GDPR Compliance: Is Your Sales Team Ready?

Are You Ready For GDPR Compliance?

Any salesperson or marketer who hasn’t heard about the GDPR by now is in for a bumpy (and potentially litigious) ride.

The GDPR stands for the General Data Protection Regulation, a recent EU law that sets the rules for anyone handling personal data about EU residents.

You might think only IT teams and marketing specialists would need to worry about compliance with these new regulations. But the GDPR change could have significant implications for you and your sales team.

Even when you’re selling to a business, you interact with individuals and their personal data each and every day – meaning many of your activities fall under the GDPR scope.

When is the GDPR change (and why does compliance matter)?

GDPR enforcement will begin on 25 May 2018 and you don’t want to be caught off guard.

The authorities see salespeople as data controllers who bear the brunt of the responsibilities under the law. If you’re unprepared, you’ll feel the wrath – salespeople will receive no special treatment.

Failure to comply can lead to crippling fines of up to 20 million euros (a significant portion of annual turnover for even the largest of global companies).

How do you make sure of your sales team’s GDPR compliance?

Going through all 99 articles of the legislation is enough to frighten a team of well-practiced lawyers, let alone salespeople who have calls to make, meetings to hold, and emails to send.

There’s no need to panic. You shouldn’t feel like you need to put a pause on your business until you’re up to speed. You have plenty of time to make your processes compliant and you only need to understand a fraction of the legislation.

I’m about to simplify this potentially mind-numbing web of legal mystery so you know exactly what actions you need to take to prepare you and your sales team for GDPR compliance.

3 sales-specific GDPR lessons to keep your team safe

I want to help you find the needle you are looking for in the GDPR haystack.

Although it helps to have a broad understanding of the entire GDPR, you really need to make sure you understand the principles of the GDPR, which are set out in Article 5.

In particular, salespeople need to follow the 3 key directives outlined below.

#1. Gather only data you need and make sure you have lawful grounds to process this

The GDPR includes a limited list of acceptable reasons for gathering data, and “it might be useful at some point in the future” is not one of them.

Develop a process designed to generate as little data as possible. Regardless of the GDPR, minimizing the data collection process for a salesperson only makes her job easier (more time to chase down quality leads and less time spent managing admin).

If you need the data for your contract with the person or for your legitimate interests (according to GDPR Recital 47, direct marketing passes this test!) you should have no problems – as long as you define and explain your need to the data subject.

Otherwise, you must ask for consent.

Don’t underestimate the difficulty of this task. Gathering the proof points you need for consent is much more complicated than it sounds. Consent has to be freely given, specific, informed and unambiguous. This needs to come through an affirmative action (pre-ticked boxes aren’t allowed).

You’ll have to record the consent and you need to be prepared and able to remove the relevant data if the person changes their mind.

#2. Be open about your actions and prepare for data subject requests

Protecting the individual is a core purpose of the GDPR.

As a salesperson, you should make sure your customers are well informed of what you’re doing with their data and why you’re doing it.

You also need to be prepared for your customers exercising their right to access their data. You need to make this process possible, and you need to be able to delete this data at the contact’s request.

#3. Keep the data safe and delete it when you’re finished with it

You cannot have privacy without security.

The GDPR requires you to make sure you have appropriate security for any personal data you process. This means strong passwords, access controls, and industry standard technical security measures are an absolute must.

Additionally, you should establish a system that makes it clear when data needs to be deleted. To live up to that commitment, define specific triggers that fire when certain conditions are met and automate the deletion process – you’ll save time and reduce your anxiety in the long term.

How the GDPR impacts 3 important sales situations

#1. Cold Calling

The GDPR does not currently prohibit you from making calls to potential customers but for accountability purposes, you should note down when you made the call and how long the call lasted.

You should also keep track of whether the person was open to being contacted again. Pipedrive’s activities feature will help you handle this easily. You can pair this with one of Pipedrive’s many calling integrations to help you make this recordkeeping as simple as possible.

#2. Cold Emailing

This is a tricky topic with interpretations varying from one source to another.

The recitals of the GDPR allow direct marketing to be considered a legitimate interest, so at present the GDPR does consider direct marketing a legitimate reason for salespeople to collect data. However, more specific rules will be established in the near future (in around 12 months) when the ePrivacy Regulation replaces the current ePrivacy Directive.

You need to watch this space and make sure you and your team stay compliant when these changes are announced.

Regardless, the lesson here is clear – you need to be very careful about cold emailing.

Your legitimate interests are always weighed against the data subject’s right to privacy. If you can’t make it clear why this particular person might want to hear from you, you will likely fail this test.

This spells the end of purchased lists.

