If your company markets to, sells, or otherwise engages prospects in Europe, GDPR should be on your radar.
I know these conversations are taking place in legal and IT departments, but I haven't seen much awareness for SDR or AE VPs, Directors, or Managers. So, this is your polite wake-up call. If you haven't paid much attention to the General Data Protection Regulation (GDPR), that is likely to change. And soon.
This brief post is my attempt to give you an assist.
High Level. What's GDPR?
The EU General Data Protection Regulation (GDPR) sets out a new, unified privacy law for Europe. The new law is relevant not just to businesses established in Europe; it will also apply to entities worldwide that provide goods and services to individuals in Europe, and online platforms and other website operators that are accessible from Europe. - McDermott Will & Emer
Net-net, GDPR applies to any organization that retains, processes, or profiles the data of individuals in Europe. Broadly, this seems to include the European Union and the European Economic Area. As you might suspect, prospecting (including cold, outbound emailing) most certainly involves profiling, processing, and retaining individual data.
Why Should You Care?
Fair question. GDPR includes substantial fines for non-compliance. Article 83(5)(a) states that infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €10/20 million, or 2%/4% of your total worldwide annual turnover*, whichever is higher. (* It's complicated.)
Think about your revenue-tech stack.
You likely have marketing automation, CRM, email tracking tools, IP lead tracking on your website, and perhaps a BI tool thrown in there as well. GDPR includes a right to erasure should an individual withdraw their consent. Are you set up to handle those requests across all those systems?
What Should You Do?
First, talk to your own legal counsel. This stuff is complex. Second, check out this webinar featuring Daniel Barber that was put on by SalesHacker: How Sales and Marketing Can Prepare for GDPR. Daniel provides a great read in on interpretations and implications.
What's All This Mean for Outbound?
On the webinar, Daniel discusses "how to prepare for outbound in 2018." He brings up the concept of legitimate interest. From the Information Commissioner's Office (ICO):
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
My key takeaway from what Daniel shared was that cold outreach (including email) appropraitely balances the legitimate interest of the vendor with the privacy interests of the individual being prospected. But the balance is delicate.
Emailing a prospect once as part of outreach?Likely permitted.
Emailing a prospect multiple times with an opt-out link?Likely permitted.
Emailing a prospect 10+ times whether or not they respond? Questionable.
So how should SDRs and AEs handle non-responses to their cold outreach? Should 50 emails without a reply be consider implied opt-out? What about 5? This seems to be the grey area.
If you or your legal team have done any work around GDPR, please share in the comments. I'll update this post to include your insights. This is a hot topic and one we all need to start paying attention to.
Additional reading:
- Guide to the General Data Protection Regulation (ICO)
- Can Companies Still Cold Call Under the GDPR? (Greenlight CRM)
- A Primer on GDPR and Marketing Data Protection Best Practices (DiscoverOrg)
- The Ultimate Legal Guide to Email Outreach (Nina Cvijovic)