This statement sets out the operating procedures Virtual AI Ltd undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.
1. What is GDPR?
From 25th May 2018, the General Data Protection Regulation (“GDPR”) brings all EU member states under a common regulatory framework.
Virtual AI Ltd takes GDPR compliance seriously, and in addition to appointing a compliance officer to oversee our adherence to the rules, we have engaged third-party legal expertise to audit our processes and advise on best practice.
This investment enables us to assure clients that GDPR best practices are strictly observed wherever possible, at all times.
2. Virtual AI Ltd’s relationship with you
Virtual AI Ltd is a service provider. When you engage our services, we work for you, and when we create data, we create it exclusively for you.
To put this in the language of GDPR and the ICO:
- You are the data controller – data belongs to you and is not shared with any other client, company or third party. No messaging is sent without your oversight.
- We are the data processor – we work for you.
2.1 Third Party Processors
Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
Digital Marketing Service Providers
We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of personal information. Our appointed data processors include:
3. Does our marketing and prospecting activity comply with GDPR?
Virtual AI Ltd’s range of professional services is designed and offered solely to help businesses improve their own business performance. We are strictly marketing “B2B” and not “B2C” (i.e. directly to consumers or to a consumer retail market).
Before launching any new marketing or prospecting activity, Virtual AI Ltd conducts an in-depth assessment to establish whether the product or service, combined with the proposed targeting, meets the criteria for GDPR-compliant business-to-business (B2B) marketing. This assessment is called the Legitimate Interest Assessment (LIA).
Prior to conducting the LIA, suitability can usually be determined by the following two questions:
3.1 Will the product or service being offered benefit the businesses we are targeting, and not the individuals within the businesses themselves?
The product or service that you are offering needs to be of benefit to the target business, and when talking to any individual, relevant to their business role only. It can help to consider the following examples:
- If you are targeting companies that sell widgets, to offer marketing services designed to increase their sales of widgets, then there is a clear, sole benefit to the company.
- If you are looking to contact business owners in order to help them invest their hard-earned wealth, despite the links to their professional role, this is aimed at the individual, not the company.
3.2 Are the services being provided equally beneficial to whomever may be contacted about them?
If question one can be answered positively, then a further test of the business nature of your offering is to consider the target individuals that you would like to introduce it to. The only consideration here should be job-specific – typically department and seniority. Your offer should be equally relevant to whoever fills these role(s) at any given time, and in no way targeted at any given individual.
4. Virtual AI Ltd and Personally Identifiable Information (PII)
At the core of the Virtual AI Ltd marketing process is the identification of target companies. Whilst the details of this stage can vary, it involves no personal information at all. Once the list of accounts has been finalised, we then determine the details of the individuals in the target role(s) at the companies. This stage typically generates Personally Identifiable Information (PII).
Personally Identifiable Information (PII) data held is kept to an absolute minimum:
- Business email address – only emails on the target company domain(s) are stored. For example, if targeting a company whose website is xyzcorp.com, emails will be @virtualai.io. No personal email addresses are stored, ever.
- Social profile URLs
5. Legitimate Interests
GDPR sets out a number of permissible circumstances (or categories) under which PII can be stored and processed; the most appropriate category in the case of Virtual AI Ltd is Legitimate Interests.
This link explains the Legitimate Interests basis for storing and processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
To ensure client activity falls into this category, prior to engaging, we will carry out a full Legitimate Interests Assessment (LIA) with each new client.
Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:
- Identify a legitimate interest
The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
- Show that the processing is necessary to achieve it