If you do business in the European Union (EU) or collect data from member states' citizens, your company is subject to the GDPR. This legislation has strict guidelines and substantial penalties for non-compliance – to the tune of €20 million or 4% of global annual turnover.
With GDPR governing all activities related to the processing of customer data, it’s crucial to approach it in a structured manner that allows your teams to do their best outreach, marketing and sales work while ensuring your company remains compliant.
However, don’t let fear and misconceptions surrounding GDPR steer you on the wrong path. In this article, we'll explore the ins and outs of the GDPR, the data it protects and essential steps you can take to make sure your business stays on the right side of the law.
The General Data Protection Regulation (GDPR) Explained
The General Data Protection Regulation (GDPR) is landmark legislation that replaced the outdated Data Protection Act (DPA) in May 2018. It ushered in a significant shift in how businesses worldwide need to handle personal data.
GDPR’s goal is to protect people’s fundamental rights and freedoms with respect to their personal data.
According to the law, it applies to any business that processes the personal data of EU citizens or residents or offers goods or services to such people, regardless of where they are in the world.
To gain a full understanding of the GDPR, we need to cover some key legal terms:
- Personal data is any information that relates to an individual that would allow you to identify him or her, either directly or indirectly. This includes obvious identifiers such as names and email addresses, as well as other data points such as location information, ethnicity, gender, biometric data, religious beliefs, web cookies and political opinions.
- Data processing refers to any action performed on data, whether automated or manual. This encompasses various activities, including collecting, recording, organizing, structuring, storing, using and erasing data.
- Data subject is the person whose data is being processed. In the business context, data subjects typically include clients, leads, website visitors, etc.
- Data controller is the individual or entity that determines the purposes and means of processing personal data. If you're an owner or employee who handles data, you likely fall under this category.
- Data processor is a third party that processes personal data on behalf of a data controller. The GDPR imposes specific obligations and responsibilities on these individuals and organizations. These typically include SaaS and cloud providers.
When Can You Process Personal Data?
Again, the GDPR is strict when it comes to processing personal data. Under GDPR, you cannot collect, store or do anything with it unless it meets one of the following criteria from Article 5.1-2:
- The data subject has given specific, unambiguous consent to process the data. This is particularly important for sales and marketing.
- Processing is necessary to execute or prepare to enter into a contract to which the data subject is a party.
- You need to process the data to comply with a legal obligation.
- Processing is necessary to protect someone's life.
- Processing is necessary to perform a task in the public interest or to carry out an official function.
- You have a legitimate interest in processing someone's personal data. This is the most flexible lawful basis, but it's important to note that the "fundamental rights and freedoms of the data subject" always take precedence, particularly when it involves the data of a child.
Everything is data and this is the framework to use when gauging if you’ll be compliant with GDPR.
What Is Legitimate Interest in GDPR?
Legitimate interest in GDPR is like having a good reason to use someone's personal data without requesting their explicit permission. This is why you often see cookie notices with adjustable permissions where the “legitimate interest” sub-toggles are automatically turned on.
However, we advise more caution. For example, suppose you provide project management software to other businesses.
Here’s how you would approach applying legitimate interest under GDPR:
- Identifying a valid reason: You may have a legitimate interest in analyzing usage data of your platform to improve its performance and add new features. You might also use customer contact information to provide important updates about the service.
- Checking if it's necessary: Using data to improve your software is crucial for maintaining its quality, but you should only collect the data you absolutely need to improve your service or provide value.
- Considering businesses' rights: If you’re in B2B, your data processing activities must respect the rights of the businesses using your software. Be transparent about the data collected and how it's used. Provide options for businesses to control their data (e.g., opting out of different communication types).
- Strengthening the right to opt out: Opting out is the key. Even if you have a legitimate interest in collecting the data, you should always clearly communicate ways customers can opt out.
For example, you might send an occasional email with feature updates or tips. Despite this helping users get more value out of your software, you should still provide an easy way for businesses to unsubscribe.
In this B2B context, legitimate interest is still about finding a balance between the company's goals (improving the software and providing useful information) and respecting the rights and preferences of their business customers.
What Does the GDPR Mean for B2B Sales and Marketing?
We know it’s difficult to navigate the complexities of the GDPR. But it's vital to grasp its significance and impact on sales and marketing.
Do you use purchased leads to bolster your sales pipeline? What about automatically importing Sales Navigator data into your CRM? Do you ask for referrals from existing clients?
If any of these strategies sound familiar, understanding GDPR is essential. This does not mean you should avoid these strategies completely. Contrary to popular thought, cold email is not against GDPR. It only requires careful planning and ensuring you get the data through legal, GDPR-compliant means.
The Right Partners for GDPR
Findymail’s contact information enrichment tool is an excellent example. As an EU-based service, Findymail offers the highest accuracy rates while adhering to GDPR. Your business stays on the safe side while increasing your revenue.
Then, ensure your CRM setup complies with GDPR by partnering with the right data enrichment tools. For example, Findymail’s CRM Datacare offers CRM enrichment, deduplication and data hygiene for a thriving pipeline.
The Core Concepts
Three main concepts directly impact B2B sales and marketing:
- Consent: Under the GDPR, individuals must provide explicit permission for you to utilize their data. Whether tracking cookies online or subscribing to a mailing list, obtaining consent is non-negotiable.
- Data Management: The GDPR grants consumers the right to understand what data you're collecting and to exercise control over it, including the ability to update or erase their info.
- Privacy: Specific guidelines within the GDPR dictate how personal data is gathered, stored, used and more. Companies are obligated to adhere to these regulations.
Your CRM likely contains a lot of personal data, from names and email addresses to interests and social media accounts. Know how to approach your prospecting strategies while staying GDPR compliant.
5 Ways to Stay GDPR Compliant in Sales and Marketing
The following are best practices for ensuring you can prospect and run effective marketing campaigns while adhering to the rules and stipulations of the GDPR.
1. Designate a DPO
A DPO (Data Protection Officer) plays a significant role in making sure your business stays GDPR compliant. In fact, Article 37 says you’re required to appoint a DPO if:
- You’re a public authority other than a court,
- You’re an organization engaged in systematic large-scale monitoring (think: Google),
- You’re handling “special categories” of data (such as racial identity, biometrics, criminal activity, political views, religion).
Even if your business doesn't fall within these categories, we still recommend assigning a DPO, especially if you collect large amounts of data or are based in the EU.
A DPO can be a liaison between your organization and regulatory authorities. And they can provide confidential guidance on GDPR compliance and help mitigate potential risks. Plus, they serve other functions such as compliance audits and providing data protection training.
2. Is Cold Email Allowed under GDPR?
Yes, cold email is allowed under GDPR if you have legitimate interest and proof that your contact can benefit from your communication. At the same time, ensure that you give them an option to opt out of your messaging.
If you don’t get consent at the time of data collection, inform them within 30 days and explain why you collected the data in the first place. In practice, you do this in your first cold email, when you reach out with a specific purpose tied to how they can benefit from your products.
You have to honor requests from anyone who doesn’t want to communicate and remove their data from your CRM immediately.
However, compliance isn't straightforward. There are situations where you’re legally obligated to hold on to data. In these cases, you need to communicate why you’re doing so. That would be the role of the DPO.
When it comes to cold outreach prospects, GDPR experts recommend removing their data from your lists if they haven’t responded in 30 days.
3. Use Social Selling to Obtain GDPR Consent
Social selling may be a relatively new concept for many sales professionals. However, for those who embrace it, it’s emerged as an effective method for prospecting and engaging with potential customers.
Those who master it see their sales opportunities increase by 45%.
Thankfully, GDPR doesn’t hinder our ability to leverage social media platforms like LinkedIn for connecting with prospects. Whether seeking recommendations from existing contacts or contacting new leads directly, social media is a priceless tool in your kit.
For example, LinkedIn’s Sales Navigator is a powerful prospecting tool your teams may already be using. With GDPR-compliant tools like Findymail, they can easily export data into your CRM with email contact information.
4. Evaluate Your Web Forms Through the GDPR Lens
A website is still a great platform for capturing new leads. But if you're using web forms to gather contact information, ensure compliance with GDPR.
Under GDPR, you need to justify the collection of personal data from website visitors, meaning you must only request necessary information. Details like job titles and dates of birth may help in lead scoring, but you need to be able to provide a legitimate “why” to collect it.
Moving forward, prioritize capturing essential information such as name, company and business email address. Consider if you truly need additional data or if you will enrich it within your CRM.
Transparency is key – visitors must understand how their data will be used and for what purpose. Provide clear opt-in (preferably double opt-in) and opt-out options via a subscription management tool so prospects can control their preferences.
Also, you have to recognize that giving an email address for one purpose – like signing up for a webinar – doesn’t mean they consent to join all your mailing lists.
5. Ask for Referrals
Referrals from existing customers are still one of the most effective prospecting methods. Reach out to your already satisfied customers and ask for references in their network. GDPR doesn’t restrict your ability to contact prospects based on recommendations from existing customers.
Of course, it’s best to ask the customer to contact the potential lead and ask for an introduction. A personalized email from them increases your chances of success and leaves a digital trace of the interaction.
GDPR Compliance Best Practices
Here are some best practices to keep in mind when striving to maintain GDPR compliance in your sales and marketing:
Understand and Organize Your Data
Gain a comprehensive understanding of the data you collect. Determine why it's collected, how it's stored, who has access to it and whether it contains sensitive information.
Data hygiene matters, especially with GDPR in place. Your lists should be accurate and valid at the moment of sending the emails or reaching out to prospects. Regularly audit and update your databases.
Map the Data Flow
Create a flow map showing how you gather, process and use data in your organization. This will help you identify potential vulnerabilities and ensure you have data protection measures at every stage of the lifecycle.
For example, if you have CRM integrations with enrichment tools that add more context to your data, include them in your map. Then, outline who has access to that data and how the data is ultimately used (marketing campaigns, outreach, analytics, etc.).
Use Double Opt-Ins
While legitimate interest is key, double opt-ins (initial agreement to get your communications and then a confirmation through email) add an extra layer of consent verification. There will be no room for ambiguity or misunderstanding.
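The mechanics described in this section and in section 2 (a pending sign-up that becomes valid only after the contact confirms a link, consent scoped to one purpose, opt-outs honoured immediately, and unresponsive prospects purged after 30 days) are easy to get subtly wrong in a CRM. The following consent ledger is an added example written for this article; it is not Findymail's code or Datacare. It assumes an in-memory store, an injected clock for testability, a hypothetical 48-hour validity window for confirmation links, and a suppression set keyed by a hash of the email so that an opted-out address is not re-imported from a purchased list. The class names, constants and sample addresses are constructed for the example.

```python
"""Consent ledger: double opt-in, per-purpose consent, immediate opt-out, 30-day purge.

Added example, not code from the article or from Findymail. Assumptions:
an in-memory store, a clock passed in by the caller, a 48-hour confirmation
window, and a hashed suppression list for withdrawn addresses.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference clock for the demo
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
CONFIRM_WINDOW = 48 * HOUR    # assumption: confirmation link expires after 48 hours
UNRESPONSIVE_AFTER = 30 * DAY  # the article's 30-day rule for prospects who never respond


@dataclass
class ConsentRecord:
    email: str
    purpose: str                 # consent is scoped: "webinar" does not imply "newsletter"
    status: str                  # "pending" or "confirmed"
    created_at: datetime
    token: Optional[str] = None  # random link token, kept only while pending
    confirmed_at: Optional[datetime] = None
    audit: List[Tuple[datetime, str]] = field(default_factory=list)  # evidence trail


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self._suppressed: Set[str] = set()  # SHA-256 of withdrawn emails, no clear text retained

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    @classmethod
    def _key(cls, email: str) -> str:
        return hashlib.sha256(cls._norm(email).encode()).hexdigest()

    def request(self, email: str, purpose: str, now: datetime) -> Optional[str]:
        """Step 1 of double opt-in: record a pending sign-up and return the link token."""
        email = self._norm(email)
        if self._key(email) in self._suppressed:
            return None  # address opted out earlier: refuse to re-add it
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email, purpose, "pending", now, token=token)
        rec.audit.append((now, "requested"))
        self._records[(email, purpose)] = rec
        return token

    def confirm(self, email: str, purpose: str, token: str, now: datetime) -> bool:
        """Step 2: the contact clicks the link; valid only once, within the window."""
        rec = self._records.get((self._norm(email), purpose))
        if rec is None or rec.status != "pending" or rec.token is None:
            return False
        if now - rec.created_at > CONFIRM_WINDOW:
            return False  # stale link: the sign-up must be repeated
        if not hmac.compare_digest(rec.token, token):
            return False  # constant-time compare so token guessing leaks nothing via timing
        rec.status, rec.confirmed_at, rec.token = "confirmed", now, None
        rec.audit.append((now, "confirmed"))
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        rec = self._records.get((self._norm(email), purpose))
        return rec is not None and rec.status == "confirmed"

    def withdraw(self, email: str, now: datetime) -> int:
        """Opt-out: delete the personal data for every purpose, keep only a hash."""
        email = self._norm(email)
        keys = [k for k in self._records if k[0] == email]
        for k in keys:
            del self._records[k]
        self._suppressed.add(self._key(email))
        return len(keys)

    def purge(self, now: datetime) -> List[str]:
        """Remove sign-ups that were never confirmed within 30 days; return the addresses."""
        stale = [k for k, r in self._records.items()
                 if r.status == "pending" and now - r.created_at > UNRESPONSIVE_AFTER]
        for k in stale:
            del self._records[k]
        return [k[0] for k in stale]


def run_scenario() -> dict:
    """Walk through the lifecycle on constructed data and return each outcome."""
    led = ConsentLedger()
    out = {}
    tok = led.request("Alice@Example.com", "newsletter", T0)
    out["before_confirm"] = led.may_contact("alice@example.com", "newsletter")
    out["bad_token"] = led.confirm("alice@example.com", "newsletter", "not-the-token", T0 + HOUR)
    out["good_token"] = led.confirm("alice@example.com", "newsletter", tok, T0 + HOUR)
    out["other_purpose"] = led.may_contact("alice@example.com", "webinar")
    tok2 = led.request("bob@example.com", "newsletter", T0)
    out["late_confirm"] = led.confirm("bob@example.com", "newsletter", tok2, T0 + 3 * DAY)
    out["purged"] = led.purge(T0 + 31 * DAY)
    out["withdrawn"] = led.withdraw("alice@example.com", T0 + 2 * DAY)
    out["after_withdraw"] = led.may_contact("alice@example.com", "newsletter")
    out["reimport_blocked"] = led.request("alice@example.com", "newsletter", T0 + 3 * DAY) is None
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two design points worth noting: consent is keyed by (email, purpose), which is what makes the webinar-versus-newsletter distinction from section 4 enforceable rather than a policy statement, and a withdrawal deletes the record instead of flagging it, leaving only a hash so the address cannot be quietly re-imported later. The audit list on each record is the evidence a DPO would ask for when a contact disputes having consented.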
Maintain Transparency
Transparency is paramount. Communicate with individuals about how their data is collected, processed and used.
Provide easily accessible information regarding data privacy practices (Terms and Conditions or Data Processing Agreements) and make sure your contacts can easily ask for their data to be removed.
Report Data Breaches Instantly
Finally, while we hope it will never come to that for you, GDPR mandates prompt reporting of data breaches.
If you experience a breach or the data is compromised, notify relevant authorities and affected parties within 72 hours of becoming aware of the incident.
Data Management for GDPR Compliance
In a world ruled by data, GDPR compliance is essential. The goal of the regulations is clear: safeguarding individuals' privacy rights. Your goal? Maintaining trust and revenue.
Data management lies at the heart of GDPR compliance. With Findymail's Datacare, we offer a comprehensive solution to help businesses effectively manage their CRM data.
With features designed to clean and organize CRM data – removing duplicates and populating fields with relevant information – Datacare simplifies maintaining a GDPR-compliant database.
By signing up for early access to Datacare, you can take proactive steps towards ensuring your data practices align with GDPR and enhance the efficiency and accuracy of your CRM system.
Sign up for early access and unlock the benefits of compliant data.