General Data Protection Regulation (GDPR) became law on 25th May 2018 and covers how processing, storing & controlling data about individuals is carried.
As a membership organisation which provides data & information provider as part of its services to its members/customers for legitimate business interests since 1935, we take our responsibilities under the GDPR extremely seriously and ensure our processes and practices are compliant, and that our members & customers can make use of our data & information in confidence.
It’s a set of laws governing how personal data must be processed and stored, with a view to giving individuals greater control over how their data is used. Even after leaving the EU, the UK will continue to adopt GDPR as part of its own legislation. GDPR guarantees that data & information is treated with respect, kept protected, used honestly, responsibly and ina clear & transparent way.
We collect contact data from publicly-available, public-sector sources, local planning authorities, public tendering websites, publicly available spending plans, as well as publications & social media.
All this information is comprehensively and frequently researched to identify individuals involved in construction projects. Many of these contacts are corporate individuals. Whilst this is still categorised under GDPR as personal data, it can be used within current legislative framework for business-to-business sales and marketing purposes, assuming the Privacy and Electronic Communications Regulations (PECR) are followed.
Yes – the data & information is provided to our members/customers is based on the legitimate interest of improving marketing efficiencies for buyers and sellers within construction and connected markets. Legitimate interest is one of the six lawful grounds for processing data under the GDPR.
No. In a business-to-business setting an opt-in consent is not required for Builders’ Conference to share this data & information with third-party customers. In the setting of our business, properly informed opt-in consent is not realistic or practical.
Defined under the GDPR, consent requests must include the name of any third-party controllers (i.e. Builders’ Conference members/customers) who will rely on the consent.
Information Commissioner's Office (ICO): Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include: the name of your organisation; the name of any third-party controllers who will rely on the consent; why you want the data; what you will do with it; and that individuals can withdraw consent at any time.
This would mean in Builders’ Conference situation, listing the company names of thousands of companies, which cannot accurately be done in a succinct and easy to review manner. Merely informing platform contacts their details may be shared with a generic group of third- parties, for example members/customers, does not constitute opt-in consent.
Builders’ Conference would then need to re-contact all contacts each time a new third-party controller (i.e. a new Builders’ Conference member/customer) gained access to the Platform to ensure their consent remained in place, which is impractical and unrealistic.
By using legitimate interest as a ground for processing, Builders’ Conference members/customers can be assured that they are not at risk of relying on consent that is not legally robust in the eyes of the ICO, and that they will have access to our platform of industry contacts with no data & information being withheld due to lack of consent
No. Once our data & information has been exported/downloaded from our platform, your business becomes the data controller thereby you must ensure its storage, collection, use and retention complies with the GDPR. No matter where you receive sales and marketing data & information this is the case. We advise all members/customers to seek independent advice to recognise what can and cannot be done with data & information obtained from external sources to your own business. This could include the completion of a legitimate interest assessment, through which members/customers can demonstrate their GDPR compliance if required. In addition to the GDPR, members/customers must also consider electronic marketing communications are also covered by PECR.
Legitimate interest is one of the grounds for processing data & information as specified by the GDPR. The ICO states, “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there isa compelling justification for the processing”. For business-to-business purposes, where members/customers are utilising our data & information to recognise companies and individuals who are likely to have a requirement for their products and services, this is appropriate.
Legitimate interest assessment (LIA) is a risk-assessment based on our member/customer’s specific context and circumstances for processing data & information.
Privacy and Electronic Communications Regulations (PECR) are a set of rules acting in conjunction with the GDPR giving people specific privacy rights in relation to electronic communications. PECR sets out different rules for marketing to companies and marketing to private individuals (i.e. not business contacts). In general, the rules on marketing to companies are not as strict. PECR states that private individuals can only be contacted via email or by text message with informed and specific consent. Accordingly, in order to safeguard our members/customers, email addresses and telephone numbers are removed from this data if it is collected.
Yes. You must identify the grounds for this under the GDPR via a legitimate interest assessment and you must also comply with the Telephone Preference Service (TPS).
Yes. You must identify the grounds for this under the GDPR via a legitimate interest assessment and comply with PECR.
No. members/customer’s own their mailing lists and therefore are your own responsibility.
It is incumbent upon members/customers to maintain their own suppression lists internally.
All requests to be removed from our platform are carried out quickly, It is essential all members/customers refer back to our website for the most recently updated information.
The GDPR stipulates personal data must not be held for longer than you need it. Members/customers must study what this means to them as a data controller and therefore justify if required to. As above, member/customers must be aware, if they retain and use out-of-date data for marketing purposes, they may contact individuals who have opted-out of inclusion which could lead toa complaint.
Our processes are secure and in line with industry best practise. All data & information is stored using market-leading technology.
If you have any questions regarding our data & information please contact us.