A Winmo Primer on GDPR and Marketing and Sales Data Protection Best Practices
Notice: This is for discussion purposes only. Winmo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of the GDPR or any other rule or regulation. To understand how the GDPR or any other law impacts you or your business, you should seek independent advice of qualified legal counsel. We recommend Simon Stokes, Partner at Blake Morgan (blakemorgan.co.uk).
The upcoming date of May 25th is on the minds of many advertising and media sales professionals: the day the new General Data Protection Regulation (GDPR) goes into effect. Winmo is a data processor, and we believe our customers are also data processors. With that in mind, many of our customers have asked how they should prepare–and how Winmo is preparing as well. This brief primer provides practical tips to help advertising sales teams be prepared and meet the changing regulations while also leveraging a sales intelligence solution like Winmo.
The first question you need to ask is whether – and to what extent – the GDPR applies to you.
The GDPR applies to your processing of personal data if (1) your company is “established” within the European Union (EU), (2) you are processing data on persons in the EU to whom you are offering goods or services, or (3) you are “monitoring” the behavior of individuals in the EU. (General Data Protection Regulation, Regulation (EU) 2016/679, April 27, 2016 (“GDPR”), Article 3.)
“Established” means doing business in the EU through a branch or subsidiary, but the GDPR is clear that it is a substantive definition, not a formalistic one. (See Id. Recital (22).) If you have employees or contractors who work for you in the EU, you will want to analyze this more carefully.
If you are not established in the EU, next you need to figure out if you are offering goods or services to data subjects (people whose data you possess) in the EU. We believe the GDPR, based on its plain language, does not apply to B2B marketing under this test, because the offer is to the employer, not the employee. (See Id. Art. 3(2)(a) (“The Regulation applies . . . where the processing activities are related to . . . the offering of goods or services . . . to such data subjects in the Union[.]”) (emphasis added).) In basic terms B2B companies are offering goods and services to companies, not the data subjects AT those companies – their products and services are for the benefit of the company, not the consumer (data subject) – think of this as the difference between selling a vacation cruise to a person over the phone or email vs. selling a sophisticated firewall or backup solution to a company. Be cautious. This is a gray area that may require you to seek additional guidance.
Lastly, the GDPR applies to you if you are “monitoring” persons in the EU, which the GDPR explains means tracking them on the internet in order to make decisions or predict preferences, behaviors, and attitudes. (See Id. Recital (24).) So, if you are simply processing business contact data and using it to reach out to prospects, that would not appear to constitute monitoring. But doing something more sophisticated to predict what a particular person does based on their internet activity, we recommend that you also need to look at this more closely.
In sum, if you have strictly U.S. based operations and the extent of your EU data is business contact information for B2B sales and marketing, we believe that the GDPR may not apply to you.
Assuming GDPR applies to you, in order to process personal data, you need a lawful basis to do so. (GDPR Art. 5(1)(a).) There are six different lawful ways to process personal data under the GDPR: (a) consent of the data subject; (b) performance of a contract to which the data subject is party; (c) compliance with a legal obligation of the controller; (d) protection of the vital interests of the data subject or of another person; (e) performance of a task carried out in the public interest or official authority; (f) for purposes of the “legitimate interests” pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject. (Id. Art. 6(1)(a)-(f).)
For the remainder of this article, we will focus on legitimate interests and consent as we understand that our clients fall into one of these lawful bases.
The biggest myth about the GDPR is that consent is the ONLY way to lawfully process personal information on EU subjects.
While consent is one basis for lawful processing, it is not the only one. (GDPR Art. 6(1)(b)-(f).) According to Elizabeth Denham, UK Information Commissioner, “Consent is one way to comply with the GDPR, but it’s not the only way.” Most of our customers will process under the “legitimate interest” basis, which includes direct marketing purposes. (See Id. Art. 6(1)(f), Recital (47).) In that case, you do not need to obtain consent, but you do still need to provide the person with a notice that you have their data. (See Id. Art. 14.) That notice needs to include all of the information from the section on consent above, plus (1) the fact that you are relying on direct marketing purposes as your legitimate interest and (2) the source of the data.
The good thing is that you are allowed to provide the notice the first time you communicate with the person (but no later than one month from when you obtained the data). So, if you obtain a list for email marketing, you can include the notice with your first message.
Consent requires you to get the data directly from the data subject. Perhaps a prospect provided their information when visiting your website. In order to use that data, you need to make sure the consent is clear and unambiguous. You also need to provide certain information at the time you obtain the consent, including: (1) who you are, (2) the purposes for which you will use the data, (3) who you will be transferring it to (if anyone), (4) if you are in the EU and intend to transfer it out of the EU, the countries where you intend to transfer it and the existence or absence of an adequacy decision by the European Commission with regard to the safeguards such countries have in place for the protection of personal data, (5) how long you intend to keep it, (6) the person’s right to correct the data or have it erased and to withdraw their consent, (7) the right to lodge a complaint with the supervising authority, and (8) whether you are using any automated decision-making or profiling. (Id. Art. 13(1)-(2).)
