There’s a four-letter word you’ve been hearing way too much of recently.
It’s not a naughty word.
Although it could be soon.
GDPR just might become the most upsetting four-letter word you could ever hear if your sales team is handling European data and you’re not properly prepared for the General Data Protection Regulation.
(GDPR doesn’t stand for Grief Despair Pain Regret - as much as you and your inbox might feel like it should).
If you’re not based in Europe, you might think GDPR is just an irrelevant inbox-punishing law change you don’t need to worry about.
But even if you are not a European company - if any of your prospects or customers are residents of the European Union, you need to understand your GDPR responsibilities.
Otherwise you risk a €20 million fine. Or a fine of 4 percent of your global turnover. Whichever is bigger.
Both are scary.
Scary enough for you to concentrate in ready this guide to understanding your GDPR responsibilities as a non-EU company.
Quick GDPR Explainer
Most sales and marketing pro’s outside the EU are confused about GDPR. That’s very understandable. The new regulations are wide-ranging and complex. Even some of the experts aren’t quite sure about the impact and fallout.
Here’s a quick GDPR summary in the simplest terms possible to bring you up to date:
- GDPR went live on May 25th
- GDPR is designed to give European residents more control of their personal data
- The regulations give EU residents the right to know what data companies are collecting from them and how that data is stored
- EU residents now have the right to ask companies to delete this data
- The law also requires businesses to be able to prove they have reasonable cause to collect data or make contact
That last 3 bullet points have serious implications for sales and marketing professionals.
If you want to contact a prospect, lead or potential customer residing in the European union - the game has changed.
Does GDPR Affect You?
One really important exception you need to understand before we get any further…
Know that GDPR will not prevent you from selling and marketing to your existing clients (at least until those clients opt out of hearing from you). Customers have agreed to do business with you by entering into a transaction with you.
You don’t need to change your marketing practices for existing customers.
If you’re a non-E.U. business who markets to anyone who lives in Europe
Sorry for the shouting. Don’t be alarmed (too much).
Yes, GDPR affects your business. But you shouldn’t feel scared or frustrated.
Take GDPR as an opportunity for you and your team to develop more customer-friendly sales and marketing practices.
GDPR is designed to encourage helpfulness. This will also help focus your attention on the right prospects and filter better qualified leads into your pipeline. The businesses with the most customer-friendly experiences win.
Because GDPR requires prospects to opt in to almost every sales activity, you’ll only be able to to sell to European residents who are genuinely interested in your products or services. That may mean a smaller number of leads in your pipeline, but they will so much more qualified.
If you know for a fact that you don’t sell to Europeans at all
No worries - GDPR won’t directly affect you.
There is an asterisk, though.
Europe might just be the legislation guinea pig.
Other lawmakers around the world will be sweating on GDPR and they might just decide to follow the EU’s lead by passing their own similar data protection laws.
While the EU is in the grip of GDPR fever — you can get yourself ahead of the game and build a new GDPR-compliant sales and marketing process for all your customers.
One more thing to consider for non-European businesses: are you sure you don’t have any European clients or prospects?
You might find it hard to know with certainty.
- Maybe your product is tailored toward an audience in a particular country, but a European resident is interested
- Maybe one of your customers has moved to Europe
- Maybe you just don’t know the location of an individual on your mailing list
The penalty for violating GDPR is stiff, so if you’re not sure about the location of even one prospect on your list - it is safest to assume that person is in Europe.
The Basics Of GDPR
If you think you might have even one client or prospect in the E.U., you probably have some questions. Don’t panic. We’re going to explain what you need to know to keep on the right side of GDPR.
Below are the five points of GDPR most relevant to sales teams:
- Individuals have to agree to the collection of their personal data
- They must know how and when that data is collected
- People must be able to request copies of their data
- These individuals also must be able to ask for their data to be edited or deleted
- They must explicitly agree to be contacted by salespeople
Before our experts answer some commonly-asked questions about GDPR, you should know two things about the law:
First, GDPR isn’t trying to restrict your right to do business. In fact, the law recognizes businesses’ need to promote goods and services as legitimate.
Second, GDPR isn’t banning you from contacting prospects. It’s just giving those prospects more control over their contact with you. You can still talk to prospects, you just have to get them to agree to be contacted.
Let’s get to it.
What Data Is GDPR-Related?
You’re not just dealing with names, vital statistics, or personal email addresses.
Under GDPR, “personal data” is broadly defined as any information that identifies an individual.
That includes social media accounts, work email addresses, photos - even online quiz results.
That’s a lot of info. If you collect any of it - you have to be prepared to defend your reasons for doing so, and explain how that information is stored.
There’s a simple remedy to the problems caused by collecting too much data:
Don’t collect all the data.
Just collect the data you absolutely need.
Your sales team will thank you for it; if they spend less time collecting data, they can spend more time doing what they do best: selling.
What Happens If I Have a Global Account With EU and Non-EU data?
If you’ve got an account with any EU data at all, treat that account as a European.
GDPR doesn’t just cover EU citizens, it covers anyone who lives in the European union.
