GDPR: The Good, the Bad, and the Grey

The General Data Protection Regulation (GDPR) was a key component that was highlighted in Sales Hacker’s sales trends and predictions for 2018.

This article dives into an overview of the GDPR, the good, the bad, and the grey areas around this new data privacy regulation.

Before we begin, let’s set a few things straight.

Most of us go through each day repeating the same processes we completed the day before, especially in sales. However, from May 25th this year, doing so will likely put you out of compliance with the GDPR.

You’re likely thinking, I’m based in Austin, Atlanta, New York, (insert US city name here), and this doesn’t apply to me. Unfortunately, that is not the case.

The General Data Protection Regulation (today) only applies to residents of the European Union and to anyone who has personal data related to an EU resident. However, let’s expand that point for a moment:

[Image: gdpr scenarios]

You guessed it, all three scenarios likely put you out of compliance. OK, so what? The EU will surely be fairly reasonable with penalties.

Not quite.

Someone in my organization is likely on top of this, right? Maybe, but you should be sure.

Under a pre-GDPR regime, several companies, including Honda Motors, have already been fined amounts ranging from £10,000 to £70,000 for the mistake of sending emails to consumers who have already opted out. For non-compliance, the GDPR allows for fines “up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher”.

Gartner reported that only half of the impacted organizations will be compliant by year-end. Based on our research, I’d expect half that number.


The Good

The GDPR prioritizes consumer rights over those of business organizations. We expect many countries to follow the EU’s lead. Further, because international businesses will often find it hard to determine which of their records are subject to the GDPR, we expect many of them to apply the regulation broadly across all of their data.

With the Equifax disaster in the news and the ongoing revelations of the breadth of the leak, we may even see similar regulations in the US.

The GDPR is designed to strengthen the regulatory environment for businesses while deterring the theft, misuse, exploitation or neglect of consumer data.

Covering the security, sharing, and export of personal data emanating from EU territories, GDPR supersedes the outdated and optional Data Protection Directive of 1995.

Unfortunately, whether you are an SDR, AE, VP of Sales, VP of Marketing, or CEO, this likely doesn’t bode well for your existing sales and marketing process.

The Bad

The GDPR considers any data relating to an identifiable person as personal data. These include but are not limited to the following:

  • Name
  • Personal and corporate contact information (addresses, mobile numbers, internet accounts, email addresses, etc.)
  • Employee information
  • Answered survey forms
  • Biometric data
  • Location data
  • Online footprint (IP addresses, website cookies)
  • Social media posts
  • Sensitive personal data (racial/ethnic information, sexual orientation, health data, social security data, tax information, driver’s license, banking/credit accounts, etc.)

Consent forms are significantly strengthened and using personal data gathered subject to non-conforming consent forms puts you on a risky footing. In particular, widespread sharing of 3rd party data sources has become much more difficult, and practically speaking, may be banned in many cases.

Companies will have to apply a balancing test, following guidance issued by EU privacy regulators. If their activities do not pass that test against data subjects’ privacy interests, organizations will have to rely exclusively on what users have consented to.

Users are unlikely to consent to many activities. Adding to the complexity, where consent is the basis for processing, each use of personal data has to be consented to individually, with the default set to NO. We expect users to be uninterested in clicking “yes” for 15 different checkboxes.

Unfortunately, it doesn’t stop with just the consent form.

After a data subject (e.g. an attendee of your recent webinar) has opted in through a compliant lead capture form, the individual can request that their data be retrieved or deleted at any time across all 1st and 3rd party systems.

This is not trivial for sales, marketing, and operations teams. Consider all the locations where data may be stored: Salesforce, Marketo, Netsuite, Zendesk, Outreach, the list goes on.

The Grey

In a recent Sales Hacker webinar, attendees indicated that “outbound” was their highest concern related to upcoming privacy regulation. This is no surprise, as the outbound sales development movement has grown exponentially in the last decade.

It’s still unclear how the needs of businesses to conduct marketing and outbound sales will be balanced against data subjects’ privacy rights. What is certain is that many common business practices, particularly the widespread sharing of personal data with third parties, will no longer be permitted.

The solutions will involve:

  • A new focus on inbound and direct customer relationships.
  • Better handling of data used to target customers, which should result in higher quality leads and a more trusting relationship with potential customers.
  • Potentially an increased willingness of customers to share personal data if they are comfortable with what you are doing with it.

Under GDPR, data subjects who have not given consent can be contacted by direct sales by phone if:

“…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

What does this mean? It’s really tough to tell.

Unfortunately, we’ll all be waiting until we have clearer explanations of how the balancing test weighs the legitimate interests of businesses to conduct marketing and sales against personal privacy rights.

However, one thing is certain: organizations will need to have systems in place that can distinguish between compliant opt-ins and individuals who have not consented, across all 1st and 3rd party systems.

What’s in store next?

This movie has a sequel, so in our next installment, we’ll dive into the specific tactics that marketers, sales, and leadership can take to ensure they’re compliant ahead of May 25th and beyond.

Disclaimer: Please be advised that while Sales Hacker is committed to providing helpful and tactical information, we are not lawyers and any information posted here should not be construed as legal advice! Please consult your own legal advisors on the matter and ensure you have proper protection in place. Any decisions you make that impact your outbound processes should be double checked by a qualified licensed professional and are done at your own risk.
