GDPR Checklist for Sales teams

We're often asked how sales teams can remain GDPR compliant. This document will help you and your team prepare.

Disclaimer: The content in this article is not to be considered legal advice and should be used for information purposes only.

GDPR has been in effect for almost two years, but there is still confusion amongst sales teams on what sales practices are allowed in Europe. At LeadIQ, we often get questions from our customers about sending emails or making cold calls to their sales leads in the EU and UK. In this article, we focus on the key considerations to help your B2B sales practices stay compliant with GDPR and the other EU privacy laws that regulate this area. At the end of this article, we have included a checklist that summarizes all the points we have covered.


GDPR - can we collect contact information for sales prospecting?

When sales teams obtain the contact information of their sales leads through LeadIQ or other means, they become “controllers” of that “personal data”. GDPR categorizes an organization as a controller when it has the ability to determine the purpose and means of how that personal data gets used or “processed”.


There are various obligations under GDPR that govern how controllers, located both within and outside of the EU, can lawfully process EU personal data. We also wrote about the rights of individuals under GDPR in a previous article. For sales teams prospecting to EU leads, the key considerations are as follows. 


What is our “lawful basis” for processing the personal data?

Article 6 of GDPR requires organizations to have at least one of the six legal reasons for processing personal data, which are:

  1. Consent - Explicit consent from the individual for the purpose of marketing to them.
  2. Contract - Processing of the data is necessary to fulfill a contract with that individual.
  3. Legal obligation - Processing of the data is necessary to comply with the law.
  4. Vital interests - Processing of the data is necessary to protect the individual’s life.
  5. Public task - Processing is necessary for you to perform a task in the public interest.
  6. Legitimate interest - Processing of the data is necessary for your legitimate interest, and your interest does not override the interests or fundamental rights and freedoms of the individual.

Tips:

The most appropriate lawful basis that our customers have for collecting and using personal data is legitimate interest. GDPR (Recital 47) identifies that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. However, to ensure this lawful basis applies to you, you need to:

  1. identify a legitimate interest;
  2. show that the processing is necessary to achieve it; and
  3. balance it against the individual’s interests, rights and freedoms.


For our customers, the purpose of collecting professional contact information through LeadIQ is sales prospecting and to sell a product or service to a business that may benefit from it. The contact information is necessary to fulfill a legitimate business interest, and when applying the balance test, we suggest sales teams follow these practices to ensure your right to do business does not outweigh the rights of the leads you want to contact:


  • Collect only necessary information for contacting the leads, such as name, business contact email and telephone number, company profile and address. Do not collect personal contact information.
  • Research and ensure you are collecting the contact information of leads who are in the relevant roles and will have an interest in the product or service you want to sell to their organization.

What else do we have to do to comply with GDPR?

Organizations should already have GDPR compliant policies and procedures in place for handling EU personal data more generally, including dealing with requests from individuals when they exercise their privacy rights, which we wrote about in another article. For sales teams, you must pay extra attention to an individual’s rights under Article 14 of GDPR.


Once our customers have the contact information of a lead through LeadIQ or a third party, Article 14 provides that individual with the right to be informed about the collection and use of their personal data within one month, including for what purpose, the retention period and who you will share the information with. There are a few circumstances when you do not need to provide individuals with this privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them, but they are unlikely to be applicable exceptions.


Tips:

To fulfill your notification obligations under Article 14 of GDPR:

  1. You should have a clear and transparent Privacy Policy that covers the privacy information you need to provide to individuals. 
  2. Consider how to inform the leads about the processing of their personal information within a reasonable amount of time, including how they can opt out of marketing communications. This could be covered in your first outreach.
  3. Make sure the way you reach out to your leads is compliant, which is the next topic we will look at.

ePrivacy Directive - what sales practices are allowed?

An often overlooked piece of EU legislation is the Privacy and Electronic Communications Directive (ePrivacy Directive) which first came into force in 2002. One of the areas this Directive covers is “unsolicited communications” for direct marketing purposes, such as the types of consent (opt-in or opt-out) required for sending cold emails or making cold calls. 

As it is a Directive rather than a Regulation, EU Member States have discretion over how they transpose it into national laws to achieve the goals set out in the Directive. That means the laws vary slightly between each country. This article will focus on the requirements in the UK’s Privacy and Electronic Communications Regulation (PECR). It should be noted that other countries, such as Germany, have stricter requirements than the UK. A new regulation has been proposed in the EU to replace the ePrivacy Directive, but it has been delayed and is still being finalized.

