Prospecting in a Post-GDPR World
The past few years have been rather tumultuous in the digital realm. First came Mobilegeddon in 2015, heralding the end of (desktop) days. And now, we’re dealing with the fallout of the General Data Protection Regulation (GDPR), which officially became the law of the (European) land on May 25, 2018.
Are you familiar with it? Are you adhering to it? If the answer is ‘no,’ you’re likely not alone. As of a year ago, 57% of surveyed marketing and sales reps were not aware of GDPR or how it would impact them, and only 29% of organizations label their approach to data protection and organization as “mature.”
But if you’re in either of those groups, you need to fix it.
The GDPR is a new set of rules on how to manage and share personal data. It’s worth the effort to read the regulation in its entirety, but here are a few of the biggest changes:
- A data breach must be reported to appropriate authorities within 72 hours of discovery
- Upon request, you must disclose or erase all data records of an individual
- A violation can result in fines as high as €20 million or 4% of annual turnover
The GDPR technically only applies to the European Union. If your business operates out of the EU, or your customers include EU residents, you are required to comply. But most companies are being proactive and covering all their bases by treating it as a worldwide mandate in order to maintain a single policy. Become GDPR-compliant even if you don’t have to.
The regulation impacts those dealing in massive amounts of consumer data, such as data brokers and marketers. If your workflow and business model depend on acquiring and exploiting consumer data, consent must now be explicit and informed – and renewed if that use changes.
Do you collect and use the data of individuals in order to prospect? You need their permission.
That might sound like a lot of extra work – and it can be – but marketers should see it as an opportunity to become more trustworthy and responsible. The customer experience – from prospect to lead to customer to advocate – is set to become the key differentiator in the very near future. Consumers are looking for businesses that go the extra mile for them, so earn their trust, and you’ll earn their business.
Here’s how to best prospect in a post-GDPR world.
Become GDPR Compliant
We’ll say it again: become GDPR-compliant even if you don’t have to. GDPR compliance means greater accountability and governance of personal data, staff training, data protection protocols, audits, increased record-keeping, and greater transparency. It is a lot of extra work, but the payoff in consumer trust and goodwill far outweighs that startup investment of time and resources.
“GDPR adds complex new requirements for any company that gets user data secondhand, requiring a lot more transparency on what a company is doing with your data. As a result, all of those partners have to be brought into the open …” ~The Verge
If you’re processing (i.e., collecting and using) personal data, you must demonstrate a “legal basis” as outlined in the GDPR. As it relates to prospecting, we’re mainly concerned with 1) consent, 2) performance of a contract, or 3) legitimate interest (your interest as the controller, so long as it doesn’t infringe on the rights of the individual).
In order to prospect with cold email or calls, you have to be able to demonstrate at least one of these before sending that first message or making that first call.
One simple way to increase compliance is to follow the rule of data minimization. Put simply, it refers to only processing the data necessary for legitimate interest purposes.
“Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” ~GDPR, Chapter 2, Article 5
This is a smart business practice regardless of the GDPR. The less data you ask for, the more likely you’ll get an answer. And the less data you keep, the less disastrous the fallout from a data breach or hack, and the lower the risk of analysis paralysis when making decisions.
Ask yourself whether you have a legitimate interest and whether or not it infringes on individual rights and freedoms. Then, ask only for the data you actually need rather than what you might want.
In sales, that would include name, email, and maybe a phone number. Further data collection like call recording, email open tracking, and click tracking may run afoul of GDPR without explicit consent.
Data minimization is a good idea for everyone. Data minimization as it relates to the GDPR is a must.
An important reminder and warning: you are responsible for the compliance of all vendors you partner with, so choose only those that take privacy and security seriously.
Draft a data processing addendum, or DPA. This mandatory document specifies the relationship and responsibilities of all parties you share data with or receive data from. Get it in writing, and make it easily accessible.
Consent, Consent, Consent
The best way to stay compliant is to have consent from the data subject, although it’s not always possible.
Individuals must be informed within 30 days if there was no consent at the time of collection. They have the right to know what you’ve collected on them, why, how you plan to use it, how long you plan to keep it, and more. Most importantly, they can request you erase it all.
Keep and maintain a record of consent.
Using the Data
Gone are the days of automatically adding prospects to various lists based on their actions or behavior. People need to consent to specific lists beforehand. If they haven’t explicitly asked for or requested it, you can’t send it.
Many businesses are using subscription dashboards and tools for this to stay compliant, so users can quickly unsubscribe from one list, several, or all based on their preferences.
The safest route here is prior consent. That said, when prospecting with cold email, you don’t yet have that consent. So does that spell the end of email prospecting?
Not necessarily. You can still cold email if you follow a few guidelines:
- Reveal your identity and contact details
- Include an opt-out link
- Explain what data you have on them, where it originated, and what you plan to do with it
- Mention any attempt to contact them via other channels
- Ensure the message is personalized and sent to an individual
- Make sure it adheres to the “legitimate interest” clause
Be ready to explain, and be ready to handle complaints and questions.
Social Media Prospecting
Reach out and connect on social media, as the GDPR does not extend to that channel when you are only posting content and engaging with users without collecting data.
Be aware, though, that using the Facebook Pixel, Twitter Pixel, LinkedIn Matched Audiences, and many other social media features requires explicit consent.
Most of the big platforms have guidance on using their service and staying GDPR compliant. If you use a particular platform, find it and read it to know exactly what you can and can’t do. It’s always wise to engage and ask permission to send something valuable or relevant to them, and get that consent.
In addition to what we’ve already discussed, here are a few other recommendations:
- Check online for and adhere to “Do Not Call” or “Do Not Contact” lists for EU countries.
- Remember less is more when it comes to timing and frequency.
- Leverage this legal workaround: make first contact via info@, sales@, or marketing@ addresses, as these do not fall under GDPR if they’re not associated with an individual. After getting a response, ask them to refer you to the appropriate individual (there’s your consent).
Of course, new rules and regulations mean new pitfalls, as what was once legal is suddenly on the wrong side of the law.
When it comes to prospecting, one of the biggest changes relates to purchased leads. Not only does the vendor need consent, but so do you before making contact unless they’ve explicitly given consent for transfer to third parties. If yes, make sure you have that consent in your files. If not, you need consent before you can use the list.
Likewise for referrals and recommendations. In the past, you could simply state that so-and-so provided you with their name and contact details. In the post-GDPR world, that’s no longer good enough.
Instead, ask for an ‘introduction email’ in which you and the individual being referred are bcc’d in a message from the referrer. They introduce you but leave it up to the referred friend whether they consent and want to be contacted by responding to the email.