The B2B data space is evolving at breakneck speed, and as it spans wider and wider, data privacy is an increasing concern for consumers, businesses, and the people whose job it is to use that data.

One of the hardest parts is that people don’t know where to start. What is GDPR? How do I make sure the data I’m using won’t get me in trouble? How will this impact how I market and sell my solution?

After recently digging into our own compliance and completing a Legitimate Interest Assessment (LIA) for GDPR compliance, we reached out to data providers, marketing automation tools, programmatic advertising companies, and outbound sales tools to get their expertise on how GDPR affects B2B tech teams and what they can do to make sure everything’s compliant.

We interviewed leaders from B2B data and service providers to gain their perspectives on compliance. Answers cover what GDPR means for buyers and sellers now, how to make sure your data providers are up to standard, and how to effectively market and sell in a B2B landscape while remaining compliant.

We talked to:

  • VP Product Management, Foundry 
  • Director of Coaching and Consulting,
  • , VP of Enablement & Strategy,
  • , Head of Global Field Marketing & Events,

Keep in mind, this article isn’t written by lawyers, but by providers who know the ins and outs by being compliant themselves, and ensuring their customers do the same.

For the sake of honesty, there are a few shameless plugs, but what can I say, it’s written by marketers across the industry. We wouldn’t be doing our jobs if we didn’t shout out our products at least a little bit.

So, what is GDPR?

GDPR, or General Data Protection Regulation, is a set of rules to give EU citizens more control over their personal data. It aims to simplify the regulatory environment so both citizens and businesses in the EU can fully benefit from the digital economy.

Data Protection regulations outlined by GDPR include:

  • Right of Access: you may request access to your personal information and obtain a copy of personal information.
  • Right of Rectification: you may request to change, update or complete any missing data processed about you.
  • Right to Erasure: you may at any time withdraw your consent to the processing of your personal information. In this case, if there is no overriding legitimate interest for continuing the processing of your personal information and the personal information is no longer necessary in relation to the purpose for which it was originally collected, we will erase your data.
  • Right to Data Portability: You have the right to receive personal information in a structured, commonly used format.

Questions to ask your third-party data provider

At Foundry, data fidelity and compliance matter. This means double and triple checking our data and processes and completing a Legitimate Interest Assessment (LIA) to make sure we’re doing all we can to be compliant.

That’s why we answered the next question in-house and asked Tukan Das, VP of product management, about how to make sure the data you buy fits the bill.

“The most important question to ask your data provider is if they are processing and sharing any personal data with you? Personal data from a B2B perspective includes first name, last name, email, phone, LinkedIn, social IDs, etc. If they are dealing with personal data then ask them where they are collecting the data from and ask for the lawful basis of them collecting and processing the data?”

“If they have explicit consent from the data subjects (i.e. professional contacts) ask them how they collected the opt-in and any additional context (terms of service etc.) around it. If they don’t have consent – then they’d probably use legitimate interest as their lawful basis to process the data (most third-party providers would fall under it). Ask them to provide a detailed LIA for their data collection and processing.

In addition to a completed LIA, ask them if they can support blocking of contacts and also providing a full-trail of the personal data they have stored on the contacts in a human-readable format.”

If these boxes are all checked, you’re probably good to go. At the end of the day, transparency is key here.

What are the compliance implications of account vs contact-level data?

Concerning the countries GDPR applies to, “You have to be 100% confident that every single person who’s going to see your ad is not a European Union citizen,” says Metadata’s Logan Neveau.

He dives deeper, explaining, “They don’t hold double citizenship. They’re not on vacation, and they’re not using a VPN because the VPN can screw with where they’re actually located. So it’s practically impossible. By default, everyone should be treated as if GDPR applies to them if you want to be safe from a legal perspective.”

When it comes to targeting at the contact-level using email addresses from an ads perspective, Neveau says, “When you want to target contacts you don’t get to see the Personal Identifiable Information (PII), it’s hashed, encrypted, and passed directly to the API for the data set to Facebook or LinkedIn. So we’re not exposing any PII until you opt-in and you consent saying let’s have a conversation, then we can unmask who that person is.”

What’s allowed and not allowed within GDPR compliance?

Now that we’ve talked a bit about the implications of GDPR compliance, we can dive into what we can do with data. There are Six Lawful Bases for companies to legally acquire and process personal data in the European Union. As a marketer, the ones that matter most are consent and legitimate interest.

Obtaining consent should be the primary legal basis by which marketers use personal data. This largely means requiring contacts to opt into a specific use of their personal info. Specifically, the GDPR states that consent should be given by:

This means that silence, inactivity or pre-ticked/checked boxes do not equal consent. For contact-level data to remain compliant, a clear opt-in process means you should be able to contact those individuals through typical marketing channels, so long as the use cases were clearly stated to the individual who opted in.

GDPR and Outbound Sales

We’ve said it before and we’ll say it again: data is only as good as its action plan. So now that we know what it takes for intent to be compliant, how does GDPR impact the processes intent ebbs and flows into?

Does GDPR mean you can’t do Outbound Prospecting?

“It doesn’t!” says Predictable Revenue’s Sarah Hicks, “But it does mean you have to play by the rules.”

“GDPR requires permission from the individual to collect, store, and use their personal data. That means that if you’re purchasing lists from a data provider or having someone research/scrape to find data for you – you need to make sure that data is GDPR compliant.”

