GDPR is the General Data Protection Regulation, a collection of EU regulations that outlines how data about EU citizens can be used, stored, and transferred. And it has significant implications for sales teams, especially ones that use outreach.
It isn't a particularly sexy piece of legislation, to be sure. But it is critical to protecting your business if you do outbound sales.
Now, for inbound sales, it is less critical. If you are using lead generation tools like Leadfeeder to see who has been on your site and then go looking for their email and phone number, then GDPR may apply.
In our recent webinar GDPR Guidelines for B2B Outbound Sales, Peter, the customer success lead here at Leadfeeder, was joined by JB from Evergrowth.io to discuss how GDPR can impact your B2B sales outreach — and how to make sure your processes stay compliant.
Keep in mind that GDPR fines can be as much as 10 million euros or 2% of a company's global turnover in the previous year. GDPR isn't anything you want to mess around with.
Frequently asked questions about GDPR in the sales world
The GDPR is a complex set of laws and rules — a total of 11 chapters and 99 different articles. There's a lot to unpack, as you can see in the screenshot of all the laws below.
In the first part of the webinar, Peter and JB answered the most commonly asked questions about GDPR in the sales field. Here's what you need to know.
If I find someone on LinkedIn can I contact them without consent?
Yes, you can. At the beginning of the text of the GDPR, they have a list of what we call recitals, basically bullet points. Recital 47 clearly states, "The processing of personal data for direct marketing purpose may be regarded as legitimate interest." What that means is when you have a legitimate interest, you do not need to ask for consent to contact these people.
Now, this doesn't mean you can buy a random list of contacts and send them random emails. You need to make sure that you have a legitimate interest and to be able to prove that these people actually match your ideal customer profile, and you have a legitimate reason to contact them because your other customers look exactly like them.
Does the data subject have rights if I process their personal data for direct marketing purposes?
Yes, absolutely. Article 15 says the data subject has the right of access. This means they can ask you to extract their data from your CRM and send it to them at any time; they have the right to do that.
They also have the right to rectify the data, meaning that they could say, "I changed my job title, I got promoted; please update it in your CRM." According to GDPR, they have the right to do this and you have to comply.
They also have the right of erasure, to be forgotten. That's coming from many different articles in the GDPR and many different recitals. And while some big, big internet companies might not make it very transparent, people have the right to be forgotten, or to have their data removed.
They also have the right to restrict the processing of their data, which means they can question your legitimate interest. They might say, "Keep my data but I am going to question your legitimate interest with whatever authority is in my region. Restrict the processing and we're just going to ask an authority to say who is right here."
Do I need to inform the data subject about their rights?
This is a big one. The short answer is yes. You need to inform them about the identity and the contact details of the controller — so basically the identity of your company and the contact details of the data protection officer. You may also need to tell them what you will use their data for, and you may need to name the legitimate interest.
You'll also need to tell them what categories of personal data you have, such as their full name, email, job title, and their phone number, if you have it.
Then you'll need to tell them how long you will store their data, and if that is not possible, then the criteria used to determine that period. For example, how long will you store their data in your CRM, and at what point would you delete it?
All of this information needs to be shared when contacting them for the first time.
Do I need to follow the GDPR regulation if my organization is based outside of the EU?
Yes, because GDPR is about the EU data subjects and not about the organization. So if your organization is located in a place where the EU laws apply by virtue of public international law, you do have to comply.
Now, maybe if you're in North Korea, you don't need to follow the GDPR because the EU laws do not really apply in North Korea. But if you are based somewhere else, like the United States, Europe, and most other countries, you do need to follow the GDPR. The laws concern EU citizens' data, so it's not about where the company is located.
How to keep your sales process GDPR compliant
The easiest way to stay GDPR compliant is to use an email disclaimer the first time you reach out. It might feel a bit clunky at first, but it protects your company and shows your prospects that you are committed to following the rules.
So, what do you need to include?
Address and full details of your company. This can be included in your email signature line.
Inform them of their rights, including where you found their data, what information categories you have, the purpose of the data, where it will be stored, and how long you will store it for.
Let them know they have a right to lodge a complaint, a right to be forgotten, and the right to get a copy of their data.
How to express their rights. For example, you could tell them that they need to reply to the email with the number of each right they want to apply. So if I want you to stop contacting me, I just reply "One". If I want you to erase my data and also get a copy, I reply, "Two and Three."
There are pros and cons to this type of disclaimer. The main pro is that it is complying with the GDPR according to our understanding and it offers a straightforward and painless process for the data subject to basically express a request.
The format is also straightforward in terms of the internal process. If I get a reply with one, then I just put the status in my CRM as "Do not contact" and that's it, done. The con is it's very not sexy to have this big fat piece of text at the bottom of your email, right? But that's a compromise that has to happen to be compliant.
Another process you could use is to send the disclaimer in an email and tell them to follow a link that sends them to another form where they can select the right they want to express.
The cons with this approach are that you might need an API integration to connect the form with your CRM, and so forth. If you don't have that, then it adds extra steps to your process because you need to delete information in your CRM. You'll need to have some kind of reminder or task system to make sure the information is properly deleted.
Want to learn more about GDPR in outbound sales?
Watch the full webinar here, where Peter and JB answer more frequently asked questions, share more ways to make sure you are GDPR compliant in sales, and answer audience questions.