What GDPR Means to American Firms?

Back in May, there was a good deal of news coverage around the European General Data Protection Regulation (GDPR).  Unfortunately, most of the coverage was hyperbolic with a focus on penalties and how few companies had complied.  While the GDPR fear-mongering has died down, there is still a need to understand GDPR and comply with the law, even if you have no operations in Europe.

GDPR was passed several years ago and implemented across the EU on May 25^th.  The law covers how firms hold and protect data related to EU citizens and residents.  It is the citizenry that is subject to protection so the regulation applies to companies even if they have no operations or employees located within the EU zone.  You cannot argue that your digital data management policies aren’t subject to EU regulatory scrutiny simply because you don’t market to Europe.  A study by data hygiene vendor Oceanos found that 4% of contacts with a US postal address were individuals residing in foreign countries.  Thus, even firms that strictly target US businesses are at risk of violating GDPR or the Canadian CASL email regulation.  Furthermore, GDPR penalties are potentially draconian, reaching up to 4% of revenue or €20 million, whichever is greater.

To make matters worse, there is no single standard across the EU zone, so countries differ in their approach to enforcement.  In the UK, the Information Commission Office (ICO) has set a good faith standard, but other countries may be more aggressive in their rule interpretation and enforcement. 

“I have no intention of changing our proportionate and pragmatic approach,” said ICO Information Commissioner Liz Denham.  “Hefty fines will be reserved for those organizations that persistently, deliberately, or negligently flout the law.”

Both data vendors and individual companies are subject to the law. Simply licensing data from a GDPR compliant vendor does not make a firm GDPR compliant. It is the processing of the data which makes companies subject to the law. However, working with GDPR compliant vendors is a necessary first step.

The EU expects to pass uniform ePrivacy legislation covering external communications by the end of 2019, but the current focus is on data privacy, not messaging.  Thus, opt-in and opt-out rules are country specific.  The law is channel agnostic so covers a broad set of digital communications including phone, email, social, and programmatic.

Legitimate Interest

There are six “lawful bases” for processing personal data about clients and prospects, all of which have equal weight: Consent, Contract, Legal Obligation, Vital Interest, Public Task, and Legitimate Interest.  Of these, Consent (e.g. opt-in) and Legitimate Interest are the most common for B2B sales and marketing teams.  Support and service departments would most likely be covered under contractual relationships.

“Legitimate Interest aims to provide a solid and lawful basis upon which commercial communication can occur, allowing marketers to promote their products and services to a targeted and well-defined audience,” said Rhetorik Data Protection Officer Samantha Magee.  “At its heart, is the desire to ensure that commercial practices and communications are relevant to the individual, offering the assurance that high standards of care are applied and that their essential privacy rights are considered of the utmost importance.”

Once the legal basis of holding personal data is defined, companies have additional conditions to meet around transparency (notification and the right to object), data minimization (Is there a legitimate interest in collecting all of the fields? How long is data retained?), and reasonable expectation (limited impact to personal and private life; ensuring data accuracy and security).

For individuals who opt out, firms must retain suppression lists to prevent the re-collection of personal information.  The suppression list should store the minimal information required to ensure the individual is not added back into the marketing database at a later date.  With B2B, the list may simply be name and email.

GDPR Proponents

While the GDPR appears to be a hindrance to sales and marketing, several US technology firms including Salesforce, Microsoft, and SugarCRM have taken a leadership position in calling for a US GDPR.  Microsoft called privacy a “fundamental human right” and has built GDPR compliance into its platforms.

Salesforce CMO Simon Mulcahy stated that many companies simply view GDPR as a compliance issue and nuisance, not an opportunity to align company interests with customer desires.  “It is a compliance issue, but it’s also a phenomenal opportunity to give your customers what they want. What they want is to know that when they give you their data, you’re looking after it appropriately.”

Account Based Marketing

GDPR is another reason for firms to shift from broad demand generation strategies to targeted ABM campaigns.  Focusing your sales and marketing activity around best-fit accounts provides a Legitimate Interest compliance basis.  Well-targeted accounts and contacts are more likely to be interested in your offering so there is a legitimate reason to be holding and processing data around those accounts.  Conversely, “batch and blast” campaigns are more likely to be subject to regulatory scrutiny as it is difficult to argue that a good faith effort was made to establish a Legitimate Interest basis for data processing and communications. 

Utilizing Sales Engagement platforms such as Koncert Cadence, which supports direct, personalized communications between sales reps and prospects buttresses the Legitimate Interest position as sales reps will spend little time messaging non-qualified prospects.  Sales Engagement platforms support sincerity and authenticity across multi-channel communications.

“GDPR is about protecting our interests from unlawful behavior. GDPR removes unwanted cold calls, email campaigns, and any other processing that we haven’t agreed to. A transparent and fair existence for all ” said Johnty Mongan, Managing Director of the Mongan Group.

Authenticity, trust, personalization, and targeted messaging – not a bad set of benefits from EU regulatory compliance.

Also Published on Medium