Better safe than sorry.
What Are My Cold Calling Responsibilities?
Under GDPR, you need permission to contact an individual. Unsolicited contact sounds a lot like cold calling, but this doesn’t mean you have to stop calling prospects altogether. You just need to take a slightly different approach to European prospects.
Article 6 of GDPR says organizations can legally use someone’s personal data for six reasons:
- If someone has given you their explicit consent
- If you need to use their data to fulfill a contract with that person
- If you are legally obligated to use that data
- If you must use their data to protect that person (or another person’s) health or well-being
- If you must use their data to protect the public good
- If you are using data to pursue legitimate interests, except when your interests are overridden by the interests or fundamental rights and freedoms of the person you’re calling
You’re probably not cold calling for your prospect’s health or the public good, but check out the bolded bullet points one and six.
If someone has explicitly consented to your calling them by proactively checking a box or filling out a form, go right ahead, you are clear to contact them.
Now take a look at that last bullet point. As long as you have “legitimate” business interests — you’re selling a product or service to a prospect who might benefit from them — you’re allowed to cold call, so long as your right to promote your product isn’t overridden by your prospect’s desire not to be contacted.
In order to claim that your direct marketing efforts are a legitimate business interest, you must do something called a “balance test,” which weighs your right to do business against the prospect’s right not to be called.
If you do use phone calls as part of your sales process, you’ll want to understand this issue in detail. We dedicated an entire article to helping you understand cold calling under GDPR. You can read a collection of expert advice from Pipedrive’s GDPR expert Martin Ojala about the topic.
What about my GDPR emailing responsibilities?
The restrictions around sales emails are similar to those around cold calling.
Both fall under “unsolicited contact” and both require sales teams to perform a balance test in order to know how to proceed with specific customers.
This may seem off-putting, because GDPR compliance is judged on a case-by-case basis, but it’s not as difficult as it sounds.
With the help of Ojala - our GDPR Expert, we detailed 7 of the most common sales scenarios so you could understand your specific GDPR email marketing responsibilities in each situation. You should read this guide thoroughly to understand how the balance test could work in practice for your specific sales emailing activities.
Does GDPR Change the Webform Requirements On My Website?
Yes - in a few ways.
Firstly, know that pre-ticked consent boxes are a thing of the past.
A prospect must actively consent to being contacted, so you must let customers check their own boxes.
Additionally, your web forms must be explicit about what clients are consenting to.
Under GDPR, you can’t count on someone opting in to a freebie — like a webinar — as consent to be put on your mailing list. You need specific permission for each specific sales or marketing activity. The freebie must be truly free; your prospects should be able to access it without giving away data, and you’ll need a separate consent box for the mailing list.
You may be wondering what the point of offering lead magnets is if you’re not getting leads.
But this change will help you strengthen your marketing and sales game. Those lead magnets are now there to provide value to potential customers, and you can use those freebies to prove your worth and convince prospects they want to be on your list to receive more helpful resources and marketing info.
When prospects are impressed enough with your product to proactively sign up to be contacted by you, those are some of the best-qualified leads you can have.
How Can You Find Out Which Of Your Tools Are GDPR Compliant?
Over the last weeks and months, you should have been hearing about GDPR compliance from the companies behind the tools you’re using. Responsible vendors should be sending notices to their clients, and posting those notices to their sites, explaining exactly how they’re handling data processing on your behalf.
If they aren’t you’ll want to get in contact and ask them some questions:
- Do you have a data processing contract in place?
- Are those companies compliant when it comes to moving data into and — more importantly — out of the E.U.?
- If a client in the E.U. requests a copy of their data, or wants to be deleted, how ready is your vendor to comply?
- What steps have they taken to train staff when it comes to GDPR?
What Should You Expect From Your CRM?
Your CRM manages your client data on your behalf.
You should be able to trust your CRM partner to manage your customer data correctly under GDPR.
Expect new features that make it simple for you to comply with GDPR. You should be able to update your webforms, delete customer data, and offer secure transfer of data into and outside of Europe.
Are you sure your CRM has prepared you for GDPR?
Call them now and ask.
Here’s an example of what you should expect:
Make sure you confirm where your CRM houses your data. If they’re working with a European data center, you’re likely in good hands.
Pipedrive is based in Estonia. We have strong European roots and three European offices - so GDPR is a serious priority for us. Our data center is in Germany, a world leader in data security management, and we have a team dedicated to data-protection and security.
If your CRM is based in the US or another non-EU company, that’s fine. But if you’re still unsure about their preparedness for GDPR, it may be time to consider a new CRM.
Even Non-European Sales Teams Need to be GDPR-Ready
Take the chance to make sure you have a best-in-class customer experience for you prospects.
Yes, the GDPR doesn’t force you to change your practices unless your handling EU data, but you should be proactive. First movers will get the rewards and similar legislation changes are bound to come to your region soon.
If you’ve already updated your sales and marketing practices, you’ll be well ahead of your competition and you’ll improve your lead qualification process while you’re at it.