If you still rely on these for lead generation, you’ll need to develop a new approach before the GDPR deadline day.

On the positive side, any opt-in lists that you maintain will likely contain higher quality leads, leading to smaller but more impactful databases.

There is a particular exception. You are allowed to reach out to people whose email address you obtained in the course of a sale unless they have opted out (a fact you’ll need to record). However, even in this circumstance, you’ll need to prove the email you send is about products or features related to the initial sale.

#3. Email Tracking

A tracked email gives salespeople critical information to help with the decision on how to proceed with any given lead.

The data you collect about the recipient’s interactions with the email will now qualify as personal data – which means it will be subject to the GDPR.

The Article 29 Working Party (the EU body that issues guidelines on data protection) has specifically called out email tracking as a concern, particularly because the recipient is unaware of the tracking.

Unfortunately, this is a significant blow you and your sales team will have to absorb.

The lack of transparency involved with email tracking is contrary to the GDPR. That’s why the Working Party is calling for you to gain explicit prior consent in these cases.

There is conjecture within the industry about how this email tracking legislation will be policed and whether this will be enforced. It is hard to give definitive advice on how to avoid any potential penalty. Transparency is the aim of the GDPR, so you need to be open and clear about this tracking.

At this point, it’s best to play it safe and start working on a way to gather consent for email tracking by the time the GDPR goes live.

How Pipedrive will help you manage the GDPR

With three offices and strong roots in Europe, the team at Pipedrive is well informed of the implications of the GDPR and we understand exactly how important these changes can be for Pipedrive users.

We’ve been preparing for a while now and we will continue to make improvements that are guided by the requirements and spirit of the GDPR.

Internally, we’ve added elements to our processes in the development and adoption of tools to make sure our features and integration partners meet GDPR requirements.

We have created a structured system to respond to data subject requests to delete, modify or transfer their data. We’re also in the process of moving EU customers’ databases to the EU datacenter in Frankfurt.

All of these specific changes are supported by extensive training efforts within the company so that we can make sure the GDPR compliant processes we’ve put in place are properly followed.

For further info on our efforts to upgrade and detailed explanations of GDPR compliance when using Pipedrive, make sure you read this article in our Support Center and circulate the info across your team.


Martin Ojala

Martin is Data Protection Officer at ‎Pipedrive.

  • Jack Lipp

    Very interesting article – I found this very useful and a good guide I will keep in mind moving forward.
    Looking forward to more similar comms on this. Thank you.

  • Thanks for putting this article together Martin. This is probably the most well written and “down to earth” article that I’ve found on the topic.

  • Leland

    Great article Martin.

    Good to see you guys are still kicking much ass. 😉

  • Olivier Staquet

    Thanks Martin for this clarification. I finally found another realistic guy 🙂
    I also worked on a “down to earth” (as said by Omar) plan for GDPR due to the lack of clarity for small businesses.
    For readers interested, I published free templates on https://www.gdpr-handbook.eu to get ready and there is also a handbook on Amazon http://azon.ly/wybw .

  • Elina Nygård

    Thank you for the great post, Martin!

    Also for those who are interested in reading more about the changes, I found HubSpot’s GDPR info very useful, too!
    https://legal.hubspot.com/hubfs/Downloadable_Legal_Docs/HubSpot_Your_Data_and_You.pdf?hsCtaTracking=3420634d-c28d-4c63-8c1c-9e2902de1dc8%7C979cdc8e-376e-4977-bc94-d1f6a3e938c2

  • Erik van Dorp

    Hi! What procedures do you have in place related to Pipedrive’s e-mail tracking feature? Do I have to ask consent from each of my prospects/clients and ask if it is ok to track if he opens the mail and clicks in it? That would be very weird (and Mailchimp users would have a huge problem). Can you elaborate on this point please?

    • newton1977

      Martin, I’d also love clarification on Erik’s comment. I was hoping I could just include in my email disclaimer that all emails are tracked but obviously that assumes consent which is against GDPR rules.

    • Martin Ojala

      Hi Erik (and newton1977),
      Email tracking is indeed a complicated matter under the GDPR and we’ve had a similar question under the email tracking blog post. My explanation there was:

      “In 2006, the Article 29 Working Party did indeed express the opinion that email tracking should only be done with prior consent. While not binding, the WP29 opinions often indicate how the laws are applied, so our first recommendation must be to follow these guidelines. At the same time, it should be noted that the primary concern raised in the WP29 opinion was the lack of transparency (a principal requirement of the GDPR) in email tracking, i.e. that the recipients are unaware that the emails are being tracked. Therefore, if a controller can prove sufficient transparency (that the recipient has been informed), then they should be able to track emails in accordance with other legal bases listed in Article 6 (1) as well.”

