Learn how the new EU GDPR regulations will affect your marketing strategy, and what you can do about it.

I know a lot of people are not going to be happy to hear this, but the days of buying contact lists are over. GDPR (or for those of you that don’t know the acronym, the General Data Protection Regulation) has been creating confusion for some time now, and companies are starting to scramble to demonstrate compliance (which will be mandatory by spring of 2018). Although there are some grey areas to the law (passed by the European Commission in April of 2016), one thing is crystal clear: if you purchase a list of prospects with the intent of emailing them, you are breaking the law.

How can that be, you say? Well, I’ll tell you. Data brokers may claim that they have obtained opt-ins from their lists of contacts, but the fact of the matter is that they didn’t get them specifically for you. Opting-in to receive information from one company and then being contacted by another (even if they are a “partner”) is not allowed; so unless you reach out to a prospect and explicitly obtain consent for you (and only you) to send them an email, you are not in compliance with GDPR.

What is consent, you say? The GDPR law states that consent is a “clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement”. (So, pre-ticked boxes, inactivity or silence cannot constitute consent). Moreover, “when the processing has multiple purposes, consent should be given for all of them.” And, “where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation”. *

OK, so I know that’s a mouthful, but basically it means that:
  1. You need explicit permission from a contact in order to use their data;
  2. They need to know who you are, and what you plan on doing with their data; and
  3. You need to prove that the contact gave you permission to use their data for a specific purpose (or purposes).

What would constitute proof, you say? Well, I’ll tell you. Basically, for every prospect a data broker supplies, they will need to provide you with screenshots of online forms filled in by a prospect proving email opt-ins for you to send them information (including the exact dates and times when a prospect opted-in and for what). A data broker will also need to demonstrate that they store and transfer all data securely and that a prospect can have their data modified or deleted at any time upon request (which, with data brokers, is basically impossible regardless of what they tell you).

But I thought the GDPR only applied to “personal” data, you say? Well, it does, but the GDPR definition of what constitutes personal data is vast — for example, an IP address is considered personal data. A professional email address is also personal data. If your data relates to an identifiable living individual, whether in personal or family life, business or profession, the data is considered “personal.”

Of course, distinctions are made between “personal data” and “special categories of personal data” (or sensitive data) which includes things most B2B companies would never collect (such as race, religion, sexual orientation or biometric/genetic data); but let’s be clear — GDPR is not only relevant to the B2C space, but the B2B one as well. And this applies whether you are located in Europe or not (as long as you are handling the data of contacts located in Europe).

Data brokers are considered data “processors” because they obtain, hold and process data. Thus, they are subject to the GDPR (as are all companies that operate in Europe in any capacity, in fact, because GDPR also applies to Human Resources departments collecting data on employees) and they could also be accused of security breaches by transferring data to you (since for sure no-one would give them permission to sell their data to someone else, now would they!).

Are you starting to get the big picture now? So if I can’t buy data, what can I do, you say?

Here are some things you can do to ensure GDPR compliance when carrying out your marketing campaigns:

Implement traceability and transparency

One of the key measures you are going to need to take for GDPR compliance is to make sure that data-handling and storage processes are secure, transparent and completely traceable. You’ll need to work with suppliers who can provide you with the details on how data was obtained, who has access to it, and how it can be suppressed should a prospect no longer wish to grant you permission to use their contact details.

Use telemarketing to obtain opt-ins

The law allows for telemarketing in the B2B space, so you can call a company and navigate by phone to find the right decision-makers you would like to target. You cannot send an email prior to calling, but you can set the stage for obtaining consent. Oral consent is allowed by the law, and CRM time stamps and call logs can help serve as proof. If you are using an external agency for telemarketing, they must stipulate who they are and that they are calling on your behalf; the reason for their call should be clear and the call-to-action (sending an email and/or receiving a call-back from one of your specialists) explicitly agreed to.

Always allow your prospects to opt-out

Because GDPR states that prospects have the right to disallow use of their personal data (including professional email addresses) at any time, every email you send to someone needs to include an easy option to opt out. You should include a disclaimer at the bottom of each email explaining why they are receiving the message, and what steps need to be taken should they no longer wish to receive information from you. Providing an unsubscribe link should suffice for this purpose, but on the back-office side, you need to ensure the suppression of that contact person’s details from your database of prospects. If you email a contact after they have opted out, you are in breach of the law.

Enable prospects to call you back

GDPR will also put an end to anonymous phone calls and masked IDs. The law requires that the individual being called have the ability to call back the person trying to reach them, so prospects need to see a valid phone number every time you make a dial-out. Smart telemarketing outsourcers will provide this service free of charge. To enhance the ‘user-experience’ even further, we recommend the creation of an ad-hoc help-desk service to centralize all inbound inquiries under one roof. That way your receptionist is not going to get bombarded with calls that he/she can’t handle.

Require your outsourcer to use secure data transfer methods

Using Dropbox (whose user terms and conditions stipulate that whatever is stored on their site they own), Skype or other free online tools is not allowed under GDPR for transferring personal data. Secure systems may include cloud-based bespoke applications or lead delivery portals that require access through a username and password. Just sending unprotected Excel files over email may not be a viable method of transfer, as it could trigger security breaches (if you send them to the wrong person by accident, for example).


Being GDPR-compliant will take time and thoughtful planning, but that doesn’t mean you are going to have to completely halt your direct marketing initiatives. Working with the right people and using the right tactics will help ensure compliance.

