It’s no secret that data security is a buzz-worthy topic.
Our online activities leave a digital trail that can be exploited in today's digital age. While companies use this data for personalization, it also exposes us to cybersecurity risks. The General Data Protection Regulation (GDPR), introduced in 2018, addresses these concerns by establishing stringent data protection standards for organizations operating within the European Union.
Beyond data privacy, environmental and safety software is crucial for protecting our digital world. These tools help organizations minimize their environmental impact and ensure safe online interactions, creating a more secure and sustainable digital landscape.
What is GDPR?
The General Data Protection Regulation (GDPR) is a framework established by the European Union (EU) that prohibits companies from collecting, storing, or using personal data belonging to EU citizens without their explicit consent. The regulation officially went into effect on May 25, 2018.
It’s important to note that GDPR affects any organization that processes the personal information of EU citizens, including companies outside of Europe. Within your own company, these changes have likely had a big impact on your day-to-day, especially if your job title is one that frequently deals with people’s data, such as sales.
Although your company has likely already made changes to comply with GDPR policies, it’s important for salespeople to understand the effects this regulation has on their daily activities. Failure to do so could result in substantial consequences for your organization.
Instead of going through all 99 legislative articles that make up the regulation, we’ll summarize everything you need to know about GDPR compliance that directly relates to sales teams – complete with minimal legal jargon.
GDPR compliance and sales
As previously mentioned, GDPR affects any company that processes personal data belonging to citizens of the European Union. This means your company doesn’t have to be based in Europe to be bound by these regulations. Some key implications of GDPR for sales teams are:
- Data privacy by design: GDPR mandates that privacy be considered from the outset of any data processing activity. Sales teams must ensure that privacy is built into their processes and systems.
- Consent management: It is crucial to obtain explicit, informed consent from individuals before collecting and processing their personal data. Sales teams must have clear consent mechanisms in place.
- Data minimization: Only collect and retain data necessary for the specific purpose. Sales teams should avoid excessive data collection.
- Data portability: Individuals can request a copy of their data in a structured format and transfer it to another organization. Sales teams must be prepared to fulfill these requests.
- Data breach notification: In case of a data breach, companies must notify affected individuals without undue delay. Sales teams should have incident response plans in place.
- Accountability: Companies are responsible for demonstrating compliance with GDPR. Sales teams must be aware of their obligations and ensure they are met.
By understanding these key implications, sales teams can ensure that their practices align with GDPR requirements and protect the privacy of their customers and prospects.
When it comes to sales, data plays a big role in every stage of the funnel. For this reason, GDPR has had a major effect on how sales reps handle customer and prospect information throughout the sales process.
How does GDPR affect prospecting activities?
Prospecting is the activity most affected by GDPR for sales reps. This includes any outbound sales outreach, where a salesperson contacts prospects who did not voluntarily give out their information.
The GDPR outlines six different “legal bases” under which it is lawful to process or use personal data. In other words, the data controller (i.e., the sales rep) must meet at least one of the following conditions to store or use prospect information.
6 lawful bases for processing data under GDPR
- Consent
- Legitimate interest
- Performance of a contract
- Legal obligation
- Protecting vital interests
- Public interest
Regarding sales activities, we’ll mainly be looking at two of these conditions: consent and legitimate interest.
Consent
Getting explicit consent from the prospect is ideal but not always possible. One example is a prospective buyer who fills out a form to request a product demonstration. Before GDPR, it was safe to assume that a person who provides their contact information is willing to be contacted by a salesperson. Post-GDPR, it’s not that simple. It’s no longer safe to assume that a buyer is giving consent just by providing their contact information; they must tick all the boxes to deliberately opt in.
For consent to be valid by GDPR standards, the following conditions need to be met:
- Consent must be freely given
- Consent needs to be specific
- Consent needs to be informed; the person must know what they’re consenting to
- Consent needs to be unambiguous
- Consent needs to be given by a clear affirmative action or statement
For the most part, the details related to consent will affect marketers as they generate leads and create lead capture forms. However, salespeople need to be familiar with all aspects of the sales funnel in which GDPR plays a role.
Legitimate interest
If the prospective buyer did not explicitly consent, the data controller must show a legitimate interest in lawfully processing their personal data. In other words, a salesperson needs to explain why they are reaching out and, most importantly, why it is relevant or beneficial to the person on the other end. Handling someone’s personal data under this condition implies that you do so within reason.
The legitimate interest legal basis brings up a bit of a grey area since it’s subjective and can be argued for or against. To be safe, always consider if what you’re reaching out about is of value to the person on the other end or if your actions infringe on someone’s rights or freedoms. If you choose to rely on this basis, make sure you document your prospecting activities and can answer for them. We’ll touch more on this later.
What are the consequences of failing to adhere to GDPR standards?
It’s important to note that the purpose of this regulation is to protect the data privacy of EU citizens, not hand out careless penalties to companies that are genuinely doing their best to adhere to these policies.
That said, the worst offenders could face hefty fines. Companies can be fined up to four percent of their annual global turnover or 20 million euros, whichever is greater. Ouch.
But it’s important to remember that not all compliance errors will lead to harsh fines. The scope of the infringement will determine the severity of the consequence. Less severe violations can result in administrative fines such as warnings or reprimands. Either way, it’s enough to know that the EU isn’t messing around regarding compliance – it might be time to hire a chief compliance officer.
Best practices for GDPR-compliant prospecting
At the end of the day, you’d rather be safe than sorry when it comes to ensuring your prospecting activities are GDPR-compliant. Whether you’re sending a cold email or making a cold call, there are several best practices to remember.
Keep a record of your prospecting activities
Most modern sales teams use CRM software as their primary database. It’s important to record your prospecting activities as they relate to European contacts and track how the contact data landed in your CRM to begin with.
Give an opt-out
Your outreach should always provide the receiver with the option to opt out of being contacted. In emails, include a link to your company’s privacy policy and an obvious button that allows the person on the other end to unsubscribe from your emails. For phone calls, mark “Do Not Call” in your database if the person on the line requests not to be contacted.
Tip: Regarding GDPR, it’s best to be cautious. Don’t store any data you don’t need, especially if the contact has opted out of communication with your company.
Be clear and honest
When contacting a prospect, always be clear about your intentions for contacting them. If they ask how you got their data, be honest. If they ask you to delete their information from your database, honor their request. Additionally, always be prepared to answer GDPR-related questions in your outreach. You want the person on the other end to know that you and your company value their privacy and security.
Bottom line
Internet privacy is important, and increased security risks require governments to take more drastic measures to protect their citizens. We’ve covered the basics of GDPR for sales, but you should contact internal resources within your organization if you want more specific legal information.
For most salespeople, as long as you have a general understanding of GDPR compliance and approach sales prospecting with it in mind, you should be in the clear. Happy (compliant) hunting!
This article was originally published in 2019. It has been updated with new information.

Izabelle Hundrev
Izabelle is a Partner Marketing Specialist at InStride and a former content specialist at G2. Outside of work, she is passionate about all things pop culture, food, and travel. (she/her/hers)