January 30th, 2018 | by

Notice: This is for discussion purposes only. DiscoverOrg is not qualified to provide legal advice of any kind and is not an authority on the interpretation of the GDPR or any other rule or regulation. To understand how the GDPR or any other law impacts you or your business, you should seek independent advice of qualified legal counsel.

May 25, 2018 is a date on the minds of many sales and marketing professionals: the day the new General Data Protection Regulation (GDPR) goes into effect. DiscoverOrg is a data processor, and we believe our customers are also data processors. With that in mind, many of our customers have asked how they should prepare–and how DiscoverOrg is preparing as well.

This brief primer provides practical tips to help sales and marketing teams be ready and able to meet the changing regulations while leveraging a sales and marketing intelligence solution like DiscoverOrg.


The GDPR deadline is looming. Does the GDPR apply to me?

Scope of GDPR


The first question you need to ask is whether – and to what extent – the GDPR applies to you.

The GDPR applies to your processing of personal data if (1) your company is “established” within the European Union (EU), (2) you are processing data on persons in the EU to whom you are offering goods or services, or (3) you are “monitoring” the behavior of individuals in the EU. (General Data Protection Regulation, Regulation (EU) 2016/679, April 27, 2016 (“GDPR”), Article 3.)

If you’re established in the EU

“Established” means something like doing business in the EU through a branch or subsidiary, but the GDPR is clear that it is a substantive definition, not a formalistic one. (See Id. Recital (22).) If you have employees or contractors who work for you in the EU, you will want to analyze this more carefully.

If you’re not established in the EU

If you are definitely not established in the EU, next you need to figure out if you are offering goods or services to data subjects (people whose data you possess) in the EU. We think the GDPR, based on its plain language, does not apply to B2B marketing under this test, because the offer is to the employer, not the employee. (See Id. Art. 3(2)(a) (“The Regulation applies . . . where the processing activities are related to . . . the offering of goods or services . . . to such data subjects in the Union[.]”) (emphasis added).) In layman’s terms, B2B companies are offering goods and services to companies, not to the data subjects AT those companies; their products and services are for the benefit of the company, not the consumer (data subject). Think of this as the difference between selling a vacation cruise to a person over the phone or email vs. selling a sophisticated firewall or backup solution to a company. But it is a gray area that needs additional guidance.

If you’re “monitoring” persons in the EU

Lastly, the GDPR applies to you if you are “monitoring” persons in the EU, which the GDPR explains means tracking them on the internet in order to make decisions or predict preferences, behaviors, and attitudes. (See Id. Recital (24).) So, if you are simply processing business contact data and using it to reach out to prospects, that would not appear to constitute monitoring. But if you are doing something more sophisticated to predict what a particular person does based on their internet activity, you will need to look at this more closely.

In sum, if you have strictly U.S. based operations and the extent of your EU data is business contact information for B2B sales and marketing, we think the GDPR may not apply to you.

Okay, the GDPR applies to me. Now what? (Lawfulness of Processing)

Assuming GDPR applies to you, in order to process personal data, you need a lawful basis to do so. (GDPR Art. 5(1)(a).) There are six different lawful ways to process personal data under the GDPR: (a) consent of the data subject; (b) performance of a contract to which the data subject is party; (c) compliance with a legal obligation of the controller; (d) protection of the vital interests of the data subject or of another person; (e) performance of a task carried out in the public interest or official authority; (f) for purposes of the “legitimate interests” pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject. (Id. Art. 6(1)(a)-(f).)

For the remainder of this document, we will focus on legitimate interests and consent as we believe our clients will most often fall into one of these lawful bases.

1. Direct Marketing as a Legitimate Interest

The biggest myth about the GDPR is that consent is the ONLY way to lawfully process personal information on EU subjects. While consent is one basis for lawful processing, it is not the only one. (GDPR Art. 6(1)(b)-(f).) According to Elizabeth Denham, UK Information Commissioner, “Consent is one way to comply with the GDPR, but it’s not the only way.” Most of our customers will process under the “legitimate interest” basis, which includes direct marketing purposes. (See Id. Art. 6(1)(f), Recital (47).) In that case, you do not need to obtain consent, but you do still need to provide the person with a notice that you have their data. (See Id. Art. 14.) That notice needs to include all of the information listed in the section on consent below, plus (1) the fact that you are relying on direct marketing purposes as your legitimate interest and (2) the source of the data.

The good thing is that you are allowed to provide the notice the first time you communicate with the person (but no later than one month from when you obtained the data). So, if you obtain a list for email marketing, you can include the notice with your first message.

2. Consent

Consent requires you to get the data directly from the data subject. Perhaps a prospect provided their information when visiting your website. In order to use that data, you need to make sure the consent is clear and unambiguous. You also need to provide certain information at the time you obtain the consent, including: (1) who you are, (2) the purposes for which you will use the data, (3) who you will be transferring it to (if anyone), (4) if you are in the EU and intend to transfer it out of the EU, the countries where you intend to transfer it and the existence or absence of an adequacy decision by the European Commission with regard to the safeguards such countries have in place for the protection of personal data, (5) how long you intend to keep it, (6) the person’s right to correct the data or have it erased and to withdraw their consent, (7) the right to lodge a complaint with the supervising authority, and (8) whether you are using any automated decision-making or profiling. (Id. Art. 13(1)-(2).)

3. Rights of the Data Subjects

Whenever you are processing someone’s data, they have certain rights under GDPR. (See GDPR Arts. 15-21.) They always have the right to ask you what data you have on them, and for the other information that’s required in the above-mentioned notices. They also have the right to make you correct the data if it is wrong, or delete it or object to processing. If you have transferred it to anyone else and the person requests deletion, you also need to tell whomever you transferred it to that the data subject requested deletion.

4. Compliance Protocols

You are also required to implement “appropriate technical and organizational measures” to ensure you are complying with GDPR, including appropriate compliance policies. (GDPR Art. 24(1); Art. 32(1).) These measures may take into account what is appropriate given the nature of the data and the purpose for which it is processed. (Id. (“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons . . . .”).) The regulation as a whole seems clear that processing business contact information for B2B marketing does not require procedures that are as stringent as those that would need to be in place for processing, for example, sensitive health information.

You also need to maintain records of compliance, which include maintaining much of the information already discussed with respect to particular data. (Id. Art. 30.) However, you are not required to maintain these records if your organization has fewer than 250 employees. (Id. Art. 30(5).)

5. Breach Notifications

If there is a data breach, GDPR imposes notification requirements, both to the data subjects and to the supervisory authorities. (GDPR Arts. 33-34.) However, notification is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” (Id.) If we are talking strictly about business contact information, we think a breach notification may not be required.

6. (Another) Disclaimer

The GDPR is very extensive and very complicated. We have tried to summarize a few key areas, but we cannot explain the entire 88-page regulation here. This guidance is intended to apply to your use of business contact information for your own B2B marketing purposes. Other uses and other kinds of data may impose significant additional obligations. As always, you should consult with an attorney for a full analysis of your rights and obligations under applicable law.

I’m in Sales and/or Marketing. What should I be thinking about when crafting my general data protection approach?

Data is at the heart of prospecting. Although there are new regulations on the horizon, data management should already be a part of your sales and marketing operations. The impending GDPR effective date should be seen as an opportunity to implement better data management practices, which will also help establish and maintain trust with your customers.

GDPR best practices

If you are just getting started, here are some key best practices to consider.

1. Establish a Data Management Team

A data management team should consist of the core stakeholders who are impacted by your company’s use of data. The team should be established to focus on maintaining the integrity and protection of your prospect database.

2. Evaluate Your Current Data Practices

The data management team’s first task is to evaluate:

  • What data do we collect and store, and what is its nature (what data points do we have)?
  • How/when do we collect the various types of data (e.g. through websites, tradeshows, third-party data providers)?
  • What are the purposes for which we intend to use the data we collect?
  • Where is data stored, and how does it move through our organization?
  • Who has access?
  • What security measures do we have in place with regard to the data?

3. Understand the Data Protection Practices of Your Sales & Marketing Systems

If you use a Marketing Automation or CRM tool, you should understand what your chosen vendor is doing to protect your prospect and customer data, including access controls, regulatory compliance, and information and application security processes and tools. In addition, explore existing functionality that may be helpful in preserving your data. This may include roles and permissions of users, history of user activity and/or data updates, and the ability to enable/disable automatic data capture. Documenting the flow of data throughout your systems may be necessary to visualize what has access to it and who.

4. Understand the Nature of the Data

It is important to be aware of the type of data that is being collected and stored within your database. Processing sensitive information, versus simply business contact information, carries with it additional obligations. Sensitive information includes:

  • Government ID and financial account numbers
  • Health, genetic, and biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation or preferences

Generally speaking, B2B sales and marketing does not require processing sensitive personal information; however, if you do possess any of the foregoing types of data on your prospects, keep in mind that your legal obligations to obtain consent and to protect the security of that data are much, much higher under the GDPR and other laws.

5. Maintain Data on Your Data

Part of complying with data protection obligations is showing that you understand where your data comes from, how it is maintained, and the legal justification for processing it (discussed above). This means you need to consider tracking additional data points on your prospecting records. For example, Lead Source may already be a value tracked within your database. Depending on the number of data sources feeding an individual contact record, you may need to expand this out to account for additional sources of data. In addition, it should be noted when and how data was obtained (e.g. via form fill, badge scans at an event, 3rd party data appending). Most MAT and CRM tools have the ability to timestamp the population or update of individual fields.

6. Implement an Ongoing Database Health Program

Once you understand the data you have, how you collect it, and are tracking the appropriate metadata, you should develop clear policies that outline your data practices and your plan for compliance. Your data protection plan should address issues around data gathering, notification requirements (if any) and practices, the purposes for which data will be used, practices for updating data and purging old data, and security practices and procedures.

What is DiscoverOrg doing to address data protection regulations?

DiscoverOrg is dedicated to GDPR compliance, and we employ several GDPR and privacy experts on our executive team who are working hard to ensure full compliance with the regulation in our data practices. These include our General Counsel, Senior Counsel, and our Senior Vice President of Data and Research (a licensed attorney).

Well in advance of GDPR (in fact, about two years ago), DiscoverOrg implemented a plan to provide notice to all EU-based contacts in our database. The notices state that we are processing their business contact information in our database to provide to our paying clients for their marketing purposes. We give each such person the right to opt out of our database upon request, and have been honoring such requests since we implemented the notice program.

In advance of GDPR’s effective date, we will begin publishing, within our password-protected customer platform, a list of contacts who have recently opted out of our database. Customers will be asked to check this list regularly and independently honor those opt outs, unless they separately obtained consent for data processing from the contact. When we remove someone from our database due to an opt out request, beginning in May we will also flag those contacts for our customers through our CRM and marketing automation integrations in real time.
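The two practices above, tracking provenance and lawful basis on each prospect record (best practice 5) and honoring a provider’s opt-out list unless you hold your own consent (this section), can be checked mechanically. The following is an added illustration, not DiscoverOrg code; the record fields, the 30-day approximation of “one month,” and the sample contacts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: the Art. 14 "no later than one month" notice deadline is approximated as 30 days.
NOTICE_WINDOW = timedelta(days=30)


@dataclass
class Contact:
    """A prospect record carrying the 'data on your data' the post recommends tracking."""
    email: str
    lead_source: str                       # e.g. "form_fill", "badge_scan", "third_party_append"
    obtained_on: date                      # when the record was populated (most MAT/CRM tools timestamp this)
    lawful_basis: str                      # "consent" or "legitimate_interest"
    notice_sent_on: Optional[date] = None  # date the Art. 14 notice went out, if relying on legitimate interest


def review_contacts(contacts, opt_outs, today):
    """Return which records must be suppressed and which still owe a notice."""
    opt_outs = {e.lower() for e in opt_outs}
    suppress, notice_overdue = [], []
    for c in contacts:
        # A provider opt-out is honored unless we separately obtained consent from the contact.
        if c.email.lower() in opt_outs and c.lawful_basis != "consent":
            suppress.append(c.email)
            continue
        # Legitimate-interest records need a notice with the first message, and in any case
        # within one month of obtaining the data; consent records got their notice at collection.
        if (c.lawful_basis == "legitimate_interest" and c.notice_sent_on is None
                and today - c.obtained_on > NOTICE_WINDOW):
            notice_overdue.append(c.email)
    return {"suppress": suppress, "notice_overdue": notice_overdue}


# Constructed sample data (no real people or real opt-out list).
SAMPLE_CONTACTS = [
    Contact("a.example@corp.example", "third_party_append", date(2018, 3, 1), "legitimate_interest"),
    Contact("b.example@corp.example", "third_party_append", date(2018, 5, 20), "legitimate_interest"),
    Contact("c.example@corp.example", "form_fill", date(2018, 4, 1), "consent"),
    Contact("d.example@corp.example", "badge_scan", date(2018, 5, 10), "legitimate_interest"),
    Contact("e.example@corp.example", "third_party_append", date(2018, 2, 1), "legitimate_interest",
            notice_sent_on=date(2018, 2, 10)),
]
SAMPLE_OPT_OUTS = ["B.Example@corp.example", "c.example@corp.example"]
AS_OF = date(2018, 5, 25)  # the GDPR effective date used as the review date

if __name__ == "__main__":
    print(review_contacts(SAMPLE_CONTACTS, SAMPLE_OPT_OUTS, AS_OF))
```

Contact "c" stays active despite appearing on the opt-out list because its basis is the company’s own consent, which is exactly the exception the section describes.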

DiscoverOrg will continue to process only business contact information for EU contacts: company, job title, work email address, work phone number, etc. We do not provide sensitive personal information of any kind, e.g. health information, political or religious ideology, internet search history, etc. We simply provide information of the type that is typically found on a business card, an email signature block, or a public professional profile.

DiscoverOrg has also hired a Director of Data Practices, who will also serve as the company’s Data Protection Officer. This person will be responsible for several things, including:

  • Maintaining comprehensive records of all data processing activities conducted by the company
  • Serving as the point of contact between the company and GDPR Supervisory Authorities
  • Educating the company and employees on important compliance requirements
  • Conducting audits to ensure compliance and address potential issues proactively
  • Training staff involved in data processing

About the author

Henry Schuck

Henry Schuck is the CEO of DiscoverOrg, a 7-time Fortune 5000 company, which he co-founded at the age of 23. He has extensive experience managing the sales and marketing activities of fast-growing information technology data companies.