The GDPR Checklist for Sales
Disclaimer: This article provides you with a GDPR checklist for sales. It is not legal advice. This article about the European General Data Protection Regulation (GDPR), applicable from May 25, 2018, is for informational purposes only.
Why is GDPR important in sales?
Especially in times when violations of data protection are being prosecuted and punished more intensively than ever before, this topic should by no means be taken lightly. For companies that focus on outbound sales – i.e., actively collect data – compliance with this basic regulation is very important.
This article serves as a checklist for outbound sales and informs you about the application rules of the General Data Protection Regulation.
GDPR Checklist for Sales: How exactly you should proceed in sales
Ask yourself the following question: Which of the following sales channels do you use?
- Email Marketing
- Social media (LinkedIn and co.)
- Cold calls
- Letter marketing
If you are already actively using one of these sales channels, you will find a handy list at the end of the article. It shows what you must consider.
Now let’s move to the do’s and don’ts of the respective niche.
GDPR checklist for sales via e-mail marketing
E-mail marketing is one of the most popular outbound sales activities. However, not everything that is technically possible is also allowed. First, you absolutely need the explicit consent of the potential customer.
The so-called “opt-in procedure” is usually used for this, i.e., a box that you can click to agree to receive the newsletter. It is important that the customer actively decides in favor of your advertising.
Furthermore, some information about you and your company must be provided alongside this checkbox:
- The identity of the sender
- The purpose of the data processing and the free right of withdrawal, which can be exercised at any time
This information should also be picked up and addressed in your privacy policy. According to Art. 7 Para. 2 of the GDPR, everything must be written in easily understandable language.
Finally, in the footer of your e-mail, you should offer the recipient the opportunity to unsubscribe from your newsletter and thus from your database. This goes hand in hand with the free right of withdrawal at any time.
GDPR checklist for sales via social networks
Social media distribution is on the rise. If you want to remain visible, you should use social networks. Even in the B2B sector, social media is one of the most sought-after sales channels today. Here, too, you must stay compliant with the GDPR.
Ensure anonymity
You are allowed to collect and use social media data if you keep it anonymous. You can also place ads on Facebook, Instagram, and Co. without having to worry about a breach of data protection. Facebook keeps all personal data anonymous. Ads are shown according to the target group, but no names are disclosed.
Agree to the appropriate data processing
On the other hand, you may not process any data if it leads from your homepage to your social networks. From a legal point of view, this already constitutes processing of personal data and requires consent, like e-mail distribution.
You can solve this issue with two clicks: the visitor first agrees to the appropriate data processing and only then connects to the social network.
GDPR checklist for outbound sales in cold calls
In the case of cold calling over the telephone, i.e., so-called cold calls, you must first and foremost distinguish whether you are calling private customers (B2C) or whether the acquisition is taking place in the business customer environment (B2B).
In the case of B2C contacts, the law generally prohibits calls without explicit consent. The same applies to all other sales platforms. You guessed it: for example, the e-mail channel but also SMS or WhatsApp.
In the B2B business area, you must also note that in addition to the GDPR, the law against unfair competition (UWG) also comes into play. Among other things, this law is intended to prevent harassment and unreasonable burden by the advertiser. This applies to all market participants, i.e., competitors and consumers as well as suppliers and buyers.
The so-called balancing of interests also applies here across all distribution channels.
If the person to be called has not given express consent to a call, you can assume presumed consent on their part. Here it is your responsibility or the responsibility of your company to keep the risk of an incorrect assessment as low as possible. You can ask yourself whether the person to be called expects a call from you or at least has a positive attitude towards it.
Is the form of acquisition customary in the industry?
There is also a clear interest, for example, if a producer absolutely needs a certain raw material that you produce for his production. Please note, however, that in such a case you may only use publicly accessible telephone numbers. Also think about whether the form of acquisition is customary in the industry or can at least be justified in this way. This can be of great use in the event of a dispute.
If you have observed all of this, according to the GDPR you are also subject to the information obligation for cold calling. Certain points in time must be observed here to make the procedure legally valid.
In theory, at the time of data collection, i.e., during the call, you must inform the person on the other end of the line about the collection and processing of their personal data.
This turns out to be difficult in practice, especially if the potential lead is not interested in your offer. This can be remedied by providing the information in close temporal connection with the call, provided you have an e-mail address or postal address.