How can SDRs still be compliant with their email outreach?

Hicks explains, “Article 47 of GDPR states that ‘direct marketing purposes may be regarded as carried out for legitimate interest.’”

“Outbound prospecting falls under the umbrella of direct marketing in this context. If you have researched a company and/or buyer persona and write a one-to-one email to a prospect expressing relevant ways you can help them solve an issue or achieve a goal – that probably counts as legitimate interest. What you can’t do under GDPR is send out mass, spray and pray outreach via email.”

How will laws like GDPR affect outbound activity in the future?

This industry changes quickly and without remorse. It’s important to not only consider how your outbound sales activities are compliant today, but how SDRs can be compliant without interruption moving forward. Here’s Hicks’s advice.

“Data security and privacy laws and regulations are becoming increasingly strict. Each region has its own set of privacy acts that are being amended and added to all the time. At the moment, the EU and California have some of the most extensive data privacy regulations in place with GDPR and CCPA, but Canada is close behind with new regulations proposed. As individuals spend more and more time online, they become more concerned about their data security and privacy, and the legal and regulatory systems in countries are catching up.

There are certain business development thought leaders that believe that cold emails will be made completely illegal within the next decade and some that cold calls are a thing of the past thanks to increasingly tight regulations and personal attitudes that find these methods of communication invasive. I think it’s totally plausible that, in future, SDR/BDR activity will be limited to 1 to 1, researched, customized, and relevant outreach,” says Hicks.

BrowserStack’s Sathyanarain (Narain) Muralidharan goes on to explain, “A multi-channel outbound sales strategy is really a powerful way to work within the rules of GDPR. The key is to get permission from a prospect before sending them an outbound sales email.

Once you have your account list, it is always a great practice to warm the prospect up via various channels like social media, and even channels like text messages and cold calls. A multi-channel sales engagement platform like Outplay lets you execute such a sequence at scale across your team of sales reps to ensure you operate within the rules of GDPR.”

GDPR and B2B Advertising

Speaking of evolving industries, as many of us know, B2B advertising changes constantly. Specifically, as we move away from the use of cookies and as Google regulations evolve, what it takes to maintain compliance and what marketers can do with ads keep changing. To give us a better picture of what’s happening and what to do about it, we asked Metadata’s Logan Neveau.

From an advertisement perspective, how will laws like GDPR and CCPA impact B2B marketers?

“The B2B advertising landscape for most of the ABM tools has all been very display focused. There’s a ton of data that you can get within a Display Side Platform (DSP) particularly on cookies and individual user tracking. But paired with GDPR, it’s really hard to get that granularity and that visibility. So companies like , , and , which have all that intent data based on ad interaction data risk losing that visibility and those signals because you won’t be able to track third-party users via cookies on Chrome,” says Neveau.

“Now that we’re working from home, IP is harder to track. And honestly, in GDPR, if you pair it with anything else, it’s no longer uniquely identifiable. So there’s a gray area in GDPR. Is it PII or is it not? Well, I don’t know. It depends. What’s the context? And so there’s hesitation to use IP addresses.”

How will Display Advertising be impacted?

“It’s already been impacted because you can’t target by specific PII signals. The only thing that makes it different is when you’re on Facebook and LinkedIn, you have accepted their terms and conditions, you have to be anonymized yourself in a display environment you have not,” explains Neveau.

“Right now the only way to target someone in a display network is by IP address. So if someone from within this IP address is visiting, show me that. We have lost individual-based targeting and display in the EU because of GDPR.”

How do you see GDPR impacting advertising outside of intent?

“Immediately when GDPR went into effect, you could no longer target an individual user on display in the EU. It’s IP address only so now you’re targeting an entire company. But, in a closed environment like social media, users have logged in, they’ve consented to share their information with Facebook or LinkedIn, platforms know who users are. Because of this, we can still target an individual user within social media. These walled gardens are going to become immensely more valuable in B2B marketing to continue to retain your targeting.”

Neveau goes on to say, “The downside about this is that LinkedIn knows where you work because you’ve told them so they can say, ‘hey, this account has seen your ad X and Y amount of times.’ Facebook or Quora does not. You can still target individuals there, but you can’t report in an ABM fashion. That’ll be quite scary soon because that is one of the metrics that a lot of these ABM platforms report, penetration on these accounts.

So we shouldn’t set up our marketing to drive clicks and impressions, we shouldn’t be reporting on an account-based lift, because it’s not in our favour, it’s only going to get worse. So instead, we want to say, ‘we’ve gotten impressions and clicks in front of these accounts, go ahead and send that to your sales team,’ but don’t hang your hat on that metric. There are holes in those numbers that you could drive a bus through. Use it as a leading indicator, but you should be rolling out, ‘we drove this many qualified inbound requests, we now have a first-party relationship with that user 100%.’”

Key Takeaways

  • When buying data, have open conversations with your provider about where it’s coming from.
  • Data privacy and compliance are good for everyone. For providers, it improves data quality and holds everyone accountable to the metrics that matter. 
  • Compliance at all stages matters. It’s not just about how to acquire data, it’s about using it in compliant ways.
  • GDPR and other regulatory bodies aren’t going anywhere. Figuring out a compliant strategy now, and being adaptable as regulations evolve is the pinnacle to success.