The GDPR, otherwise known as the General Data Protection Regulation, is a legislation package that passed in the European Union that has international implications. While most laws apply to a specific nation or region, the GDPR affects anyone handling the personal data of EU citizens. To further understand this topic, we should break down some key elements and make some distinctions.
How Does GDPR Differ from PECR?
The Privacy and Electronic Communications Regulation, known simply as PECR, is legislation passed in the early 2000s that restricts unsolicited direct marketing, including both cold emails and calls. Meanwhile, the GDPR is more specifically targeted at how data is handled, collected, processed, and used. Being compliant with one of the GDPR or PECR does not exempt you from the other; you must be compliant with both to avoid hefty penalties and restrictions.
How Does GDPR Define Personal Data?
According to the GDPR, personal data is information that can be used to identify an individual, and includes (but is not limited to):
- Name
- IP Address
- Physical Address
- Phone Number*
*While the GDPR is vague on whether or not phone numbers are considered personal data, it's better to say that they are and process them in the same manner.
Does GDPR Affect B2B Data?
Even if you're dealing with B2B data, you must remain GDPR compliant. Even if you're handling work emails (e.g., rebecca@business.com), they still fall under personal data. There are some nuances with this, however. Official business emails, for example contact@business.com, do not necessarily have the same protections, as the GDPR specifically states that the protections apply to "natural person(s)". Even with this information in mind, it is often better to err on the side of caution.
What Are the GDPR Penalties?
The penalties for failing to comply with GDPR, even in a nation outside the EU, are quite severe, especially for small and medium businesses. The law falls into the domain of international law, thereby allowing the EU to pursue damages from foreign markets. As for the penalties themselves, whichever of the two variations is higher is the bill your organization will be footing: €20 million or 4% of your organization's "total worldwide annual turnover of the preceding financial year".
How to Be GDPR Compliant?
The answer to this question depends on the size of your firm. If your firm maintains less than 250 employees, you must maintain everything a smaller business does with additional steps. There are several ways in which you may legally justify your use of data and contacting an individual; the most relevant and valuable to an outbound sales firm is known as "Legitimate Interest". While there are other cases, such as the "necessary performance of a contract" or the individual having "explicitly consented to the proposed transfer", legitimate interest is going to be your go-to.
In Article 49, section 1, subsection g, we can find the following:
"the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case."
The controller (your business) must have a legitimate reason for collecting data and contacting an individual. This means that your ICP (Ideal Customer Profile) should be established and that your outreach is laser-focused. In sales outreach this would seem like a no-brainer; however, this limitation may actually improve your team's performance. In other words, targeting someone who is most likely to buy your goods or services is considered a legitimate interest, under which you may contact them for the purposes of B2B sales.
Yet, there are some steps you must be aware of in the interim. You must allow individuals access to their own data upon request; if they file a request for the data you've collected on them, you must deliver to them everything you have that is associated with that particular individual. You must also allow them to opt out, should they withdraw their consent or feel your contact isn't relevant to them.
Additionally, through the Records of Processing Activities portion of the GDPR (Article 30), you must maintain a thorough record regarding said data. This includes the security measures used; third parties who also process the data; the name and contact details of the controller (the organization that decides the purpose and means of processing); the controller's representative's and data protection officer's details; the purpose of the processing; the categories of current and future recipients of the data; all transfers of personal data; and when the data will be deleted.
Furthermore, you must inform the individual that you've collected their data, and the timing depends on how it was obtained. If the data is obtained directly from the individual (Article 13), the individual must be notified immediately. However, if the data is not obtained from the individual (Article 14), they must be informed in no more than one month.
While this is not a complete list for all cases, it is recommended to both seek legal counsel and read the GDPR itself to ensure that you're in compliance with the requirements.
What Changes When I Have 250+ Employees?
Within the GDPR it is stated that any organization with more than 250 employees that is handling personal data must meet a few more requirements. Chief among them is assigning a Data Protection Officer, whose role is to inform and advise the controller or processor and the employees who handle the processing of personal data; monitor compliance with the GDPR; conduct training and raise awareness; provide data protection impact assessments; cooperate with the supervisory authority; and act as a point of contact for the supervisory authority on issues related to processing and consultation.
There are, of course, other considerations to bear in mind; however, this does not stop the world of outbound sales.
What is the Best Solution for B2B Outbound Sales?
When it comes to the topic of outbound sales, given the complexity of the GDPR, PECR, and other international laws, it would be safe to say that it's best to rely on an external team to manage these processes. With professional expertise, legal compliance, and a hands-on approach, hiring a third-party sales outreach firm is the safest choice for your organization, especially considering that it's the responsibility of the outsourced firm to ensure their own compliance.
In regard to cold email campaigns in the modern legal climate, it's incredibly important to ensure that you have first established who your customers and clients are through ICP research. While this has always been true, in the past the only consequence of failure was a failure to convert leads into closed deals, a failure resting solely with the sales staff you hired.