      Strictly based on the 2006(!) opinion, you should obtain prior explicit consent, i.e. the email that you use to ask for consent should not be tracked. I believe if the authorities stick to this more than a decade old understanding when they start the enforcement of the GDPR, then it would spell the end of email tracking for all practical purposes (which, in my personal opinion, would not benefit the data subject as the feature can also enable salespeople to know when to NOT bother the data subject).

  • Michael Pimminger

    Thank you for that article!
    You wrote about specific triggers that can be automated when certain conditions are met – how can I implement those triggers in pipedrive?

    Thank you in advance.

    • Martin Ojala

      Hi Michael,
      The easiest way to automate certain functions that Pipedrive does not yet have is an integration called Zapier. Essentially, you could set up a filter in Pipedrive to identify the contacts you should delete (use update time, open deals count, etc. as conditions, as appropriate) and then when that condition is met, Zapier will perform an action either in Pipedrive or send you a notification through one of the many communications services supported by Zapier. Then you’ll know to look at the filter results in Pipedrive and delete them.

  • Jonas Kehrbaum

    How about the Google Drive Integration to store data? I love Google Drive and it has always been an issue. Any idea?

    • Martin Ojala

      Hi Jonas,
      Google Drive can be used (Google is Privacy Shield certified so that is one less hurdle) but the challenge with Google Drive is that it is so good at what it is designed to do – keeping all your data. From experience, people’s Google Drive accounts quickly get cluttered and packed with all sorts of old/outdated files that are actually no longer necessary. As the tool keeps most data by default and, to my knowledge, does not have any automations for privacy compliance, it is likely a matter of having internal procedures in place to regularly clean up the accounts.

  • Jørn Olsen

    Hi, We have sometimes been using the analytics part of pipedrive when sending a proposal. I guess this is something that is not legal to use anymore? Pipedrive is not set up to ask for consent prior and sending an email to get consent to see how long people are reading different parts is strange with a potential client. Any comments?

    • Martin Ojala

      Hi Jørn,
      I guess you are also referring to the email tracking feature discussed above with Erik and newton1977 – it is a complicated issue as you can see from my explanation above. I also believe that sending an email just to ask for consent will be awkward. If consent is to be asked, then it should already be done when you are collecting the data, e.g. if you’re using Pipedrive’s Web Forms, then you can create a custom multiple option field where the people filling the form can tick the actions they consent to (one of which could be email tracking).

  • The what to do with your customer data is the easy part. It’s all the reporting compliance, classification of the org and types of consent required that’s the challenge. We know we should treat customer info as gold and it’s good to log consent. But GDPR requires you to select a classification for the type of data you’re collecting from ~10 classifications. It requires you to identify who’s a controller, processor and sub-processor of data and that must be part of the informed consent in most cases. Consent must be explicit and opt-in in most cases, depending on the classification. No individual tool or product can solve GDPR compliance. I’m glad Pipedrive is making this work within but it’s just one piece of a complex customer data puzzle most modern businesses have.

  • Steven Segaert

    Hi Martin! Under the new rules, it seems we would need to have a Data Processing Agreement with your company. Will you make something available?

    • Martin Ojala

      Hi Steven,

      We have recently updated our Terms of Service and Privacy Policy in order to make sure that these cover all GDPR requirements. One of the most important motivations for the update was to have the Terms of Service include everything that the GDPR stipulates for data processing agreements (in particular the requirements of Article 28 (3)). Also, according to GDPR Article 28 (9), this agreement can be in electronic form (the only requirement is that it is in writing, i.e. not oral).

      For the sake of clarity, I’ll also point out that Article 28 (3) does not require the contract to be specifically signed but rather stipulates that the contract must be binding. Our Terms of Service are binding upon Pipedrive and its users as stipulated in the first paragraphs of the document. As such, the Terms of Service (incorporating the Privacy Policy by reference) constitute the data processing agreement for the purposes of the GDPR and there should be no need to sign an additional data processing agreement.

      I hope this clarifies things. Let me know if you have any further questions.

  • Tristan Griffiths

    Thank you so much for sharing this – very valuable, and useful.

  • Norman Younger

    The DMA has given guidelines and it covers existing lists. My understanding from this is that an existing list that people have received several emails from over time demonstrates some sort of relationship allowing you to continue without them specifically opting in. What do you say to this?

    • Alexander Diatlov

      It’s a good question. @martinojala it is not really clear what to do with existing sales databases. Basically, these are potential clients which we reached out to before and have some relationship with. Can we continue to send them emails and product updates?