
What the Heck Is GDPR?

Updated Aug. 25, 2021
Published Mar. 20, 2018

You’ve likely heard the term GDPR thrown around, but do you know what it means? Don’t feel bad if the answer is no. You’re not alone! According to a report by Forrester, only 15 percent of B2B marketers are fully compliant with the GDPR. In fact, less than half of the 66 marketing professionals they surveyed in January had assessed every point from which they collect data.

Not to worry – we’re here for you. We sat down with our VP of Information Security, Mike Meyer, to bring you a three-part series explaining GDPR as it applies to sales, what it means for prospecting, and how to make sure your technology is compliant.

So, what is GDPR?

The General Data Protection Regulation (GDPR) is the new privacy regulation in the European Union, which will go into effect May 25, 2018. The regulation is unprecedented in terms of scope and financial impact; penalties for noncompliance with GDPR are up to the greater of 20 million Euros (translation: $24.5M) or 4% of global revenue.

But I’m not a European company!

The new rules apply to anyone who collects data from EU residents, regardless of where your headquarters are. If you’re selling to anyone in the EU, this likely affects you.

The new regulation will affect security, privacy, and legal teams, but sales teams also have their work cut out for them. Our goal in this series is to help simplify GDPR compliance for sales teams and highlight practical action items teams can take to be compliant ahead of the deadline.

What type of data is included in the scope of the GDPR?

The regulation applies to personal data belonging to residents of the EU. The following in-scope personal data elements are likely to be processed as part of a company’s sales and marketing efforts:

Regardless of where a company is in the world, if the above data elements are processed, the organization must process the data in a manner compliant with the GDPR.

Am I a controller or a processor of data?

The GDPR makes the distinction between two different types of organizations that process data: “controllers” and “processors.” According to GDPR, controllers determine the means of processing whereas processors process data on behalf of the controller. The regulation sets forth different requirements for each role.

Because a sales team determines the means of processing data about EU residents, the organization is considered a controller in that capacity. Moreover, companies that provide cloud systems like CRMs, sales engagement software, and data management tools used by the controller in the sales process are considered processors.

Some organizations may operate as both a processor and a controller with respect to different data elements, so it will be important for your company to distinguish between the various types of data it processes.

As an example, Salesloft acts as both controller and processor as follows:

  • Controller – Salesloft processes data about EU residents for its own sales and marketing purposes
  • Processor – The Salesloft platform processes sales and marketing data about EU residents on behalf of its customers

Regardless of any role as a processor, almost all organizations that sell to EU residents will be regarded as controllers with respect to sales-related data.

What’s the bottom line?

Because marketing and sales are controller functions, sales teams will need to adjust their processes and their technology accordingly. The following are key concepts that will need to be considered and addressed by sales teams prior to May 25th:

Teams should, of course, consult with their legal, privacy, and security teams to ensure their strategies align with the company’s overall approach for GDPR. Check out these other pieces in our GDPR series:

Curious about how we approach security? Click here to learn more about how we store, process and secure sensitive information.

What questions do you have about GDPR?