The General Data Protection Regulation (GDPR), effective from 25 May 2018, governs the processing of personal information.
Given the varied nature of data we process in support of customers’ activities, we have audited and updated our processes to ensure we comply with the requirements of GDPR. As a result, BiP operates in compliance with this new legislation.
GDPR does not require BiP customers to stop using or to change how they use our services, if what was being done before was lawful.
The GDPR is a set of laws concerning how personal data must be processed and stored. It is aimed at giving individuals greater control over how their data is used. Post-Brexit, GDPR will continue to apply in the UK as part of its domestic legislation.
Much of the media coverage relating to GDPR references consent, but this is only one of six lawful bases for processing personal information. What is also often overlooked is the role of the PECR.
The Privacy and Electronic Communications Regulations (PECR) are based on the European Directive 2002/58/EC and sit alongside the GDPR. PECR set out more specific privacy rights in relation to electronic communications. BiP Solutions is also compliant with this legislation. PECR differentiate between corporate and individual subscribers and explicitly allow unsolicited marketing to corporate subscribers without prior consent, so long as recipients can easily unsubscribe or opt out.
The EU is in the process of replacing the e-privacy Directive with a new e-privacy Regulation to sit alongside the GDPR, but the new Regulation is not yet agreed. For now, PECR therefore continues to apply alongside the GDPR.
BiP takes data privacy and data security very seriously. As such, we operate an ISO27001 certified information security management system (ISMS) that is independently audited for compliance. This comprises a range of policies and procedures designed to ensure the confidentiality, integrity and availability of information, which includes all forms of personal information processed by BiP, and ensure appropriate measures are in place to protect individuals’ privacy.
In conjunction with ISO27001, we operate an ISO9001 certified quality management system (QMS). This is also independently audited twice yearly and helps ensure continuing compliance with regulations as we update our processes on an ongoing basis.
We are also registered with the Information Commissioner as a data controller.
For BiP’s own marketing activities, BiP differentiates between corporate and individual subscribers in accordance with the PECR. Under PECR, the need to have prior consent arises for individual subscribers unless certain conditions are met in which case prior consent is not required (also known as the “soft opt-in”). However, prior consent is not required for contacting corporate subscribers so long as an option to unsubscribe or opt out is provided.
BiP’s business intelligence services such as Tracker, DCI and Supply2Gov Tenders deliver aggregated content to our customers. BiP processes and publishes this content under the lawful basis of legitimate interest (Article 6 of the GDPR) whereby we are promoting supply chain development and engagement between buyers and suppliers. In turn, this is in the interests of both the buyers and the suppliers. This is underpinned by the fact that buyers are in control of what information they publish and, where buyers do publish personal information within these documents, it is with a view to enabling suppliers to engage with them more effectively in the pursuit of procurement activities. They can therefore reasonably assume that their information will be used in this way, there is minimal impact on the individual, and their rights and freedoms are not adversely affected – indeed there is benefit to them as their opportunity notices are reaching a wider audience and therefore bringing benefit to their procurement exercises.
Customers are responsible for their own data practices and for how that personal information is processed post-delivery. Customers must ensure their own compliance, which could include their own legitimate interest assessment.
BiP’s Ingenium and Opus data is drawn from publicly available sources and relates exclusively to corporate subscribers. This information is continually researched to identify organisations involved in procurement and delivery of goods, works and services to organisations. Throughout these research processes, contacts are identified and made available to our customers. While this is still classed as personal data under GDPR, PECR nonetheless allow the data relating to these corporate subscribers to be used for business-to-business (B2B) and business-to-government (B2G) marketing purposes without prior consent.
For third parties to make use of BiP’s Ingenium and Opus databases in B2B and B2G contexts, prior consent is not required. Although GDPR requires consent to be specific, informed and positively given, this applies only where consent is relied upon as a lawful basis for processing.
Prior consent is not realistic for data sets such as those offered by BiP. If prior consent alone was to be used as the lawful basis for marketing against the Ingenium and Opus databases, then all third-parties who may access an individual’s personal data would need to be named and each use of the data specified. Such prior consent is not realistic in this context.
Under the GDPR, consent is only one of six lawful bases for using data. An alternative lawful basis for using Ingenium and Opus data in this way is that of legitimate interest. While GDPR Recital 47 states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, the PECR establish a lawful basis to complement the legitimate interest of targeted marketing to corporate subscribers without prior consent where the aim is to enhance engagement between buyers and suppliers in a B2G and B2B context.
Customers using BiP’s Ingenium and Opus data must therefore use a different processing ground, such as legitimate interest, to use personal data included in BiP data. If legitimate interest is relied upon, the Information Commissioner’s Office (ICO) recommends conducting a legitimate interest assessment. It is important that this legitimate interest is not intended/allowed to provide an excuse for disregarding an individual’s privacy rights, which must be fully respected at all times.
Opt-in consent is not required for third parties to make use of BiP’s Ingenium and Opus data. These data are provided to customers based on the legitimate interest of enhancing engagement between buyers and suppliers in a B2G and B2B context.
Customers are responsible for ensuring their own data processes are compliant.
Our Ingenium and Opus databases are updated daily and so will always reflect the most up-to-date status of any individual’s consent.
No. Customers are responsible for their own data practices and must ensure that they are compliant with all relevant regulations, which could include their own legitimate interest assessment.
Please be aware that this does not constitute legal advice. If you want to know what your legal position is, then we suggest that you obtain legal advice as soon as you can.
If you have any queries regarding BiP data and the GDPR, please get in touch.