How Do We Use GDPR for Marketing Purposes?
Notice: This is for discussion purposes only. Sales.Rocks is not qualified to provide legal advice of any kind and is not an authority on the interpretation of the GDPR or any other rule or regulation. To understand how the GDPR or any other law impacts you or your business, we encourage you to seek the independent advice of qualified legal counsel.
After 10 months in effect, there is still a lot of confusion when it comes to implementing the General Data Protection Regulation (GDPR) in everyday business practice.
One common misconception among outbound marketers is that all contacts need to be “opt-in” under the GDPR. Some of them ask their email contacts for consent, several times, just to be sure. Opt-in consent is one way to comply with the GDPR – but it is not the only way.
Actually, there are 5 other legal bases to process personal data under the GDPR:
- Performing a contract with the data subject
- Complying with a legal obligation of the controller
- Protecting the vital interests of the data subject or of another person
- Performing a task in the public interest, or for an official authority
- Pursuing the “legitimate interests” of the controller, or of a third-party data subject
Is direct marketing a legitimate interest?
According to the GDPR, our marketers at Sales.Rocks are permitted to process personal data on the basis of legitimate interest, and to keep the data until we notice it is no longer valid. This does not mean that our marketers are authorized to gather data on every subject we think we need. We only process information that is available to the public.
Primarily, when we gather data for direct marketing, we consider the balance of interests and the nature of the data, in order to ensure that our “legitimate interest” is not overridden by the interests, or the fundamental rights and freedoms, of the data subject. Before we send the gathered data to our clients, it passes through our data processors. If sensitive information is included, it is selected and added to the do-not-call list.
Who has access to our data?
When implementing technical and organizational measures, we take into account the nature, scope, context and purposes of the processing. We also consider the risks, of varying likelihood and severity, to the rights and freedoms of natural persons by determining:
- Where the servers are located
- Who has access to the data
- In which ways the data can be viewed or changed
Our staff computers can only be accessed by persons with access permissions. They are also protected from all forms of external access. Moreover, for security purposes, we use two-factor authentication to comply with GDPR standards. The passwords we use are personal and strong, and are changed every 3 months.
GDPR compliance was not created to limit your ability to grow your business within the European Union. Instead, it motivates marketing and sales professionals to follow good business practices and to gather their data in lawful ways.