What sales and marketing teams need to know about GDPR

Jennifer Hall, Monday 26 February 2018

One of the biggest-ever shake-ups in EU data protection law is on its way – and for sales and marketing teams, it’s something you simply cannot afford to ignore.

GDPR, which stands for General Data Protection Regulation, comes into force on 25 May 2018. It applies to any business that operates in the UK and so has implications for millions of firms worldwide.

The regulation is designed to strengthen and protect the rights of EU citizens regarding how businesses use their personal data. It sets out clear reasons why businesses might legally gather and use personal data, and how they should go about doing so.

Why do you need to be up to speed on GDPR?

Because it’s a big deal!

The financial penalties for getting it wrong are hefty (up to a cool £20 million, or 4% of worldwide annual turnover, whichever is higher) and there’s no quick fix.

Basically, if you collect, hold and process any type of ‘personal data’ – which most businesses do – then you need to have a plan. If you don’t and you wait until the last minute to get your head around it all, then you could find yourself in some very hot water.

Who is responsible for GDPR compliance?

As the basis of GDPR is data protection, it’s likely that the weight of responsibility may fall on the shoulders of marketing teams. After all, it would seem a natural fit.

As marketers, you are likely to hold and process lots of data that will fall under the remit of GDPR. For example, you may be building a database of customers and prospects, using contact lists to send out email campaigns, or using telemarketing to generate leads.

But GDPR has implications for any department that processes personal data, from marketing and sales, to HR and accounting. It’s not simply a challenge for marketing alone.

Whoever is tasked with heading up the whole compliance process needs to look at the big picture. It should be a cross-company effort that considers all the data the company holds and all the systems involved in its collection and processing.

If your company is large, with 250 or more employees, then you’ll also be legally required to appoint a dedicated Data Protection Officer (DPO).

For more advice on getting started and ensuring your business is GDPR compliant, we’ve put together this free checklist: 12 easy steps to GDPR compliance

 


How is GDPR likely to affect sales and marketing?

Anyone working in sales and marketing needs to be up to speed on GDPR and what its implications are. Your planning will depend on you knowing exactly what’s what and ensuring your processes are lawful.

Four key issues that teams need to be aware of are:

  • Personal data – what GDPR classifies as personal data
  • Legal bases – what the legally permissible reasons for processing data are under GDPR
  • Legitimate interests – why legitimate interests is likely to be the legal basis behind many types of sales and marketing activity
  • Consent – what GDPR deems as consent and the implications this has for existing and new data

 

What does GDPR classify as personal data?

GDPR is being introduced to better protect personal data, in part because current laws are struggling to keep up with all the digital advancements that are being made.

The regulation bolsters existing data protection rules and takes them to a whole new level. Personal data, in the eyes of GDPR, covers any information that could be used to identify a person, either directly or indirectly. This includes name, email address, telephone number, ID number and IP address, and also online handles and pseudonyms.

‘Sensitive’ data is covered too, including genetic data and biometric data, such as fingerprints, retinal and facial recognition.

 

What are the ‘legal bases’ under which you can process personal data?

To lawfully process personal data under GDPR you need to have a legally acceptable reason for doing so. GDPR specifies six options:

 

  • Consent
  • Contractual necessity
  • Compliance with legal obligations
  • Vital interests
  • Public interests
  • Legitimate interests

You must determine which legal basis you will be working under, before you begin processing any data. You also need to let individuals know exactly what that basis is, within a clear privacy notice.

Legitimate interests and consent are the most likely choices for sales and marketing activity. Just be aware that if you rely on either of them, there are specific requirements and conditions that must be met.

 

What is legitimate interests?

Legitimate interests is the most flexible legal basis and, along with consent, is the one that lends itself most easily to sales and marketing activities. But that doesn’t mean you have a free pass to do whatever you want.

There are three elements to it. You need to identify a legitimate interest for the data processing, show that the processing is necessary to achieve it and prove you have balanced this against the interests, rights and freedoms of the individual.

The legitimate interests can be your own interests or the interests of third parties, and can include commercial interests, individual interests or broader societal benefits.

 

What is a Legitimate Interests Assessment (LIA)?

If you decide to use legitimate interests as a lawful basis, then a Legitimate Interests Assessment (LIA) must be completed in all cases. An LIA is basically a risk assessment that ensures you’ve gone through a comprehensive decision-making process and have balanced your own interests against those of the individual.

There is no standard format for doing this; however, you must be able to prove you’ve considered everything and can justify the outcome.

The Information Commissioner’s Office (ICO), the organisation tasked with enforcing GDPR in the UK, is expected to release further guidance on this at some point. In the meantime, the Data Protection Network has put together this handy Legitimate Interests Assessment template.

 

What types of activity might legitimate interests cover?

While GDPR doesn’t detail all the circumstances under which legitimate interests may apply, there is one overriding rule – the rights of the individual are the most important thing. If the interests of the data controller (you) are overridden by the interests or rights of the individual, then legitimate interests can’t be used as the legal basis. If the same result can be achieved in a different way, then it also doesn’t apply.

For example, in the case of direct marketing, if an individual objects to receiving your communications then your legitimate interest as a controller will be overridden.

Again, the DPN has pulled together a detailed overview, along with examples, which can be downloaded here.

 

What is classed as consent?

Consent is about transparency and it must be freely given, never just assumed. You need to explain to individuals who you are, what you want their data for and how it will be used. As we’ve mentioned, you also need to specify the legal basis under which you will be processing it.

Consent needs to be given for a specific and specified reason. What you write must be clear and it cannot be hidden away or bundled up within other terms and conditions. In short - individuals need to know what they’re signing up for.

What you can’t do:

  • Use an automatic opt-in function
  • Use a pre-ticked box to opt someone in
  • Use ambiguous or confusing language
  • Ask for consent as part of gaining approval for other terms and conditions

The emphasis is on you as a company to prove that any data was collected and is being processed in a lawful way. You need to have a strong system in place for recording what consent has been given, when and what for. You will need to provide this as evidence in the case of a complaint.

If you have existing data, then you will only be able to continue using it if it ticks all the GDPR boxes. Otherwise, you will need to gain consent again, in a GDPR compliant way.

 

Don’t forget about PECR

Remember, all your electronic marketing (emails, text messages, telemarketing) needs to comply with GDPR rules, but it also needs to meet the UK’s Privacy and Electronic Communications Regulations (PECR).

If you’ve not refreshed your knowledge recently, then now is a great time to do so. You can find out more about the regulations here.


DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: www.ico.org.uk
