As the initial storm of activity (and in some cases panic) surrounding preparation for GDPR subsides, we take a look at a practical guide for funds wishing to communicate with current and potential investors. We’ll consider what’s changed, what it means and what you can do to still communicate your fund’s value to the widest possible audience.
Does GDPR apply to business to business marketing?
In short, yes, most of the time. GDPR applies wherever your fund processes personal data - so a name and number, an email address that identifies the individual, or even a stack of business cards that you file or scan onto your computer.
What do firms need to do to be compliant with GDPR?
A lot of emphasis has been placed on gaining consent from people whose details you hold or will process; however, this is only a very small part of the GDPR story. The main thrust of the regulations is not actually about the act of consent (although freely given consent is one way you can qualify to contact someone).
The more important elements are the context of that consent and the availability of information on what that consent actually means. Most importantly:
- Full disclosure of how the information you hold on that individual will be stored, protected and used
- Clear instructions as to how the individual can discover what information is held about them and alter it
Grey areas and questions of risk appetite to explore through due diligence
The key piece of legislation here isn’t actually GDPR but PECR (in the UK) and the forthcoming substantially updated EU ePrivacy Regulation (ePR) (expected in the autumn of 2019).
Electronic communications (emails, SMS and calls) are subject to far tighter control than other forms of communication. To be fully compliant, you should run your own opt-out database and provide an opt-out in every communication.
For best practice, you should have consent from all parties for these channels; however, it's not a legal requirement in all cases. Depending on your organization's risk appetite, you'll have to make your own call on whether you restrict yourself to contacting actively consented records or use "legitimate interest" as justification in some cases.
Where is consent required and where does legitimate interest serve?
You can use legitimate interests as a means of justifying your contact of investors in lieu of holding active consent, but only if you can demonstrate that the way you use that data is proportionate, has a minimal privacy impact, and the recipient would not be surprised to receive the communication or likely to object to what you are doing.
There are exceptions even here, however. Private individuals, sole traders and some partnership structures are considered to be individual consumers, not businesses, so you can only email or SMS them if they have specifically consented, or if they have previously bought into a similar investment from you and didn't opt out from marketing messages. You must include an opt-out option in the message.
How to connect with the most possible investors (legally)
- Prioritise postal direct mail over email or SMS as the rules governing electronic messaging are far tighter than for other channels
- Leverage events, networking, inbound and content marketing to gather consent wherever possible, even when you don’t anticipate needing to use it
- Consider rebalancing your marketing mix to include more traditional methods (ads, inserts, mail shots etc.) instead of relying on email and SMS
- Use digital marketing to replace email and SMS as a direct route to a targeted group of individuals
What does this mean for due diligence?
Prosecutions and fines for breaches of GDPR will carry significant risk of business disruption (as the firm tries to rectify the issue) and reputational damage. It is therefore essential that you include GDPR in your due diligence considerations and process.
- Make sure your own fund is compliant
- Make sure your fund managers are compliant
- Make sure their suppliers are compliant