In such a case, you can direct the person to a website or send them the information in an e-mail. Unfortunately, there are no better solutions here.
GDPR checklist for outbound sales for letter marketing
Postage stamping is associated with costs but has advantages. Sending advertising letters to customers or leads takes time and effort but offers the option of addressing them personally and is highly suitable for customer retention.
Studies have shown that the average conversion rate for postal mailings is 3.9 percent. A study by Optilyz on postal advertising in existing customer marketing shows a similar value at 3.7 percent.
Some companies are of the opinion that such letter marketing is always permissible; after all, you can just throw away the mail, right?
Unfortunately, it’s not quite that simple.
Keep this in mind according to the GDPR checklist for outbound sales
Basically, the address data of the potential leads must be collected properly. A balancing of interests must then take place. If the data subject has consented to being contacted by letter or similar, this balancing is of course no longer necessary. The relevant recital in the GDPR provides that the processing of personal data for the purpose of direct advertising can be regarded as serving a legitimate interest and can therefore be justified.
Distinguish between your own addresses and third-party addresses. Own addresses have been collected by your company and can be used for self-promotion, but also for third-party offers – so-called “friend advertising”.
The balancing of interests already mentioned also applies here, but it is anything but clear. In many cases, this is also publicly accessible address data, which offers additional scope for argumentative justification.
It is often the case that data is collected by third parties. This refers to external service providers – mostly agencies. It is also possible to purchase data from large data pools, often for a limited period. If such data transfer to third parties is the case, then legal permission is required. The service provider is strictly bound by instructions and should act without its own decision-making authority.
The information obligation
Finally, the said information obligations to protect the data subject also apply here. As with e-mail marketing, you must properly inform the recipient about the right to information, correction, deletion, and restriction as well as the right to object.
In addition, you must be explicitly named as an advertiser. Inform the recipient that the right to object also covers, and prevents, the disclosure of their data. This can be done using a multi-level approach, in which only the most important information is clearly displayed on the first level. You can then link to a website that contains more detailed information to make things easier to understand.
What you are allowed to do and what you should avoid – short and compact
Below is the quick GDPR checklist for outbound sales with the key points related to different sales methods.
What are you allowed to do? What should you avoid?
| Sales channel | Do’s | Don’ts |
| --- | --- | --- |
| E-mail marketing | Opt-in procedure | Automated use of data without consent |
| | Indication of your identity | Anonymous newsletters |
| | Indication of purpose of data processing | Unknown or misleading purpose of data processing |
| | Free right of withdrawal | Impossible to prevent the use of data |
| | Possibility to unsubscribe from the newsletter | |
| Social media | Manual research | Processing of data without consent |
| | Identification of leads based on visible data | Data processing in CRM software, for example purely based on personal data |
| | “Two-click consent” from homepage to social network | |
| Cold calls | Calling when the call is likely to have at least a positive reception | Spam or unreasonable frequency of calls |
| | Consider and use interest in calls that is customary in the industry | No explanation of the origin of personal data, etc. |
| | Release of information about personal data and their collection | No obviously justified assumption about the interest of the potential lead |
| | Compliance with the short deadline for the release of information | No explicit consent in B2C |
| Letter marketing | Proper data collection | Dubious data processing |
| | Weighing of interests with subsequent consideration | Newsletter spam or similar |
| | Own use of personal data as well as referrals | Data trading with third parties without consent and authorization |
| | Use of public addresses with honest weighing of interests | No information about the rights of the person concerned, such as the option to unsubscribe from the newsletter |
| | Transmission to service providers bound by instructions without decision-making authority | Lack of insight into the advertising purpose or the identity of the advertiser |
| | Information obligation: right to information, correction, deletion etc. | |
| | Multi-level approach for informational purposes | |
Bottom Line: Here’s what you can take away from this GDPR checklist for sales
A lot has changed since May 25, 2018. The General Data Protection Regulation has crept into the well-known distribution channels and made them more complicated.
This article has summarized the most important points for you so that you know exactly what to look out for in sales and marketing.
Just because you may now only act subject to a legitimate interest, you should not shy away from sales channels; instead, acquire knowledge and use it properly. This is much more effective than following leads at random.