This statement sets out the operating procedures bSpec undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs a GDPR compliance strategy.
There are two different types of data-handlers the legislation applies to: ‘processors’ and ‘controllers’. The definitions of each are laid out in Article 4 of the General Data Protection Regulation.
A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
bSpec and GDPR compliance
In addition to appointing a compliance officer to oversee our adherence to the rules, bSpec has engaged third-party compliance expertise to audit and advise on best practice. This investment enables us to assure clients that GDPR best practices are strictly observed wherever possible, at all times.
bSpec services
bSpec’s marketing activity
bSpec’s services are designed to help other businesses run promotional activities aimed at other businesses – B2B Marketing Services. bSpec has designed technical and operational procedures that follow all aspects of GDPR – collection, storage and processing of data.
Joint Controllers
Even though, as a service provider, we are essentially working for you, it is important to recognise that we are jointly responsible for deciding who to target, what data to collect, what messages we send, and how that data will be collected, processed and stored.
Just to make all our lives easier we have incorporated a comprehensive Data Sharing Agreement within bSpec’s standard Terms of Service. This sets out how we work together as Joint Controllers and how we support each other if we ever receive a GDPR request.
Legitimate Interest
What is LI?
Legitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.
The key elements of the legitimate interests provision can be broken down into a three-part test.
1. Purpose test – is there a legitimate interest behind the processing?
2. Necessity test – is the processing necessary for that purpose?
3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
Legitimate Interest Assessment
Legitimate Interest is the relevant lawful basis for processing as defined in GDPR. GDPR sets out a number of permissible circumstances (or categories) under which Personally Identifiable Information (PII) can be stored and processed; the most appropriate category in the case of most B2B marketing is Legitimate Interests.
Before every marketing activity, bSpec always conducts a Legitimate Interest Assessment (LIA) to establish whether the product or service, combined with the proposed targeting, meets the criteria for GDPR-compliant business-to-business (B2B) marketing. We have completed an LIA for ourselves and also a standard LIA for each of our clients.
Purpose test
The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
Necessity test
Can the same result be achieved differently? Core to the bSpec service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.
Balancing test
Would the individual expect their data to be used in this way? Would an individual who publicly lists their role within a company expect to be contacted about services that may help that company or their department within the company? No data processing may override or infringe the individual’s interests or cause unjustified harm.
LIA Failures
If bSpec determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.
Rights of Individuals under the GDPR
The right to be informed
The right to be informed governs how the information you supply about the processing of personal data, typically in a privacy notice, must be presented: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.
All messages sent will contain a link to a privacy policy that explains to the user exactly what their rights are, as well as the type of data that is held about them and by whom. bSpec will provide a template privacy policy or review your existing one to ensure it meets the required standard.
The right of access
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data are processed), as well as other relevant information (as detailed below). These requests are often referred to as ‘data subject access requests’, or ‘access requests’.
All individuals have the right to request a copy of all data you hold on them. To support this, data subjects can email any SAR requests to [email protected] and we will return this data within 72 hours.
The right to rectification
Individuals are entitled to have their personal data rectified if inaccurate or incomplete and you must respond to a rectification request within one month if not deemed complex. You must inform related third parties where possible if the personal data is disclosed to them also.
All individuals have the right to request a copy of all data you hold on them. To support this, data subjects can email any SAR requests to [email protected] and we will return this data within 72 hours.
The right to erasure
‘The right to be forgotten’, or right to erasure means you must have procedures in place for removing or deleting personal data easily and securely where there is no compelling reason for possession and continued processing.
All individuals have the right to request that some or all of their data be removed from our systems at any time. If the individual agrees, we keep the minimum data needed to prevent future messaging. If the individual asks for all data to be removed, we keep only one-way encrypted information in order to prevent future messaging.
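As an added illustration of the "one-way encrypted info" retained after an erasure request (example code, not bSpec's own), the following keeps only a keyed HMAC-SHA256 token of each erased address and screens future campaign lists against it, so the plaintext address is gone but the person cannot be re-contacted. The key handling, the address normalisation and the sample addresses are assumptions.

```python
import hashlib
import hmac

# Constructed demonstration key (assumption): in practice this is loaded from a
# secrets store and retained for as long as the suppression list must work,
# because tokens cannot be matched without it.
SUPPRESSION_KEY = b"constructed-demo-key-not-for-production"


def normalise_email(address: str) -> str:
    """Canonicalise so that letter case or stray whitespace does not defeat a match.
    Lower-casing the local part is a simplification assumed here."""
    local, _, domain = address.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


def suppression_token(address: str, key: bytes = SUPPRESSION_KEY) -> str:
    """One-way keyed token: the address is not recoverable from it, and without
    the key the token cannot be matched against a dictionary of guessed addresses."""
    return hmac.new(key, normalise_email(address).encode(), hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds tokens only; no plaintext contact data survives an erasure request."""

    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def erase(self, address: str) -> str:
        """Record the token for an erased address and return it for audit logging."""
        token = suppression_token(address)
        self._tokens.add(token)
        return token

    def is_suppressed(self, address: str) -> bool:
        return suppression_token(address) in self._tokens

    def filter_campaign(self, recipients: list[str]) -> list[str]:
        """Drop every recipient whose token is on the list before any message is sent."""
        return [r for r in recipients if not self.is_suppressed(r)]


if __name__ == "__main__":
    # Constructed sample data, not real contacts.
    suppression = SuppressionList()
    suppression.erase("Jane.Doe@Example.com")
    print(suppression.filter_campaign(["jane.doe@example.com", "john@example.com"]))
```

Rotating or losing the key invalidates every stored token, so key retention is part of honouring the erasure request.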
The right to restrict processing
You have a limited right of restriction of processing of your personal data by a data controller. Where processing of your data is restricted, it can be stored by the data controller, but most other processing actions, such as deletion, will require your permission.
All individuals have the right to request that some or all of their data be removed from our systems at any time. If the individual agrees, we keep the minimum data needed to prevent future messaging. If the individual asks for all data to be removed, we keep only one-way encrypted information in order to prevent future messaging.
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
All individuals have the right to request a copy of all data you hold on them. To support this, data subjects can email any SAR requests to [email protected] and we will return this data within 72 hours.
The right to object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
All individuals have the right to request that some or all of their data be removed from our systems at any time. We process the request within 72 hours.
Rights related to automated decision making and profiling
You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.
All individuals are targeted, messaged and contacted individually. Our employees are involved in every single step of the B2B marketing process. The in-house software used by our employees follows the principles of GDPR.
bSpec Employees
All bSpec employees undergo GDPR, PECR and general compliance training. This covers the GDPR rule set in detail, the relevance and impact of those rules on bSpec and our clients, and the steps we take to ensure best practice is observed at all times. We also make clear the consequences associated with failure to meet the strict GDPR standards.
updated: November 2020