GDPR Compliance for Sales and Marketing

  • In May 2018, the General Data Protection Regulation (GDPR) was enforced throughout the European Union (EU) and the European Economic Area (EEA). This regulation is designed to grant individuals greater control over their personal data by implementing robust data protection measures.
  • The GDPR specifies how companies must handle and secure the data they collect from clients and potential customers. It permits companies to engage in direct marketing and sales activities provided they can establish a lawful basis for processing personal data. The most commonly used lawful basis in B2B contexts is legitimate interest.
  • If your company engages in services such as cold outreach, you need to provide appropriate notices, maintain records, conduct assessments, and comply with privacy policies, Data Protection Impact Assessments (DPIA), and legitimate interest assessments. It's crucial to understand that under GDPR, the processor and controller of data can be distinct entities. In B2B sales, the sales representative often acts as the data controller.

How does GDPR apply to sales prospecting?

In May 2018, the General Data Protection Regulation (GDPR) was enforced across the European Union (EU) and the European Economic Area (EEA). This privacy legislation aims to grant citizens greater control over their personal data through stringent data protection measures. The GDPR sets forth guidelines on how companies must handle and safeguard the data they possess about their clients and potential customers. It permits companies to engage in direct marketing and sales activities provided they can demonstrate a lawful basis for doing so.

The most frequently utilized lawful basis for processing personal data in B2B contexts is legitimate interest. If your company offers services like cold outreach, you must ensure the provision of appropriate notices, maintain records, conduct assessments, and adhere to privacy policies, Data Protection Impact Assessments (DPIA), and legitimate interest assessments. It is crucial to recognize that under GDPR, the processor and the controller of information can be separate entities. In B2B sales, the controller is typically the sales representative.

GDPR and Cold Calling

Cold calling itself isn’t directly affected by GDPR; it is covered by the Privacy and Electronic Communications Directive. However, GDPR governs the use of personal data, such as phone numbers, for making cold calls.

Under Article 6 of GDPR, there are six lawful bases for using personal data:

1. Explicit Consent from the Customer:

Companies must obtain clear and explicit consent from individuals before processing their personal data. This consent must be freely given, specific, informed, and unambiguous.

2. Fulfilling a Legal Obligation:

Organizations can process personal data if it is necessary to comply with a legal obligation to which the data controller is subject. This includes obligations under local, national, or international law.

3. Fulfilling a Contract with a Customer:

Processing is lawful if it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

4. Carrying Out a Task in the Public Interest:

Personal data can be processed if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

5. Protecting the Vital Interests of an Individual:

Data processing is allowed if it is necessary to protect the vital interests of the data subject or another natural person. This typically applies in life-and-death situations.

6. Pursuing Legitimate Interest:

Organizations can process personal data if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided these interests are not overridden by the rights and freedoms of the data subjects. For cold calling, compliance with consent and legitimate interest is crucial to building trust with customers.

Consent

Having a prospect’s contact details doesn’t equate to having their explicit consent to contact them. For cold calling, consent must be:

  • Clear and explicit: The prospect must actively give permission for their data to be used for calling.
  • Specific to your organization: Consent cannot be transferred to a third party. The prospect must explicitly consent to your organization contacting them by phone.
  • Easy opt-out: Prospects should be able to withdraw their consent easily, and their data must be deleted within a month if they do so.

Legitimate Interest

Sales Development Representatives (SDRs) can cold call prospects under legitimate interest, depending on the jurisdiction, but this can be overridden by the prospect’s right not to be contacted. Ensuring GDPR compliance involves:

  • Clear roles and rules for handling personal data.
  • Secure recording and storage of conversations.
  • Proof of consent for leads obtained from third parties.
  • Establishing legitimate interest before calling.
  • Clear opt-in and opt-out messages.

GDPR and Sales Emails

GDPR does not prohibit sending cold emails but establishes specific rules on how personal data should be handled. Sales representatives should focus on contacting prospects who are likely to benefit from their products. The collection of data must be relevant and sufficient for lawful processing.

When sending cold emails, sales reps must adhere to the following guidelines:

  • Transparency: Clearly explain why the prospect is being contacted.
  • Source of contact details: Specify where the contact information was obtained (e.g., LinkedIn).
  • Data removal requests: Promptly honor requests to remove prospects from the database.
  • Opt-out option: Provide an easy way for prospects to opt out, such as an unsubscribe link.


GDPR and Social Selling

Salespeople must ensure their social selling practices on platforms like LinkedIn are GDPR compliant. On LinkedIn, the platform is the data controller and processor, protecting user data per GDPR requirements. As long as sales reps use LinkedIn for outreach, compliance is maintained.

Cognism’s GDPR Compliance

Cognism ensures its outbound sales emails are clear about their source and include opt-out links. To remain GDPR compliant:

  • Segment email lists based on business needs.
  • Explain how prospects' email addresses were obtained.
  • Protect data and retain it only as long as necessary.
  • Provide easy opt-out options.