Whenever you are processing someone’s data, they have certain rights under GDPR. (See GDPR Arts. 15-21.) They always have the right to ask you what data you have on them, and for the other information that’s required in the above-mentioned notices. They also have the right to make you correct the data if it is wrong, or delete it or object to processing. If you have transferred it to anyone else and the person requests deletion, you also need to tell whomever you transferred it to that the data subject requested deletion.
You are also required to implement “appropriate technical and organizational measures” to ensure you are complying with GDPR, including appropriate compliance policies. (GDPR Art. 24(1); Art. 32(1).) These measures may take into account what is appropriate given the nature of the data and the purpose for which it is processed. (Id. (“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons . . . .”).) The regulation as a whole seems clear that processing business contact information for B2B marketing does not require procedures that are as stringent as those that would need to be in place for processing, for example, sensitive health information.
You also need to maintain records of compliance, which include maintaining much of the information already discussed with respect to particular data. (Id. Art. 30.) However, you are not required to maintain these records if your organization has fewer than 250 employees. (Id. Art. 30(5).)
If there is a data breach, GDPR imposes notification requirements, both to the data subjects and to the supervisor authorities. (GDPR Arts. 33-34.) However, notification is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” (Id.) If we are talking strictly about business contact information, we think a breach notification may not be required.
The GDPR is extensive and complicated. We have tried to summarize a few key areas, but we cannot explain the entire 88-page regulation here. This guidance is intended to apply to your use of business contact information for your own B2B sales and marketing purposes. Other uses and other kinds of data may impose significant additional obligations. As always, you should consult with an attorney for a full analysis of your rights and obligations under applicable law.
Data is at the heart of prospecting. Although there are new regulations on the road ahead, data management should already be a part of your sales and marketing operations. The impending GDPR effective date should be seen as an opportunity to implement better data management practices, which will also help establish and maintain trust with your customers.
If you’re just getting started, here are some key best practices to consider.
A data management team should consist of the core stakeholders who are impacted by your company’s use of data. The team should be established to focus on maintaining the integrity and protection of your prospect database.
The data management team’s first task is to evaluate:
If you use a Marketing Automation or CRM tool, you should understand what your chosen vendor is doing to protect your prospect and customer data, including access controls, regulatory compliance, and information and application security processes and tools. In addition, explore existing functionality that may be helpful in preserving your data. This may include roles and permissions of users, history of user activity and/or data updates, and the ability to enable/ disable automatic data capture. Documenting the flow of data throughout your systems may be necessary to visualize what and who has access.
It is important to be aware of the type of data that is being collected and stored within your database. Processing sensitive information, versus simply business contact information, carries with it additional obligations. Sensitive information includes:
Generally speaking, B2B sales and marketing does not require processing sensitive personal information; however, if you do possess any of the foregoing types of data on your prospects, keep in mind that your legal obligations to obtain consent and to protect the security of that data are much, much higher under the GDPR and other laws.
Part of complying with data protection obligations is showing that you understand where your data comes from, how it is maintained, and the legal justification for processing it (discussed below). This means you need to consider tracking additional data points on your prospecting records. For example, Lead Source may already be a value tracked within your database. Depending on the number of data sources feeding an individual contact record, you may need to expand this out to account for additional sources of data. In addition, it should be noted when and how data was obtained (i.e. via form fill, badge scans at an event, 3rd party data appending). Most Marketing Automation (MAT) and Customer Relationship Management (CRM) tools have the ability to timestamp the population or update of individual fields.
Once you understand the data you have, how you collect it, and are tracking the appropriate metadata, you should develop clear policies that outline your data practices and your plan for compliance. Your data protection plan should address issues around data gathering, notification requirements (if any) and practices, the purposes for which data will be used, practices for updating data and purging old data, and security practices and procedures.
Winmo is dedicated to GDPR compliance, and we have GDPR and privacy experts on our executive team who are working hard to ensure full compliance with the regulation in our data practices. These include our U.S. based General Counsel, our U.K. based Specialty Counsel and our Vice President of Product & Content.
Winmo will continue to process only business contact information for US and UK contacts: company, job title, work email address, work phone number, etc. We do not provide sensitive personal information of any kind, e.g. health information, political or religious ideology, internet search history, etc. We simply provide information of the type that is typically found on a business card, an email signature block, or a public professional profile.
Winmo has also nominated our Vice President of Product & Content to serve as the company’s Data Protection Officer. This person will be responsible for several things, including: