The B2B data space is evolving at break-neck speed, and as it expands, data privacy is a growing concern for consumers, for businesses, and for the people whose job it is to use that data.
One of the hardest parts is that people don’t know where to start. What is GDPR? How do I make sure the data I’m using won’t get me in trouble? How will this impact how I market and sell my solution?
After recently digging into our own compliance and completing a Legitimate Interest Assessment (LIA) for GDPR compliance, we reached out to data providers, marketing automation tools, programmatic advertising companies, and outbound sales tools to get their expertise on how GDPR affects B2B tech teams and what they can do to make sure everything’s compliant.
We interviewed leaders from B2B data and service providers to gain their perspectives on compliance. Their answers cover what GDPR means for buyers and sellers now, how to make sure your data providers are up to standard, and how to market and sell effectively in a B2B landscape while remaining compliant.
We talked to:
- Tapajyoti (Tukan) Das, VP Product Management, Foundry
- Sarah Hicks, Director of Coaching and Consulting, Predictable Revenue
- Logan Neveau, VP of Enablement & Strategy, Metadata
- Sathyanarain (Narain) Muralidharan, Head of Global Field Marketing & Events, BrowserStack
Keep in mind, this article isn’t written by lawyers, but by providers who know the ins and outs from being compliant themselves and from ensuring their customers do the same.
For the sake of honesty, there are a few shameless plugs, but what can I say, it’s written by marketers across the industry. We wouldn’t be doing our jobs if we didn’t shout out our products at least a little bit.
So, what is GDPR?
GDPR, the General Data Protection Regulation, is the EU’s set of rules giving individuals in the EU more control over their personal data. It applies to anyone whose data is processed in connection with the EU, not only to EU citizens, and it aims to harmonise the regulatory environment so both individuals and businesses in the EU can fully benefit from the digital economy.
Data subject rights set out in the GDPR include:
- Right of Access: you may request access to your personal information and obtain a copy of it.
- Right of Rectification: you may request that any inaccurate or incomplete data processed about you be corrected, updated or completed.
- Right to Erasure: you may request that your personal information be deleted, for example once you withdraw the consent it was processed under, or once the data is no longer necessary for the purpose it was originally collected for. If there is no overriding legitimate interest for continuing the processing, the organisation holding the data must erase it.
- Right to Data Portability: you have the right to receive your personal information in a structured, commonly used, machine-readable format.
Questions to ask your third-party data provider
At Foundry, data fidelity and compliance matter. This means double and triple checking our data and processes and completing a Legitimate Interest Assessment (LIA) to make sure we’re doing all we can to be compliant.
That’s why we answered the next question in-house, asking Tukan Das, VP of product management, how to make sure the data you buy fits the bill.
“The most important question to ask your data provider is whether they are processing and sharing any personal data with you. Personal data from a B2B perspective includes first name, last name, email, phone, LinkedIn, social IDs, etc. If they are dealing with personal data, then ask them where they are collecting the data from and ask for the lawful basis for their collecting and processing the data.”
“If they have explicit consent from the data subjects (i.e. professional contacts), ask them how they collected the opt-in and any additional context (terms of service etc.) around it. If they don’t have consent, then they’d probably use legitimate interest as their lawful basis to process the data (most third-party providers would fall under it). Ask them to provide a detailed LIA for their data collection and processing.
In addition to a completed LIA, ask them if they can support blocking of contacts and also provide a full trail of the personal data they have stored on the contacts in a human-readable format.”
If these boxes are all checked, you’re probably good to go. At the end of the day, transparency is key here.
What are the compliance implications of account vs contact-level data?
On which countries GDPR applies to, Metadata’s Logan Neveau says, “You have to be 100% confident that every single person who’s going to see your ad is not a European Union citizen.”
He dives deeper explaining, “They don’t hold double citizenship. They’re not on vacation, and they’re not using a VPN because the VPN can screw with where they’re actually located. So it’s practically impossible. By default, everyone should be treated as if GDPR applies to them if you want to be safe from a legal perspective.”
When it comes to targeting at the contact-level using email addresses from an ads perspective, Neveau says “When you want to target contacts you don’t get to see the Personal Identifiable Information (PII), it’s hashed, encrypted, and passed directly to the API for the data set to Facebook or LinkedIn. So we’re not exposing any PII until you opt-in and you consent saying let’s have a conversation, then we can unmask who that person is.”
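Two mechanics come up in the answers above: the contact “blocking” Das asks providers to support, and the hash-before-upload step Neveau describes for contact-level ad targeting. The Python below is an added illustration, not code from the article, Metadata, Foundry or any ad platform. It assumes the common customer-match convention of SHA-256 over a trimmed, lower-cased address (check your platform’s documented normalisation rules), and the contact list is constructed sample data. It also shows the caveat a security engineer would raise: a hash of an email address is pseudonymous, not anonymous, because anyone holding a list of candidate addresses can recover it.

```python
"""Added example: hashed audience upload and hash-based suppression.
Not the article's or any vendor's code; assumptions are noted inline."""
import hashlib

# Constructed sample input (fictitious addresses, not real people).
SAMPLE_CONTACTS = [
    " Jane.Doe@Example.com ",   # same person as the next entry, different casing
    "jane.doe@example.com",
    "JOHN@EXAMPLE.ORG",
]


def normalise_email(email: str) -> str:
    """Trim whitespace and lower-case. Without this step the same person
    uploaded with different capitalisation yields two different hashes and
    will not match the platform's own record of that user."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """SHA-256 hex digest of the normalised address.
    Assumption: this is the form the target platform accepts for hashed
    audience uploads; verify the exact rules in its documentation."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def filter_suppressed(contacts, suppressed):
    """Drop anyone on a do-not-contact list (the 'blocking' a provider should
    support). Comparison is on hashes so the suppression list itself does
    not need to hold plaintext addresses."""
    blocked = {hash_email(s) for s in suppressed}
    return [c for c in contacts if hash_email(c) not in blocked]


def build_hashed_audience(contacts):
    """Return the deduplicated list of hashes to send to the platform API.
    Duplicates collapse after normalisation, which doubles as a data-quality
    check on the list you bought."""
    seen, out = set(), []
    for contact in contacts:
        digest = hash_email(contact)
        if digest not in seen:
            seen.add(digest)
            out.append(digest)
    return out


def reverse_hash(target_hash, candidates):
    """The caveat: an email hash is pseudonymisation, not anonymisation.
    Given a candidate list (a purchased contact file, a breach dump), the
    plaintext is recovered by hashing each candidate and comparing."""
    for candidate in candidates:
        if hash_email(candidate) == target_hash:
            return normalise_email(candidate)
    return None


if __name__ == "__main__":
    audience = build_hashed_audience(filter_suppressed(SAMPLE_CONTACTS, ["john@example.org"]))
    print(audience)                                   # one hash: Jane, deduplicated
    print(reverse_hash(audience[0], SAMPLE_CONTACTS))  # jane.doe@example.com
```

Because the hash is reversible from any candidate list, treat hashed audience files as personal data under the same lawful basis as the plaintext list, and keep the suppression check in front of every upload rather than relying on the platform to honour opt-outs.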
What’s allowed and not allowed within GDPR compliance?
Now that we’ve talked a bit about the implications of GDPR compliance, we can dive into what we can do with data. There are six lawful bases under which companies may legally collect and process personal data in the European Union. As a marketer, the two that matter most are consent and legitimate interest.
Obtaining consent should be the primary legal basis on which marketers use personal data. In practice this means requiring contacts to opt in to a specific use of their personal information. Specifically, Recital 32 of the GDPR says consent should be given by a:
“Clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
This means that silence, inactivity or pre-ticked boxes do not count as consent. For contact-level data, a clear opt-in process means you can reach those contacts through your usual marketing channels, as long as those uses were clearly stated to the individual when they opted in.
GDPR and Outbound Sales
We’ve said it before and we’ll say it again: data is only as good as its action plan. Now that we know what it takes for intent data to be compliant, how does GDPR affect the processes that intent data feeds into?
Does GDPR mean you can’t do Outbound Prospecting?
“It doesn’t!” says Predictable Revenue’s, Sarah Hicks, “But it does mean you have to play by the rules.”
“GDPR requires permission from the individual to collect, store, and use their personal data. That means that if you’re purchasing lists from a data provider or having someone research/scrape to find data for you – you need to make sure that data is GDPR compliant.”
How can SDRs still be compliant with their email outreach?
Hicks explains “Article 47 of GDPR states that ‘direct marketing purposes may be regarded as carried out for legitimate interest.’”
“Outbound prospecting falls under the umbrella of direct marketing in this context. If you have researched a company and/or buyer persona and write a one-to-one email to a prospect expressing relevant ways you can help them solve an issue or achieve a goal – that probably counts as legitimate interest. What you can’t do under GDPR is send out mass, spray and pray outreach via email.”
How will laws like GDPR affect outbound activity in the future?
This industry changes quickly and without remorse. It’s important to consider not only how your outbound sales activities are compliant today, but how SDRs can stay compliant without interruption going forward. Here’s Hicks’s advice.
“Data security and privacy laws and regulations are becoming increasingly strict. Each region has its own set of privacy acts that are being amended and added to all the time. At the moment, the EU and California have some of the most extensive data privacy regulations in place with GDPR and CCPA, but Canada is close behind with new regulations proposed. As individuals spend more and more time online, they become more concerned about their data security and privacy, and the legal and regulatory systems in countries are catching up.
There are certain business development thought leaders that believe that cold emails will be made completely illegal within the next decade, and some that believe cold calls are a thing of the past thanks to increasingly tight regulations and personal attitudes that find these methods of communication invasive. I think it’s totally plausible that, in future, SDR/BDR activity will be limited to 1 to 1, researched, customized, and relevant outreach,” says Hicks.
BrowserStack’s Sathyanarain (Narain) Muralidharan goes on to explain, “A multi-channel outbound sales strategy is really a powerful way to work within the rules of GDPR. The key is to get permission from a prospect before sending them an outbound sales email.
Once you have your account list, it is always a great practice to warm the prospect up via various channels like social media, and even channels like text messages and cold calls. A multi-channel sales engagement platform like Outplay lets you execute such a sequence at scale across your team of sales reps to ensure you operate within the rules of GDPR.”
GDPR and B2B Advertising
From an advertisement perspective, how will laws like GDPR and CCPA impact B2B marketers?
“The B2B advertising landscape for most of the ABM tools has all been very display focused. There’s a ton of data that you can get within a Display Side Platform (DSP) particularly on cookies and individual user tracking. But with Google’s changes coming to get rid of the ‘cookie-pocalypse’, paired with GDPR, it’s really hard to get that granularity and that visibility. So companies like 6Sense, Demandbase, and Terminus, which have all that intent data based on ad interaction data risk losing that visibility and those signals because you won’t be able to track third-party users via cookies on Chrome” says Neveau.
“Now that we’re working from home, IP is harder to track. And honestly, in GDPR, if you pair it with anything else, it’s no longer uniquely identifiable. So there’s a gray area in GDPR. Is it PII or is it not? Well, I don’t know. It depends. What’s the context? And so there’s hesitation to use IP addresses.”
How will Display Advertising be impacted?
“It’s already been impacted because you can’t target by specific PII signals. The only thing that makes it different is when you’re on Facebook and LinkedIn, you have accepted their terms and conditions, you have to be anonymized yourself in a display environment you have not,” explains Neveau.
“Right now the only way to target someone in a display network is by IP address. So if someone from within this IP address is visiting, show me that. We have lost individual-based targeting and display in the EU because of GDPR.”
How do you see GDPR impacting advertising outside of intent?
“Immediately when GDPR went into effect, you could no longer target an individual user on display in the EU. It’s IP address only so now you’re targeting an entire company. But, in a closed environment like social media, users have logged in, they’ve consented to share their information with Facebook or LinkedIn, platforms know who users are. Because of this, we can still target an individual user within social media. These walled gardens are going to become immensely more valuable in B2B marketing to continue to retain your targeting.”
Neveau goes on to say, “The downside about this is that LinkedIn knows where you work because you’ve told them so they can say, ‘hey, this account has seen your ad X and Y amount of times.’ Facebook or Quora does not. You can still target individuals there, but you can’t report in an ABM fashion. That’ll be quite scary soon because that is one of the metrics that a lot of these ABM platforms report, penetration on these accounts.
So we shouldn’t set up our marketing to drive clicks and impressions, we shouldn’t be reporting on an account-based lift, because it’s not in our favour, it’s only going to get worse. So instead, we want to say, ‘we’ve gotten impressions and clicks in front of these accounts, go ahead and send that to your sales team,’ but don’t hang your hat on that metric. There are holes in those numbers that you could drive a bus through. Use it as a leading indicator, but you should be rolling out, ‘we drove this many qualified inbound requests, we now have a first-party relationship with that user 100%.’”
- When buying data, have open conversations with your provider about where it’s coming from.
- Data privacy and compliance are good for everyone. For providers, it improves data quality and holds everyone accountable to the metrics that matter.
- Compliance at all stages matters. It’s not just about how to acquire data, it’s about using it in compliant ways.
- GDPR and other privacy regulations aren’t going anywhere. Figuring out a compliant strategy now, and staying adaptable as regulations evolve, is key to success.