GDPR Guideline for Direct Marketing Purposes
Notice: This is for discussion purposes only. Sales.Rocks is not qualified to provide legal advice of any kind, and is not an authority on the interpretation of the GDPR or any other rule or regulation. To understand how the GDPR or any other law impacts you or your business, we encourage you to seek independent advice of qualified legal counsel.
May 25, 2018, is an important date for many sales and marketing professionals: it is the day the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) became applicable across the EU (it had formally entered into force in May 2016, with a two-year transition period). Sales.Rocks is a marketing enablement platform that builds its data set from publicly available sources, so many of our clients ask us how we gather this data and what it means for them. This brief primer provides practical tips to help sales and marketing teams meet the regulation while leveraging a sales and marketing enablement solution like Sales.Rocks.
Does the GDPR apply to me?
This is the basic question to start with. Under Article 3 of the GDPR (Regulation (EU) 2016/679), the regulation applies to your processing of personal data if:
- your company is established within the European Union (EU), regardless of whether the processing itself takes place in the EU
- you are not established in the EU, but you process data of persons who are in the EU in connection with offering them goods or services (whether or not payment is required)
- you are not established in the EU, but you are “monitoring” the behavior of individuals in the EU, as far as that behavior takes place within the EU
Established vs. not established in the EU
What does it mean to be established in the EU?
“Established” refers to doing business in the EU through a branch, a subsidiary or any other stable arrangement through which you carry out real activity; the legal form does not matter. If you have employees or contractors who work for you in the EU, the GDPR will generally apply too.
What if I am not established in the EU?
For organizations located outside the EU the test is different: the GDPR applies if your processing relates to offering goods or services to persons who are in the EU, or to monitoring their behavior there (Article 3(2)). It is not enough that a data set happens to contain information about EU residents; the connection to offering or monitoring is what brings the processing into scope. Note also that the regulation protects persons who are in the EU, not EU citizens as such. Where you have strictly U.S. based operations and the extent of your EU data is business contact information used for B2B sales and marketing, the GDPR may not apply to you. Be careful with that conclusion, though: actively soliciting prospects located in the EU can itself be treated as offering goods or services to them, so check which side of the line your campaigns fall on.
Does this apply if I am monitoring persons in the EU?
Yes. “Monitoring” persons in the EU means tracking them on the internet, for example by profiling them, in order to make decisions about them or to analyze or predict their preferences, behavior and attitudes (Recital 24). Simply processing business contact data and using it to reach out to prospects would not appear to constitute monitoring. Doing something more sophisticated, such as predicting what a particular person will do based on their internet activity, does fall under this prong of the regulation.
The GDPR applies to me! Now what?
If the GDPR applies to you, every processing of personal data you carry out (collecting, storing, enriching, sending a campaign) needs a lawful basis, and you should identify and document that basis before you start.
There are six lawful bases for processing personal data under the GDPR (Article 6(1)); processing is lawful only if and to the extent that at least one of them applies:
- consent of the data subject
- performance of a contract to which the data subject is a party
- compliance with a legal obligation of the controller
- protection of the vital interests of the data subject or of another person
- performance of a task carried out in the public interest or official authority
- the “legitimate interests” pursued by the controller or by a third party, provided those interests are not overridden by the interests or fundamental rights of the data subject
How does the GDPR affect marketing?
Direct Marketing vs. processing personal information on EU subjects
It is a myth that consent is the ONLY way to lawfully process personal data on EU subjects under the GDPR. Consent is one lawful basis, but not the only one. Most of our customers will process under the “legitimate interests” basis; Recital 47 of the GDPR states that processing for direct marketing purposes may be regarded as carried out for a legitimate interest. Relying on this basis still requires you to weigh your interest against the rights and interests of the person (and to record that assessment), and it never overrides the person's right to object to direct marketing, which must be honored without exception (Article 21(2) and (3)). Separately, national rules implementing the ePrivacy Directive may require consent for unsolicited email to individuals even where your GDPR basis is legitimate interests, so check the rules of the countries you send to.
In this case, because you did not obtain the data from the person directly, you must give them a notice that you have their data (Article 14). This notice needs to include all of the information listed in the section on consent below, plus the categories of data you hold, the source you obtained it from, and the fact that direct marketing is the legitimate interest you rely on.
The positive thing is that you may provide this notice the first time you communicate with the person, but no later than one month from when you obtained the data (Article 14(3)). So, for example, if you obtain a list of email addresses for marketing, you can include the notice, or a link to it, in your first message; if that message goes out within the month, it must carry the notice.
What does consent refer to?
Consent as a lawful basis is most relevant when you got the data directly from the data subject, for example a prospect who provided their details when visiting your website or downloading your whitepaper. To rely on consent it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: a pre-ticked box or inactivity does not count, you must be able to demonstrate that consent was given, and the person must be able to withdraw it as easily as they gave it (Articles 4(11) and 7).
Furthermore, you will need to provide certain information at the time you obtain the consent (Article 13), including:
- who you are, with your contact details
- the purpose for which you will use the data, and the lawful basis you rely on
- who you will be transferring it to (if anyone)
- if you are in the EU and intend to transfer it outside the EU, the fact of the transfer and the safeguards you rely on
- how long you intend to keep it, or the criteria you use to decide that
- the person’s rights to access and correct the data or have it erased, and to withdraw their consent at any time
- the right to lodge a complaint with a supervisory authority
- whether you are using any automated decision-making or profiling, and if so the logic involved and its consequences for the person
What rights do data subjects have?
The people whose data you are processing have certain rights under the GDPR, and you must be able to honor them (generally within one month of a request):
- to ask whether you hold data on them and to receive a copy of it, together with its source, the purposes and how long it will be kept (right of access)
- to ask you to correct the data if it is wrong (rectification)
- to ask you to delete it (erasure)
- to object to the processing; an objection to direct marketing must always be honored, and the data may no longer be used for that purpose
- to be told to whom you have disclosed the data, and to have those recipients informed of any correction or erasure
How we implement GDPR in Sales.Rocks
Sales.Rocks processes only business contact information for EU contacts: company, job title, website URL, work email address, work phone number, etc. We do not provide sensitive personal information of any kind, e.g. health information, political or religious beliefs, internet search history, etc. Our platform only provides information that is typically found on a business card, an email signature block, or a public professional profile (e.g. LinkedIn). Note that a named work email address or job title is still personal data under the GDPR; it is simply not special-category data, so the obligations described above still apply to it.
Sales.Rocks has a Data Protection Officer who is responsible for:
- monitoring the company’s compliance with the GDPR
- maintaining comprehensive records of all data processing activities conducted by the company
- serving as the point of contact between the company and the supervisory authorities
- providing advice where requested on data protection impact assessments and monitoring their performance
- training staff involved in data processing
- educating the company and employees on important compliance requirements
- conducting audits to ensure compliance and address potential issues proactively
The GDPR topic is very extensive and complex. This guidance is intended to apply to your use of business contact information for your own B2B marketing purposes. Other uses and other kinds of data may impose significant additional obligations. For a full analysis of your rights and obligations under applicable law, please consult with an attorney.