GDPR Requirements for B2B Sales and Marketing: The Definitive Guide
May 25th, 2018 is a new dawn for information security and data privacy as the European Union’s GDPR legislation comes into effect. Companies across the globe are realizing that in order to do business in Europe, they need to become compliant with this law.
As a European-founded company, Datahug has always had a culture of “privacy first” when it comes to handling personal information and enabling collaboration across the enterprise.
This article outlines the key points that sales, marketing, business development professionals and CRM owners should consider as they start on the journey to EU GDPR compliance, and how we can help!
What is GDPR and why do B2B companies need to address it now?
The General Data Protection Regulation (GDPR) is a new regulation by which the European Parliament and European Data Protection Board (EDPB), the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).
It is urgent because fines for breaches of GDPR can go up to 20 million euros or 4 percent of annual global turnover, whichever is higher. GDPR comes into effect on May 25, 2018, which means that all companies have just a short time to become compliant.
Does GDPR affect US companies and your customers in the US?
GDPR is designed to protect the data privacy and sensitive data of individuals located in the EU and EU residents, so it is likely to impact most U.S. companies and Canadian multinational organizations given its broad scope.
What does GDPR mean for B2B Marketing?
GDPR expands on existing data privacy laws and includes harsher fines. Companies that already follow best practice in how they treat personal information will see little change. However, because regulators have often lacked ‘teeth’ in enforcing data protection principles, many companies have ignored this issue for years, so GDPR is forcing them to review and define how they handle data about customers and prospects.
GDPR specifies that companies must:
- Obtain and process the personal data fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give any individual a copy of his or her personal data on request.
Specifically for B2B Marketing, this boils down to:
- Improved lead capture forms with increased transparency.
- Identification of a legitimate business interest when communicating with a prospect when consent has not been given – where consent is relied upon instead, explicit (opt-in) consent.
- The ability for prospects to request a copy of their data and remove consent for any data processing or storage at any time.
- Obviously, not selling or sending the data to third parties (e.g. to other companies who intend to market to the same prospect) unless this has been explicitly agreed.
- Completing a privacy impact assessment (i.e., a ‘risk assessment’) of the third party tools that they use for processing data or performing analytics.
What does GDPR mean for B2B Sales Development, Inside Sales, and Telesales?
While mass B2C telemarketing will come under a lot of scrutiny as part of GDPR, particularly regarding consent, B2B Business Development (or Sales Development or Inside Sales) teams will also have to put processes in place to take account of the new regime.
Buying lists will be the hottest topic for B2B Sales Development teams and business development professionals. Companies will need to understand the source of these lists and complete privacy impact assessments for each of their vendors. If they are unclear about the origin of their prospects, they are putting their company at high risk that the prospect data was collected in a way that does not meet GDPR requirements.
Personalized outreach to a prospect via their business email or phone to start a conversation is not ruled out by GDPR. The ‘legitimate interests’ clause in Article 6(1) provides grounds for storing and processing data for this purpose:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Source: GDPR EU.
However, this does not provide a green light for all behaviors. For example, the legitimate interest needs to be continuously assessed to ensure that use continues to be legitimate, and a complete history of interactions will be required to demonstrate the evolving nature of this relationship.
Additionally, companies will need to demonstrate that guidelines are in place for salespeople to follow the process to ensure their use of data is legitimate. Specific training and documentation of the process are advised in this scenario.
Who enforces GDPR and what will an enforcement action look like?
Each member state of the EU will appoint a Supervisory Authority. US companies with a presence in an EU country may see enforcement actions from their local Supervisory Authority. Supervisory Authorities will have the power to conduct audits, review certifications, issue warnings, order your company to comply with GDPR, and impose fines.
Companies without a presence in the EU will be obliged to designate a representative in the EU for GDPR purposes.
Who at companies is responsible for compliance?
To comply with GDPR, you must appoint a Data Protection Officer (DPO) if you are a public authority, conduct monitoring of individuals (e.g., online behavior tracking for marketing purposes) or process (or are involved with processing) sensitive data, like health or criminal records.
The GDPR defines several roles that organizations should establish to take responsibility for data security and compliance: the Data Processor, the Data Controller, and the Data Protection Officer. Each role has distinct data protection duties within the company, including monitoring, personal data breach notifications, and staying up to date on new requirements.
The Data Controller role at companies defines how Personal Data has been processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
It’s also important to note that GDPR holds contractors, processors, and service providers liable for breaches or non-compliance. It’s possible, then, that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault is entirely with the processing partner.
