Keep Calm and GDPR On: How Marketers Can Comply with GDPR
This post is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. The views expressed are based solely upon DiscoverOrg’s interpretation of these regulations, do not purport to constitute official guidance, and may not be relied upon. DiscoverOrg has no authority or ability to determine or advise anyone regarding how any law or regulation should or will be interpreted by any court or regulatory authority.
GDPR: It’s the 4-letter word keeping marketers up at night.
There’s a lot of confusion and anxiety surrounding the upcoming General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, and many people are wondering how it affects them as B2B marketers.
To start with, the GDPR does apply outside the EU in some circumstances, but it does not apply to everyone. Ask yourself:
- Do you have an established presence in the EU?
- Is your processing of personal data related to offering goods or services to data subjects in the EU?
- Are you monitoring the behavior of data subjects in the EU?
If the answer is “yes” to any of these questions, the GDPR applies to your data processing. The second question may seem to apply if you are marketing to EU contacts. But if you are in B2B marketing only, we are not sure it does, since you are actually offering goods and services to the company, not the individual. The third question is a separate test, though: if your marketing tools track the behavior of EU contacts as individuals (for example, website visits or email opens tied to a named person), that can count as monitoring and bring you into scope even where the second question does not.
In any case, assuming the GDPR does apply to you, read on.
Does GDPR apply to you? Check out our GDPR primer.
We think it is natural to feel a little lost with regard to the GDPR, given the very broad scope of what it is attempting to accomplish. Just look at the definition of “personal data”: “any information relating to an identified or identifiable natural person”!
Woah … any information?
That’s right. The GDPR does not just govern sensitive personal information like health records (as HIPAA does in the U.S.); it governs all information relating to an individual. A named contact’s business email address, for instance, is personal data under the GDPR.
The ambitious scope has resulted in a broad and complicated statute that leaves many questions unanswered.
So, it’s important to carefully apply it to a specific context. The statute does treat different types of data differently; in several places, the regulation injects balancing tests and reasonableness standards into what otherwise appears to be a very onerous law.
As I talk to other outbound marketers, the most common misconception I come across is the idea that all contacts need to be “opt-in” under the GDPR. I have heard of companies asking email contacts for consent two or three times, just to be sure. (Repeated re-consent emails can themselves be unsolicited marketing: the UK ICO fined Honda and Flybe in 2017 for exactly that.) But explicit consent is not a hard and fast requirement.
Opt-in consent is one way to comply with GDPR – but it is not the only way.
Elizabeth Denham, the UK Information Commissioner, has said that one of the biggest myths about the GDPR is that consent is the only way to comply.
There are actually five other lawful bases for processing personal data under the GDPR (Article 6):
- Performance of a contract to which the data subject is party (e.g., your customers)
- Compliance with a legal obligation of the controller
- Protection of the vital interests of the data subject or of another person
- Performance of a task carried out in the public interest or official authority
- For purposes of the “legitimate interests” pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject
Direct marketing as a legitimate interest
As you can see, in addition to “opt in” consent, you are also permitted to process personal data where you have a “legitimate interest” in doing so that is not overridden by a person’s fundamental rights or interests.
In fact, Recital 47 of the GDPR states that the “processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” (This is verbatim from the text of the regulation, though recitals guide interpretation rather than impose obligations themselves.)
Now, that doesn’t mean that you’re scot-free. You also have to consider the balance of interests and ensure that your “legitimate interest” is not overridden by the interests or fundamental rights and freedoms of the data subject.
That is where you need to consider other factors, including the nature of the data being processed. Some data, such as health records, falls into the GDPR’s “special categories” and cannot be processed on the basis of legitimate interests alone; processing it for marketing purposes would clearly be outweighed by the rights of the data subject. On the other hand, processing a person’s business email address, issued by the employer and used every day for business communications, has far less impact on a person’s fundamental rights or freedoms.
Provided the controller otherwise complies with the GDPR (including providing the data subject with adequate notice and the opportunity to object to data processing), we think the balancing of rights and interests in the GDPR weighs in favor of the lawfulness of processing business contact information for direct marketing purposes as within the legitimate interests of companies trying to sell their products to other companies. Write that balancing down (a legitimate interests assessment): the GDPR’s accountability principle means you must be able to show your reasoning, not just assert the conclusion.
In other words, we think you are not limited to “opt in” contact data for B2B marketing under the GDPR. (Now, if you’re talking about personal information for B2C marketing, such as home addresses or personal email addresses, or data beyond just contact information, the analysis may be different.) Also note that email marketing is separately governed by the ePrivacy Directive as implemented in each member state (PECR in the UK); some countries require consent for B2B email as well, so your lawful basis under the GDPR is not the whole picture.
Notice requirements
Once you’ve determined that you have a lawful basis for processing a person’s information for marketing purposes, you still have other obligations under the GDPR. A big one is that you need to give the person a notice that you have their data. The notice must cover:
- Who you are (and how to contact you)
- The purposes for which you will use the data
- The categories of personal data you hold
- Who you will be transferring it to (if anyone)
- If you are in the EU and intend to transfer the data out of the EU: the countries where you intend to transfer it, and the existence or absence of an adequacy decision by the European Commission with regard to the safeguards those countries have in place for the protection of personal data
- How long you intend to keep the data
- The person’s right to access and correct the data, have it erased, object to the processing, and withdraw their consent (where consent is the basis)
- The right to lodge a complaint with the supervisory authority
- Whether you are using any automated decision-making or profiling
- The lawful basis for processing that you’re relying on (e.g., legitimate interest, and if so, what that interest is)
- How you got the data
It’s important to note the timing. Because you obtained the data from somewhere other than the person, Article 14 applies: you must provide this notice within a reasonable period after obtaining the data, and at the latest within one month. Where you use the data to communicate with the data subject, the notice must come no later than your first communication, and if you pass the data on to someone else, no later than the first disclosure.
So, we recommend ensuring that you reach out for the first time within 30 days of obtaining the data for marketing purposes, and include the required notice information in your first message.
Additional obligations
In addition to providing notice, you have additional obligations under the statute. While you should carefully review the law in its entirety and seek counsel to understand all of your obligations, a few of the main obligations include:
- Respect the rights of the data subject (e.g., respond to access requests, honor opt-out and deletion requests, and so on); such requests generally must be answered within one month
- Implement appropriate technical and organizational measures to ensure GDPR compliance; that includes appropriate compliance policies
- Provide certain notifications in the event of a breach: to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals when the breach is likely to result in a high risk to them. Notification to the authority is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” If the data in question is strictly business contact information, we do not think a breach notification is required, but that is a judgment call: the GDPR still requires you to document every breach, its effects, and the remedial action taken, including your reasoning for not notifying, so a regulator can check it.
But wait, there’s more!
You should be documenting the source (or sources) of the data that you have obtained on the individuals in your prospecting database, as this may need to be provided in the event of an audit of your data processes.
While obtaining data from a third-party source is allowed, I suggest making sure that the source of your data is also in compliance with the GDPR. If you are evaluating a data source, ask them to share their GDPR plan, including the lawful basis they rely on and how they give notice to the individuals in their database.
Learn what DiscoverOrg is doing to comply with GDPR.
Be sure to do your own homework, though. Much of the GDPR doom and gloom seems to be based on what people think the GDPR says, not what it actually says. Don’t take my word for it either; I am definitely not qualified to provide legal advice! Read (and review with your legal team) the actual text of the regulation to determine how you should prepare.
Ultimately, we don’t believe GDPR compliance should hinder your ability to grow your business within the EU. If anything, it forces us – as sales and marketing professionals – to follow good business practices and to be better at our jobs.
We should never lose sight of the fact that we sell to other human beings and should be respectful of who they are and what we know about them.
This article was originally posted on the DiscoverOrg Blog.
4 months ago: Deann, thanks for sharing! Any interesting conferences coming up for you?