CALL US: 0121 416 0121

GDPR is only for personal data

GDPR is only for personal data

“GDPR is only for personal data so I won’t need consent to send marketing emails to corporate email addresses”

The idea behind the GDPR is to protect the data of EU citizens from risks. The law makes clear that if an organisation uses personal data (any data that, on its own or in conjunction with other data, allows identification of a natural person) then the organisation has an obligation to protect that data.

In the headline statement, it was implied that using a B2B email address for a corporate body will not require consent. Let me give you a scenario:

Bloggs and Co has registered the domain and the staff have firstname.lastname formats that end in

A marketing company is using an email database that includes all the family members of the Bloggs & Co board and managers. Fifty thousand emails are sent to this list and 20 people in Bloggs & Co receive the email. Everything seems okay with this so far?

However, what we didn’t know is that John Bloggs the MD setup an email address for Jack Bloggs his 9 year old son under the company domain. The email list company purchased Jack Bloggs email address (along with 2000 others) from a gamers portal and matched the address to the company details for Bloggs & Co.

Now the marketing company has sent an email to a 9 year old boy. The problems are manifold:

1. Assuming that corporate email addresses are exempt from this law is potentially dangerous.
2. If any email address contains enough information (i.e. Firstname, Lastname) to identify a natural person that could be regarded as personal data.
3. There are special rules for obtaining the consent of children, including the language used must be age appropriate.
4. Supervisory Authorities may add extra requirements to protect children’s data.
5. Were any actions taken to mitigate this risk, if so what evidence is there? – the answer will impact the level of fine.

I recognise that this is an imagined scenario but is it a ‘flight of fancy?’

With regard to GDPR, who is at fault here?

Is it the marketing company?
Is it the company that supplied the list?
Is it the MDs fault for giving a company email address to a child?
Is it the child’s’ fault for signing up to a gaming portal?

Here’s a hint. It’s not the last two.