The General Data Protection Regulation comes into force in May 2018. At face value, it makes for some scary reading as it could fundamentally change the inner workings of many B2B sales teams.
With official guidance still limited (and somewhat sketchy), it’s difficult to say exactly how GDPR will affect SMEs. Be wary when reading online information from experts in this field; I have seen many contradictory interpretations of some critical definitions. I’ve also seen some posts claiming that B2B Sales Armageddon is upon us and some purporting that it will be Business As Usual come May 2018.
At Adenzo, we think the reality will be somewhere in between. There are many things to consider with GDPR. This blog post aims to add perspective to the top concerns faced by our current and prospective users.
Sending B2B Emails
Let’s start with the top concern: That you will no longer be able to send an email to someone you don’t know. Under current legislation, sending emails to consumers without their consent is a serious no. Sending emails to business people without their consent can also be a problem if abused. But for a sales guy to send an email from his business email account to another person’s business email account is generally okay if:
1 – It’s relevant and business related (e.g. you are not selling performance enhancing pills)
2 – It’s personal and preferably text based (e.g. it addresses the contact by name and is not formatted mainly with HTML)
3 – You act on their request to not contact them again. And this is really important.
The new GDPR may change this. Currently, B2B emails sent in the manner described above are generally considered to be ‘Opt Out’. However, fears are that come May 2018, B2B emails will be treated in the same way as consumer emails and be ‘Opt In’. This could mean people would end up in breach under a myriad of scenarios that the regulation is not meant for.
So if we look at the driving purpose of GDPR and the practices it’s meant to curtail, we believe you’ll be in trouble if:
Your email is not relevant. You are going to hear the term ‘Legitimate Interest’ used a lot in the run up to May 2018. Currently, interpretation of the term is all we have. But if you’re selling Bulls and regularly contacting China Shop owners, expect a knock on your door from the ICO.
Your emails are obviously bulk. Even if it’s sent from your own email address. We have long been advocates of sending no more than 50 emails a day to new contacts. Quality over Quantity. But our advice is not always taken and some people are happy with the reasonable results they get from sending a couple thousand emails in one hit. But under GDPR, this kind of activity will likely be considered a breach. Depending upon your company size and number of emails sent, this could be a real problem.
You don’t remove someone from your database when requested. Most CRMs have a ‘do not contact’ checkbox and Adenzo won’t allow you to send an email to someone who has asked not to be contacted again. But under GDPR, this won’t be enough. You’ll need to actually remove the contact and provide evidence that you have done this if requested. Yup, delete them – ‘The Right To Be Forgotten’. This creates an obvious problem but we won’t complicate matters further by exploring it here…
Storing and Processing Contact Information
GDPR tries to remove the distinction between a consumer and a ‘person in a business’. An ‘individual’ is an ‘individual’, regardless of his or her employment status. So John Doe, when he is the avid mountain biking ‘consumer’ (email@example.com), is considered and treated the same as John Doe when he is working as a Financial Analyst for Bloomberg (firstname.lastname@example.org).
Many interpretations of GDPR form the opinion that John Doe must give ‘unambiguous and explicit consent’ for you to store his name and job title in a database – such as your CRM.
Sounds crazy, right? What about Google? Google your own name and you’ll likely come up in the search results. Google is a database. Having your name in that database and serving up results is technically ‘processing’ your data. Did you give Google permission to do this? Explicitly? Didn’t think so. Does this mean that Google now needs to remove every ‘name’ from its database? Yup. A literal interpretation of GDPR would require this. But wait… I know a guy called William Shakespeare who lives not far from me. So Google will need to remove him from the database? Oh… but hang on… One can start to see how this becomes impractical.
In our opinion, how you choose to store and process ‘individual’ information determines if the ICO is going to come knocking. Some of these issues may be:
Insecure or Open Database. If you’re storing contact details on a Google spreadsheet without access controls, you could be in trouble. Or if your CRM isn’t secure or you don’t have strict user access controls, and you get hacked, this could be determined as a breach.
You don’t use this information in the Legitimate Interest of the individual. If you’re collecting and storing information on individuals that are irrelevant to your business, it is of no benefit to them and puts their information at undue risk. If your customers are Finance Directors in Pharmaceutical companies, you’d better have a good reason for having details of HR Managers in Car Rental firms.
So What’s Next?
In conclusion, we feel that GDPR will be a problem for those companies that ignore it and currently adopt questionable and inefficient practices when storing and processing individuals’ contact information. Those that acknowledge GDPR and take steps to secure that information, learn from breaches and are ‘sensible’ with how they use that data (email, phone etc.) will be safe from prosecution.
Remember that modern day legislation and regulation must be tested in the courts – especially where it contains ambiguity. In the past, the ICO has always acted with restraint and fairness. And whilst there will almost certainly be an increase in its powers and resources, there is little reason to suspect they will be draconian towards those companies whose conduct is interpreted to be compliant.
And at Adenzo, we’re working on the tools and features to keep you on the right side of that ‘compliance’ line.
Please feel free to get in touch with any questions or concerns you have over GDPR and how it might affect your current business development and sales processes.