GDPR – The General Data Protection Regulation – will come into effect on May 25th. There has been much discussion about the new regulation for several years, but now the change is almost upon us.
For any organisation doing business in Europe or with European residents, the GDPR will affect you. It will impact almost every part of marketing and sales operations, especially those which rely on capturing, tracking and reporting on actions taken by a lead.
For Sales Enablement, changes will need to be made in a number of areas, including consent, processing, and how historical analytics are performed.
This article only provides general information on GDPR and does not constitute any form of legal advice. Please speak to a trained legal professional for specific support on the new regulations.
GDPR in a nutshell
The GDPR is the new regulation that affects ALL organisations who operate in Europe or work with the data of European residents. It governs the way that data can be obtained and used, to protect the rights of the individual. It puts the ownership of personal data into the hands of the person who that data is about.
For definition purposes, personal data is any kind of data which can be used to determine the identity of an individual – directly or indirectly. It includes traditional forms of personal data like email addresses, as well as data like IP addresses and geo-location information.
What this means in practice
If you control or process any form of personal data, then the GDPR will directly affect you, and you’ll need to make sure you are compliant.
The key changes to consider are:
- How you get consent for data from an individual
- How and why you process that data
- How you will protect that data from security breaches
The law changes how consent for data processing can be obtained; it must be clear and explicit. Before collecting any data, organisations will need to state exactly what data they want and why, including how it will be used.
For the first example, a user must actively consent to give their data after seeing an explanation of why that data is required. In the second example, the type of data a user is handing over is unclear and ‘improve your experience’ doesn’t give any indication of what it will be used for.
Furthermore, organisations cannot prohibit users from accessing a service or website if they do not hand over personal information, except on rare occasions when that personal data is a necessary requirement.
When it comes to processing personal data, an organisation must have clear, legitimate reasons for doing so. You must have a purpose for asking for any personal data.
Every type of processing must have its own form of consent too. You cannot use a ‘catch-all’ type of consent to allow you to process data any way you want. And if you intend to process data in a way in which consent wasn’t previously given, you’ll need to reacquire consent.
For example, you cannot simply require a user to enter their gender when they’re signing up if you don’t have a legitimate reason for asking for that information. You must show how and why you will be processing the data you ask for; otherwise, you cannot request it.
Naturally, protection is a key part of the GDPR, and the onus is on organisations to secure their data against potential breaches. Personal data must be stored correctly, ideally in a pseudonymised form.
You should keep detailed records of processing, ensure staff are trained correctly to handle data, and you must report any potential breaches immediately.
If the law had been in effect when the data breaches at Yahoo, LinkedIn, Adobe and Sony took place, then each company could have been fined 4% of their annual turnover or up to €20 million – whichever was higher!
Adapting Sales Enablement to GDPR
Sales Enablement covers a wide range of topics and activities, but it will undoubtedly be affected by GDPR. Some common examples that you’ll need to address include:
- Making sure you have consent from the recipient of an email to track whether they opened it or not (and have explained what you will do with that information)
- Being careful about adding personal information obtained by sales reps from a phone call, where consent wasn’t explicitly given – like a date of birth, location or personal email address
- Keeping track of permissions to forward emails. You might have obtained consent for a prospect’s email, but did they consent to a sales rep forwarding and sharing an email response from them?
Another core part of the new GDPR legislation is on the right to be forgotten. Every individual has the right to have their personal data erased and be forgotten about; they can request for you to delete all their information at any time.
This should not be too much of a problem if you have the correct set-up with your processes and systems, but it could pose a challenge in some circumstances. For example, if you’re creating reports on the sales behaviour of people in your pipeline and you need to remove personal data about a prospect, it could skew the reports and analytics – and potentially change forecast models.
The law also has the potential to affect any machine learning used for predictions and analytics, and there are many ambiguities yet to be addressed. What happens, for example, if an organisation has to remove personal data that was used for a prediction? Is it OK to still use what was learned from that personal data, after the data has been removed?
There is still much that remains unknown about the impact of GDPR, and it will be difficult for the law to keep up to date with the fast-growing tech and Sales Enablement industry.
Staying on top of GDPR in Sales Enablement
- Minimise interruptions and be upfront and open about consent
The beginning of any interaction with a prospect is the key to a positive relationship with data and consent. Start by being open and honest about how information will be collected and used, so the prospect will feel comfortable giving his/her consent. Avoid asking for only the minimum amount of consent and then needing to constantly request permission for more and more data to be collected.
- Take a tactful approach to communications
The GDPR makes it easy for individuals to challenge consent and data processing, and to ask for the right to be forgotten. But if you take a considered, engaging approach to communication and deliver good value with your content, then individuals are less likely to be concerned about their personal data or how it is used.
- Make sure your vendors are compliant too
If you use other vendors to process data – e.g. through additions and integrations to your CRM – then you’ll need to make sure they are following the new requirements as well. They may be controlling and storing data obtained by you in their own platforms, so you need to make sure they are compliant with GDPR too; they should only be storing the data you are using, to prevent future data removal problems – or the possibility of a fine if their platform is breached.
What questions should I ask my vendors to make sure we are all compliant?
What data are you storing and why?
You must be sure your vendor isn’t holding unnecessary data that you don’t have consent for storing and using.
Do they support acquiring consent?
Some vendors do not support consent acquisition, so you need to have it ready before any tracking takes place.
Do they offer different consent levels?
The best practice is to store the different levels of consent you have in your CRM separately, and have solutions react based on the consent level. That way the process isn’t interrupted when you don’t get the necessary consent or need to remove data.
Does the vendor have a solid process for the right to be forgotten?
In line with the new regulations, individuals have the right to be forgotten and can request for all their data to be identified and deleted entirely from any records. You’ll need to make sure your vendor can easily find and remove data files, to ensure a smooth process.
Preparing for a GDPR world
When the law comes into effect on May 25th, the main change we’ll see is communication between organisations and prospects becoming more honest and transparent. It will be vital for acquiring consent and processing data accordingly.
Prospects will always need to know when they are being tracked and what the data will be used for, and companies will only be able to collect the data they need and can store in a safe manner.
Of course, the GDPR will affect many different parts of the sales and marketing process, and will vary depending on your current practices and procedures.