Finally, articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
What is the difference between GDPR, US CAN-SPAM, and Canadian Anti-Spam laws?
The CAN-SPAM Act is a US law that provides rules and guidelines for commercial email and other messages. The law bans false or misleading header information (“From”, “To”, “Reply-To”), requires accurate subject lines, and is the reason that marketing email tools provide mandatory space on their templates for Unsubscribing and include the company name and location.
Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $40,654. GDPR does not override, replace, or serve the same purpose as CAN-SPAM.
CASL is the Canadian anti-spam law that broadly forbids electronic messages within, from or to Canada without prior consent. Email is allowed in some limited scenarios where consent is being sought or where a business relationship exists.
Organizations that don’t comply risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.
Ultimately, CASL and CAN-SPAM are marketing focused, whereas GDPR covers far broader data processing activities. That said, GDPR has similarities to CASL in terms of consent requirements, but it is a broader law and provides arguably far more expansive protections to individuals.
How is GDPR impacted by Brexit?
The UK will still be in the EU when GDPR comes into effect on 25 May 2018, so companies marketing and selling to UK citizens will still have to be compliant. In the short term, the UK has already undertaken to implement GDPR in full post-Brexit. In the medium term, even if there may be some legislative deviation between UK and EU law, it is expected that similar data privacy legislation will remain in force in the UK after Brexit. Note that, if the UK does not align with GDPR in the long term, then UK companies will likely be required to rely on a ‘Privacy Shield’ type model or on model clauses for the transfer of data between the EU and the UK – although this is all subject to conjecture.
What are Sensitive Personal Data and do marketing teams need to worry about this?
GDPR defines Sensitive Personal Data as data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Processing of Sensitive Personal Data has additional and stricter rules associated with it. Most B2B marketing and sales teams do not process this type of information, but if they do, further research and assessment is required.
What government organizations can I contact in relation to GDPR?
The EU regulators offer helpful advice on GDPR and have useful guidelines and documentation. See for instance the websites of some of the key regulators:
- The EU Data Protection Supervisor.
- The Irish Data Protection Commissioner.
- The German Federal Commissioner for Data Protection.
How are companies handling “the right to be forgotten”?
Article 17 of GDPR introduces the Right to Erasure (‘right to be forgotten’) and states that individuals shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay. It is worth noting that, contrary to popular belief, this is not an absolute right. However, as far as is practical, companies should try to enable deletion of data.
Organizations will implement this with a form on their website, or publish a specific email address to contact with such requests. This will be a tricky issue for companies, as the right is not limited to a particular database such as your CRM and may extend to the content of emails and paper records. Additionally, because of the widespread publicity GDPR is receiving, individuals are likely to exercise their rights more frequently.
Right to Erasure should not be confused with the right to withdraw consent. It is a final resort for consumers.
Companies that a) do a better job of keeping track of customer interactions and b) provide easy ways for EU citizens to opt out of communications can expect to have fewer Right to Erasure requests triggered on them.
What is a practical way for organizations to capture and record consent?
If consent is relied upon, lead capture forms should not be displayed to prospects with pre-ticked boxes. A tick-box should exist for each type of consent that the prospect is giving, for example:
- Agree to receive future marketing communications
A separate field should be created in your CRM for each type of consent received.
How does GDPR affect how B2B companies communicate with their customers?
While companies have a legitimate interest to communicate with their customers, to ensure transparency, you should formally set expectations with your customers for the types of communications they will receive from you. Where you sell a product that impacts end users, the end users should have control over the types of communications they receive.
What are the first three things I should do as a B2B Sales or Marketing Leader to become GDPR compliant?
- Make an inventory of all the tools, external services, and data providers you use as you will need to assess how they handle personal information
- Perform an audit of how your individual sales, marketing, and business development professionals treat data relating to customers and prospects
- Write a charter containing the guidelines for how your organization will treat personal data, ensure legitimate business reasons for contacting people and manage consent
- Ensure a team member has ongoing ownership of checking and ensuring privacy compliance
How can Datahug help with improving GDPR compliance?
Datahug automatically captures and tracks all active business relationships to prove the legitimate business interests of your sales, business development, and marketing activities.
Our GDPR solution creates a single, accurate dataset of customer relationships you can use to cleanse Salesforce, Microsoft Dynamics, Pardot, Eloqua, and CallidusCloud LeadRocket.
You can identify European leads and contacts with active business relationships, purge your CRM and marketing automation of stale data, and initiate ‘right to be forgotten’ workflow requests.
For more information, click here to talk to one of our team.