GDPR has been in effect for almost two years, but there is still confusion amongst sales teams on what sales practices are allowed in Europe. At LeadIQ, we often get questions from our customers about sending emails or making cold calls to their sales leads in the EU and UK. In this article, we focus on the key considerations to help your B2B sales practices stay compliant with GDPR and the other EU privacy laws that regulate this area. At the end of this article, we have included a checklist that summarizes all the points we have covered.
When sales teams obtain the contact information of their sales leads through LeadIQ or other means, they become “controllers” of that “personal data”. GDPR categorizes an organization as a controller when they have the ability to determine the purpose and means of how that personal data gets used or “processed”.
There are various obligations under GDPR that govern how controllers, located both within and outside of the EU, can lawfully process EU personal data. We also wrote about the rights of individuals under GDPR in a previous article. For sales teams prospecting to EU leads, the key considerations are as follows.
Article 6 of GDPR requires organizations to have at least one of the six legal reasons for processing personal data, which are:
The most appropriate lawful basis that our customers have for collecting and using personal data is legitimate interest. GDPR (Recital 47) identifies that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. However, to ensure this lawful basis applies to you, you need to:
For our customers, the purpose of collecting professional contact information through LeadiQ is sales prospecting and to sell a product or service to a business that may benefit from it. The contact information is necessary to fulfill a legitimate business interest, and when applying the balance test, we suggest sales teams follow these practices to ensure your right to do business does not outweigh the rights of the leads you want to contact:
Organizations should already have GDPR compliant policies and procedures in place for handling EU personal data more generally, including dealing with requests from individuals when they exercise their privacy rights, which we wrote about in another article. For sales teams, you must pay extra attention to an individual’s rights under Article 14 of GDPR.
Once our customers have the contact information of a lead through LeadiQ or a third party, Article 14 provides that individual with the right to be informed about the collection and use of their personal data within one month, including for what purpose, the retention period and who you will share the information with. There are a few circumstances when you do not need to provide individuals with this privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them, but they are unlikely to be applicable exceptions.
To fulfill your notification obligations under Article 14 of GDPR:
An often overlooked piece of EU legislation is the Privacy and Electronic Communications Directive (ePrivacy Directive) which first came into force in 2002. One of the areas this Directive covers is “unsolicited communications” for direct marketing purposes, such as the types of consent (opt-in or opt-out) required for sending cold emails or making cold calls.
As it is a Directive rather than a Regulation, EU Member States have discretion over how they transpose it into national laws to achieve the goals set out in the Directive. That means the laws vary slightly between each country. This article will focus on the requirements in the UK’s Privacy and Electronic Communications Regulation (PECR). It should be noted that other countries, such as Germany, have stricter requirements than the UK. A new regulation has been proposed in the EU to replace the ePrivacy Directive, but it has been delayed and is still being finalized.
The rules in PECR restrict unsolicited marketing by electronic means, such as cold calls (live or automated), emails, texts, faxes. There are stricter rules for marketing to individuals compared to marketing to companies, but as our customers are concerned with B2B sales, we will focus on the requirements that need to be met for marketing to companies through cold calling and emails.
You can make live calls without consent to a number if it is not listed on the TPS (UK’s Do Not Call register) AND only if that person hasn’t objected to your calls in the past. Your calls must be fair, which means you must not make any calls that the person would not reasonably expect or which would cause them unjustified harm.
You can email any company, partnership or government body at their corporate email address (e.g. email@example.com). If you are emailing employees who have personal corporate email addresses (e.g. firstname.lastname@example.org), you need to give them the right to opt out of marketing.
The Information Commissioner’s Office has produced a handy summary of the marketing rules for each method of communication.
GDPR - We have checked with our compliance team and confirm that we have GDPR compliant policies and procedures in place to handle EU personal data.
GDPR - We have assessed the lawful bases for collecting and using (processing) professional contact information (personal data) and conclude that we have a legitimate interest that does not override the individual’s interests, rights and freedoms. This is because:
PECR (UK) - When we make cold calls to businesses, we check the following:
PECR (UK) - When we send messages to personal corporate email addresses (e.g. email@example.com), we check the following: