GDPR Compliance: Is Your Sales Team Ready?
Any salesperson or marketer who hasn’t heard about the GDPR by now is in for a bumpy (and potentially litigious) ride.
The GDPR stands for the General Data Protection Regulation, a recent EU law that sets the rules for anyone handling personal data about EU residents.
You might think only IT teams and marketing specialists would need to worry about compliance with these news regulations. But the GDPR change could have significant implications for you and your sales team.
Even when you’re selling to a business, you interact with individuals and their personal data each and every day – meaning many of your activities fall under the GDPR scope.
When is the GDPR change (and why does compliance matter)?
GDPR enforcement will begin on 25 May 2018 and you don’t want to be caught off guard.
The authorities see salespeople as data controllers who bear the brunt of the responsibilities under the law. If you’re unprepared, you’ll feel the wrath – salespeople will receive no special treatment.
Failure to comply can lead to crippling fines of up to 20 million euros (a significant portion of annual turnover for even the largest of global companies).
How do you make sure of your sales team’s GDPR compliance?
Going through all 99 articles of the legislation is enough to frighten a team of well-practiced lawyers, let alone salespeople who have calls to make, meetings to hold, and emails to send.
There’s no need to panic. You shouldn’t feel like you need to put a pause on your business until you’re up to speed. You have plenty of time to make your processes compliant and you only need to understand a fraction of the legislation.
I’m about to simplify this potentially mind-numbing web of legal mystery so you know exactly what actions you need to take to prepare you and your sales team for GDPR compliance.
3 sales-specific GDPR lessons to keep your team safe
I want to help you find the needle you are looking for in the GDPR haystack.
Although it helps to have a broad understanding of the entire GDPR – you really need to make sure you understand the principles of the GDPR which are set out in Article 5.
In particular, salespeople need to follow the 3 key directives outlined below.
#1. Gather only data you need and make sure you have lawful grounds to process this
The GDPR includes a limited list of acceptable reasons for gathering data you do not need and “it might be useful at some point in the future” is not one of them.
Develop a process designed to generate as little data as possible. Regardless of the GDPR, minimizing the data collection process for a salesperson only makes her job easier (more time to chase down quality leads and less time spent managing admin).
If you need the data for your contract with the person or for your legitimate interests (according to GDPR Recital 47, direct marketing passes this test!) you should have no problems – as long as you define and explain your need to the data subject.
Otherwise, you must ask for consent.
Don’t underestimate the difficulty of this task. Gathering the proof points you need for consent is much more complicated than it sounds. Consent has to be freely given, specific, informed and unambiguous. This needs to come through an affirmative action (pre-ticked boxes aren’t allowed).
You’ll have to record the consent and you need to be prepared and able to remove the relevant data if the person changes their mind.
#2. Be open about your actions and prepare for data subject requests
Protecting the individual is a core purpose of the GDPR.
As a salesperson, you should make sure your customers are well informed of what you’re doing with their data and why you’re doing it.
You also need to be prepared for your customers exercising their right to have access to the data. You need to make this process possible, and you need to be able to delete this data on request of the contact.
#3. Keep the data safe and delete it when you’re finished with it
You cannot have privacy without security.
The GDPR requires you to make sure you have appropriate security for any personal data you process. This means strong passwords, access controls, and industry standard technical security measures are an absolute must.
Additionally, you should establish a system to make it clear when data needs to be deleted. Establish specific triggers when certain conditions are met to live up to that commitment and automate the deletion process – you’ll save time and reduce your anxiety in the long-term.
How the GDPR impacts 3 important sales situations
#1. Cold Calling
The GDPR does not currently prohibit you from making calls to potential customers but for accountability purposes, you should note down when you made the call and how long the call lasted.
You should also keep track of whether the person was open to being contacted again. Pipedrive’s activities feature will help you handle this easily. You can pair this with one of Pipedrive’s many calling integrations to help you make this recordkeeping as simple as possible.
#2. Cold Emailing
This is a tricky topic with interpretations varying from one source to another.
The recitals of the GDPR allow for direct marketing to be considered as a legitimate interest but more specific rules will be put in place with the ePrivacy Regulation which is set to replace the current ePrivacy Directive in a year or so.
At present, the GDPR does consider direct marketing as a legitimate reason for salespeople to collect data. However, more specific rules will be established in the near future (around 12 months time) when the ePrivacy Regulation changes will replace the existing ePrivacy Directive.
You need to watch this space and make sure you and your team stay compliant when these changes are announced.
Regardless, the lesson here is clear – you need to be very careful about cold emailing.
Your legitimate interests are always weighed against the data subject’s right to privacy. If you can’t make it clear why this particular person might want to hear from you, you will likely fail this test.
This spells the end of purchased lists.
If you still rely on these for lead generation, you’ll need to develop a new approach before the GDPR deadline day.
On the positive side, any opt-in lists that you maintain will likely contain higher quality leads, leading to smaller but more impactful databases.
There is a particular exception. You are allowed to reach out to people whose email address you obtained in the course of a sale unless they have opted out (a fact you’ll need to record). However, even in this circumstance, you’ll need to prove the email you send is about products or features related to the initial sale.
#3. Email Tracking
A tracked email gives salespeople critical information to help with the decision on how to proceed with any given lead.
The data you collect about the recipient’s interactions with the email will now qualify as personal data – which means it will be subject to the GDPR.
The Article 29 Working Party (the EU body that issues guidelines on data protection) has specifically called out email tracking as a concern particularly due to the fact the recipient is unaware of the tracking.
Unfortunately, this is a significant blow you and your sales team will have to absorb.
The lack of transparency involved with email tracking is contrary to the GDPR. That’s why the Working Party is calling for you to gain explicit prior consent in these cases.
There is conjecture within the industry about how this email tracking legislation will be policed and whether this will be enforced. It is hard to give definitive advice on how to avoid any potential penalty. Transparency is the aim of the GDPR, so you need to be open and clear about this tracking.
At this point, it’s best to play it safe and start working on a way to gather consent for email tracking by the time the GDPR goes live.
How Pipedrive will help you manage the GDPR
With three offices and strong roots in Europe, the team at Pipedrive is well informed of the implications of the GDPR and we understand exactly how important these changes can be for Pipedrive users.
We’ve been preparing for a while now and we will continue to make improvements that are guided by the requirements and spirit of the GDPR.
Internally, we’ve added elements to our processes in the development and adoption of tools to make sure our features and integration partners meet GDPR requirements.
We have created a structured system to respond to data subject requests to delete, modify or transfer their data. We’re also in the process of moving EU customers’ databases to the EU datacenter in Frankfurt.
All of these specific changes are supported by extensive training efforts within the company so that we can make sure the GDPR compliant processes we’ve put in place are properly followed.
For further info on our efforts to upgrade and detailed explanations of GDPR compliance when using Pipedrive, make sure you read this article in our Support Center and circulate the info across your team.