Can you legally make cold calls and send emails in the UK?

The rules in PECR restrict unsolicited marketing by electronic means, such as cold calls (live or automated), emails, texts and faxes. There are stricter rules for marketing to individuals compared to marketing to companies, but as our customers are concerned with B2B sales, we will focus on the requirements that need to be met for marketing to companies through cold calling and emails.

Cold Calling (live)

You can make live calls without consent to a number if it is not listed on the TPS (UK’s Do Not Call register) AND only if that person hasn’t objected to your calls in the past. Your calls must be fair, which means you must not make any calls that the person would not reasonably expect or which would cause them unjustified harm.


Tips:

  1. Keep a ‘do not call’ list of individuals who have objected or opted out of your calls.
  2. Screen your call lists against the TPS register and your own ‘do not call’ list before making any cold calls. LeadIQ does not currently screen numbers against Do Not Call lists.
  3. Only use an individual’s business phone number. Make sure your call is fair by directing calls to leads at an organization that would be interested in and benefit from your product or service (see GDPR section above). This means you need to properly research and qualify your leads.
  4. Clearly state who you are and why you are calling them at the start of a call. Be prepared to talk about your Privacy Policy (see GDPR section above).
  5. If the lead is interested in your product or service on the call, ask for their explicit consent to send a follow up email with further information and record their consent.
  6. If the lead is not interested and does not want to be called again, add them to your ‘do not call’ list.


E-mail

You can email any company, partnership or government body at their corporate email address (e.g. contact@company.com). If you are emailing employees who have personal corporate email addresses (e.g. name@company.com), you need to give them the right to opt out of marketing. 

Tips:

  1. Keep a ‘do not email’ list of any businesses that have objected or opted out of your emails.
  2. Only use an individual’s corporate email address. Make sure the lead you contact at an organization would be interested in and benefit from your product or service (see GDPR section above). This means you need to properly research and qualify your leads. 
  3. The content of the email should be tailored so that you can show how the product or service you are selling is relevant and beneficial to the recipient’s job role at their organization. 
  4. Include information that points to your Privacy Policy and an easy way for them to opt out of these communications in your email (see GDPR section above). If they opt out, make sure this gets actioned immediately. 

The Information Commissioner’s Office has produced a handy summary of the marketing rules for each method of communication.


Checklist for sales teams


GDPR - We have checked with our compliance team and confirm that we have GDPR compliant policies and procedures in place to handle EU personal data. 

GDPR - We have assessed the lawful bases for collecting and using (processing) professional contact information (personal data) and conclude that we have a legitimate interest that does not override the individual’s interests, rights and freedoms. This is because:

  1. We only collect the necessary information for contacting the leads, such as name, business contact email and telephone number, company profile and address. We do not collect a lead’s personal contact information.
  2. We only collect the contact information of leads who are in relevant roles and will have an interest in the product or service we want to sell to their organization.

GDPR - We have a process in place to ensure that we will be able to notify the individuals about the processing of their personal information within one month of obtaining it. For example, this is done as part of our first outreach.

PECR (UK) - When we make cold calls to businesses, we check the following:

  1. The phone number is not on the TPS register or our own ‘do not call’ list.
  2. We only call professionals in job roles at an organization that will be interested in our product or service. We are not calling personal numbers.
  3. On the calls, we clearly state who we are and why we are calling them at the start of a call. We are prepared to talk about our company’s Privacy Policy.
  4. If the individual is interested in our product or service on the call, we ask for their explicit consent to send a follow up email.
  5. If the individual is not interested and does not want to be called again, we add them to our ‘do not call’ list.


PECR (UK) - When we send messages to personal corporate email addresses (e.g. name@company.com), we check the following:

  1. We only email corporate email addresses and not personal email addresses. When we email a professional, we make sure it is targeted and that they are in job roles at an organization that will be interested in our product or service.
  2. We tailor the content of our emails for the recipient and ensure we include information that points to our Privacy Policy and includes an easy way for them to opt out of receiving communications. We do not send out generic mass emails.
  3. If the recipient opts out, we make sure that it is actioned internally so they no longer receive marketing communications from us.

Other EU countries - If we want to cold call or email professionals in other EU countries (outside of the UK), we check the legal requirements for direct marketing in that country.