GDPR + Sales & Marketing – A Practical Guide

In preparing for compliance, companies have tended to focus on how they hold and store current data. They have not given much thought to the impact of GDPR on day-to-day operations. Your company should already be a long way down the line with its preparation. This paper is not intended for Data Controllers within an organisation, nor to advise you on how to ensure you are ready across your company for GDPR; it is intended as a reference source for the people handling data subject information within your sales and marketing departments.

The introduction of GDPR will impact every area of business, sales and marketing in particular, as it brings with it a requirement for a new level of responsibility. New data collection and the use and storage of data within departments have tended to be overlooked. This short paper looks at the specific practical implications of GDPR for sales and marketing. Every information source on GDPR details the very high fines that accompany the new regulations: up to €20 million or 4% of global turnover. This alone should be enough to focus your mind on conforming to the regulations, and we believe that if you follow solid principles and best practice, your business will be able to achieve compliance and avoid incurring fines. Throughout this paper, it is assumed that the companies involved are working in the B2B space within the UK. We also assume that you have already had a look at the GDPR regulations that will be coming into force in May. The General Data Protection Regulation (GDPR) comes into effect on the 25th of May, 2018.

What is your risk?

It is unlikely that your company will be picked for an audit, so for sales and marketing, the highest risks within your control are a data breach, or being reported by an unhappy contact. Your Data Controller should inform you of what to do in the event of a data breach, and you should familiarise yourself with the process of immediately reporting a breach to them. Being prepared and efficiently handling requests from contacts, to opt out of future communications for example, will minimise risk. But this is not an excuse to be complacent; one complaint could be very disruptive to your business and lead to a damaging fine. GDPR might feel frustrating, but it is for the benefit of us all, as it protects how our personal data is being held and used. It is good practice to treat every contact with the same security and diligence with which we’d expect our credit card company to treat our own personal data.

The General Data Protection Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union. The GDPR is a move by The Council of the European Union, European Parliament, and European Commission to provide citizens with a greater level of control over their personal data. This applies to the UK and will not be affected by Brexit.

The basic principles are:

Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: Personal data shall be accurate and, where necessary, kept up to date.

Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.

If you are new to GDPR I recommend that you read the Information Commissioner's Office Guide: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

As we are looking at the specifics of job functions, we are only working with the main points that you should be aware of. This guide is intended to enhance your knowledge and allow you to apply it to your job role.

The Basics

“…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

GDPR requires the sending party to justify that a communication is in the legitimate interest of, and does not risk the privacy of, the individual concerned. A three-step process, a Legitimate Interest Assessment, must be followed. This assessment should be recorded and attached to the record in the CRM in case it is required at a later date. Details of your legitimate interests must be included in your privacy notice.

1. Identify a legitimate interest. Sending a sales email to a person within a company who has decision-making responsibility for specifying and purchasing services that you sell would be a legitimate interest.

2. Is it necessary? Could this communication be achieved by another means? The business objective could determine necessity.

3. Strike a balance. Do the recipient’s rights override the sender’s interests in sending the email?

Legitimate Interest

Legitimate interest is already reasonably well established and understood, as it is the basis for unsubscribe links. Any contact can object to direct marketing, and this principle still remains. In most instances, Legitimate Interest will be used as the legal grounds for marketing activity. But this does not give marketers carte blanche to continue the practices they have used previously.

If you want to read the rest of this guide download it for free from here