Our processes ensure that all B2B prospecting activity is lawful, transparent, and respectful of individual rights. We continuously audit our operations to align with best practices and evolving legal frameworks.
The ICO are like the data protection police and we need to make sure we always keep on their good side. Our determination to be 100% GDPR and PECR compliant will do exactly that!
It is important to take GDPR compliance very seriously, since the penalties for non-compliance are punitive and designed to be painful. You definitely don’t want to be on the receiving end of an ICO investigation or enforcement notice!
The General Data Protection Regulation (GDPR) is a legal framework governing how personal data is collected, stored, and processed across the European Union (EU) and the UK. It applies not only to businesses operating within the EU but also to organisations outside the EU if they process the personal data of EU citizens. GDPR ensures individuals have greater control over their personal data and imposes strict requirements on businesses to protect privacy and security.
The Privacy and Electronic Communications Regulations (PECR) govern direct marketing activities, including email and SMS communications.
Under PECR, businesses can send B2B marketing emails without prior consent, provided:
Data Protection Impact Assessment (DPIA): We have conducted a full Data Protection Impact Assessment (DPIA) to ensure that our data processing activities align with GDPR requirements and mitigate risks associated with personal data handling.
Pitch121 employees: Every Pitch121 employee receives GDPR, PECR, and compliance training as part of their onboarding and ongoing development. This training covers data protection principles, the impact of regulations on our operations and clients, and the importance of safeguarding personal data. We ensure our team understands and upholds best practices, with clear accountability measures in place.
Joint Controllers: Pitch121 and our clients are considered Joint Controllers, meaning we share responsibility for deciding how personal data is used and processed. This is covered in our standard Terms of Service through a comprehensive Data Sharing Agreement.
Legitimate Interest Assessment (LIA): We launch an in-depth assessment before starting each campaign to ensure it meets the GDPR’s ‘Legitimate Interest’ basis for processing data. Learn more about legitimate interest from the ICO: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/legitimate-interests/
Data Protection by design: Designed by our Data Protection Officer, our systems are built to handle data securely, ensuring compliance with GDPR principles.
Strict exclusion management: Recipients can opt out at any time, and we maintain detailed suppression lists to prevent future contact.
Robust security measures: We conduct regular security audits to ensure personal data is protected against unauthorised access.
Standard Privacy Policy for clients: We’re here to help with key clauses and references to Pitch121 for your Privacy Policy, but it’s ultimately up to you to manage it and ensure compliance with GDPR’s transparency requirements.
Under GDPR, businesses can process personal data if they have a legitimate interest that does not override the rights of the individual. Pitch121 has conducted a Legitimate Interest Assessment, considering:
– Legitimate interest: The business case for outreach, such as engaging with relevant decision-makers.
– Necessity: Demonstrating that email outreach is the most appropriate channel.
– Balancing test: Ensuring that our communications are relevant and not intrusive.
Opt-out management: All recipients can opt out easily to prevent further email communication. Replies to prospecting emails are logged, and those prospects are added to the campaign exclusion list within 24 hours. Pitch121 also allows clients to import existing exclusion lists before a campaign begins. Exclusions can be submitted as individual email addresses or full domains, ensuring communications are blocked for those contacts going forward.
Subject Access Requests (SARs): Campaign data subjects can email any SAR requests to [email protected], and we will return this data within 72 hours. For SARs submitted directly by other data subjects, we will respond within 30 days in compliance with GDPR requirements.
Right to be Forgotten: When requested, we securely remove personal data while ensuring suppression lists remain effective. To balance data removal with exclusion management, we retain only a one-way hash (SHA1) of each removed email address rather than the address itself. This ensures we honour opt-out requests while preventing future messages from being sent to the same individuals.
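The opt-out, client-imported exclusion and erasure handling described in the two items above, as a worked example. This is added illustration code, not Pitch121's own system: it assumes an in-memory contact store and an exclusion file with one full address or one bare domain per line (both constructed here), and it uses SHA-1 only because the page names it.

```python
# Added example (not Pitch121's code): a suppression list that keeps only
# SHA-1 hashes of excluded addresses and domains, so an erased contact's
# plaintext is gone but the opt-out still blocks future sends.
import hashlib


def normalise(address: str) -> str:
    """Trim and lower-case so the same mailbox always hashes to the same value."""
    return address.strip().lower()


def sha1_hex(value: str) -> str:
    """Hex SHA-1 digest of a UTF-8 string (SHA-1 because the page names it)."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


class SuppressionList:
    """Exclusion list holding hashes only. Domain entries are hashed with a
    leading '@' so a domain can never collide with a hashed full address."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def add_email(self, address: str) -> None:
        self._hashes.add(sha1_hex(normalise(address)))

    def add_domain(self, domain: str) -> None:
        self._hashes.add(sha1_hex("@" + normalise(domain).lstrip("@")))

    def is_suppressed(self, address: str) -> bool:
        """True if the exact address or its whole domain is excluded."""
        addr = normalise(address)
        if sha1_hex(addr) in self._hashes:
            return True
        if "@" not in addr:
            return False
        domain = addr.rsplit("@", 1)[1]
        return sha1_hex("@" + domain) in self._hashes

    def __len__(self) -> int:
        return len(self._hashes)


def import_client_exclusions(suppression: SuppressionList, lines: list[str]) -> int:
    """Load a client-supplied exclusion file (constructed format: one address
    or bare domain per line, '#' comments). Returns the number loaded."""
    loaded = 0
    for line in lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if "@" in entry:
            suppression.add_email(entry)
        else:
            suppression.add_domain(entry)
        loaded += 1
    return loaded


def record_reply(suppression: SuppressionList, sender: str) -> None:
    """A reply to a prospecting email is logged as an opt-out for that sender."""
    suppression.add_email(sender)


def erase_contact(contacts: dict, suppression: SuppressionList, address: str) -> bool:
    """Right-to-be-forgotten: drop the plaintext record and keep only the
    hash on the suppression list. Returns False if no record existed."""
    key = normalise(address)
    if key not in contacts:
        return False
    del contacts[key]
    suppression.add_email(key)
    return True


def filter_sendable(contacts: dict, suppression: SuppressionList) -> list[str]:
    """Addresses that may still be contacted on the next send."""
    return sorted(a for a in contacts if not suppression.is_suppressed(a))


# Constructed sample data
CONTACTS = {
    "jane@example.com": {"name": "Jane", "company": "Example Ltd"},
    "tom@example.org": {"name": "Tom", "company": "Example Org"},
    "priya@sample.net": {"name": "Priya", "company": "Sample Net"},
    "lee@sample.net": {"name": "Lee", "company": "Sample Net"},
}
CLIENT_EXCLUSIONS = ["# imported before campaign start", "example.org", "Bob@Example.com"]


def demo() -> dict:
    """Run the whole flow on the sample data and return the outcomes."""
    suppression = SuppressionList()
    contacts = dict(CONTACTS)
    loaded = import_client_exclusions(suppression, CLIENT_EXCLUSIONS)
    record_reply(suppression, "Priya@Sample.net")        # reply logged -> excluded
    erased = erase_contact(contacts, suppression, "Jane@Example.com")
    return {
        "loaded": loaded,
        "erased": erased,
        "sendable": filter_sendable(contacts, suppression),
        "suppressed_entries": len(suppression),
    }


if __name__ == "__main__":
    print(demo())
```

Case-folding before hashing matters because the digests of `Bob@Example.com` and `bob@example.com` differ, so an unnormalised list would let an opted-out address through. Since email addresses are guessable inputs, a keyed hash (HMAC with a secret key) rather than bare SHA-1 would make the stored values materially harder to reverse if the list were exposed; the example keeps SHA-1 only to match what the page states.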
Yes, GDPR applies to any EU citizen, regardless of location. Additionally, local data protection laws may apply depending on the country in which a prospect is located. If your marketing activity targets non-EU nationals, GDPR may not apply, but other regional data protection laws could still be relevant.
Businesses must be aware that GDPR applies to EU citizens even if they reside outside the EU. This means companies operating internationally should assess compliance obligations carefully to ensure they meet all relevant legal frameworks. Pitch121 considers these regulations when designing compliant prospecting campaigns and encourages clients to review the laws governing their target regions.
Whilst Pitch121 continues to take extensive measures to ensure best practice with respect to GDPR and PECR across all client activity, clients should take note that responsibility for compliance vests (in different forms) with each party. Pitch121 cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times; as such, it is important that you, as the client, have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.
The Information Commissioner’s Office (ICO) provides extensive relevant guidance:
You can find the UK government legislation on GDPR and PECR here: