Previously, we learned about GDPR – what it is and who it applies to. This week we’re examining how GDPR affects prospecting from our VP of Information Security, Mike Meyer.
The advent of GDPR will bring about big changes in the world of outbound sales. Here at SalesLoft, we’ve seen a wide spectrum of interpretations as to how GDPR will impact prospecting in Europe. The spectrum looks like this:
So, how does GDPR affect prospecting? The answer is likely somewhere in between, and here’s why.
Legal Basis for Processing
The GDPR requires companies to have a “legal basis” for processing personal data about EU residents in their systems. Article 6 of the GDPR lays out several of these bases, but sales teams will be most concerned with the following:
- Consent of the data subject
- Performance of a contract
- Legitimate interest pursued by the controller
While most companies will rely on consent or performance of a contract as a basis for processing data regarding inbound leads, the basis that will likely be most suited to data related outbound leads is legitimate interest pursued by the controller.
The term “legitimate interest” is not clearly defined, but Recital 47 of the GDPR states that a legitimate interest may provide a legal basis for processing data, provided that the interests do not override the rights and freedoms of the individual. In plain English, organizations should ask the following questions:
- Do I have a valid legitimate interest for processing the prospect’s data?
- Does the processing of this data threaten the rights and freedoms of the individual?
If the answer to number 1 is “yes,” and the answer to number 2 is “no,” a legal basis for processing the data likely exists.
So if a legal basis exists for processing the data, what needs to change?
The GDPR specifies that organizations should only process data that is necessary for the legitimate interest. This concept is known as “data minimization.”
For purposes of selling, data elements that may be required include:
- First and Last Name
- Email address
- Phone number
However, sales teams tend to collect quite a bit of personal data that may not be necessary for the legitimate purpose of selling. Examples of these kinds of data include:
- Call recordings
- Email open tracking
- Link click tracking
Collection of the above data types should be avoided if they are not necessary for purposes of marketing and sales.
Best Practices for Prospecting Under GDPR
Assuming all the data processed for direct marketing and sales purposes is done so lawfully, sales teams still need to address how privacy regulations impact their ability to send emails and place phone calls to prospects in Europe. There is a sizable gray area when it comes to prospecting in Europe. With that in mind, here are a few best practices we know are tenants of European privacy law:
1. Pay attention to “Do Not Call” lists
Each member state may maintain its own “Do Not Call” list so it will be prudent to verify that your prospects are not on these lists prior to reaching out.
Links to the lists for several member states have been included below:
2. Include opt-out and privacy notice links in emails to EU residents
For emails to both inbound and outbound sales, it will be critical to include notice of your company’s privacy practices as well as the opportunity for the recipient to object to receiving future communications. This will increase your transparency and reduce the intrusiveness of the message.
3. Use discretion with the amount/frequency of communications
Although this is somewhat of a gray area, it is advisable to use discretion with the frequency and number of touchpoints to ensure that you do not intrude on the “rights and freedoms” of the individual as mentioned above.
4. Use social media
Social media is a solid alternative channel to cold email that will allow reps to diversify their method of prospecting while also remaining compliant with relevant privacy regulations.
This list is by no means exhaustive, but it should provide a helpful starting point for your sales reps. As always, review new processes with your legal and/or security teams to ensure alignment with the overall approach for GDPR.
Curious about how we approach security? Click here to learn more about how we store, process and secure sensitive information.
Hungry for more? Here are some other GDPR pieces you might find useful: