you are being reasonable and fair:
- You could have several different offices or locations. Would it be wrong to cycle a variety of those numbers when calling to maximise answer rates?
- Or you might use the local office number when calling people who you know live nearest to that area. Is that ok?
- You know your customers or prospects are less likely to answer a call from a geographic, landline number. Can you use a mobile number CLI instead?
- What if, for reporting or inbound call handling reasons, it makes sense for you to use a different CLI for each campaign you run? How many different CLIs are too many?
- Or what if you’re running a collections campaign and know that your most hard-to-reach debtors will recognise and not answer your CLIs. Surely, it’s ok to vary the CLIs then? Isn’t it?
Sadly, the answers to these questions aren’t always clear, but you need to work out your approach and justification if you want to avoid damaging legal action and fines. Need a hand? Let us know.