The GDPR, the EU’s General Data Protection Regulation, has been in force for all EU citizens since 25 May 2018. The two-year implementation period was an intense process for entrepreneurs examining personal data. Lead generation and GDPR is a complex topic and needs lots of attention.
You need a good compliance strategy if you intend to integrate the new data protection law into your company without incurring penalties. It is therefore recommended to continually incorporate the requirements into every business process – including customer acquisition – in line with GDPR principles.
In this article, you’ll learn how to do it the easy way. Besides, you will receive a compact overview of changes and helpful hands-on tips.
Since 25 May 2018 at the latest, every company – be it a large enterprise or a start-up, a B2B or B2C – must deal with the new EU regulation on the protection of personal data of EU citizens, the General Data Protection Regulation.
Here is why:
Hence, it does not matter where a company is located. Not just companies operating within the EU have to apply the GDPR. All organizations that process data from EU citizens are accountable for them.
Do you frequently organize raffles or send emails to people who have not yet registered with your company?
Until now, it was easy to collect and use this data.
Previously, silence and inaction of customers were considered tacit consent. Thanks to the GDPR, this is no longer the case.
Still unsure to what extent the GDPR is relevant for you? Put the following questions to yourself:
If any of the answers are “yes”, then you should familiarize yourself – in addition to the amendments – with the legal basis of the GDPR. You will find them at the end of this post.
In this part, we will focus on the practical application of the GDPR for customer acquisition.
This has implications for various areas of your B2B outbound lead generation. The GDPR applies to all types of direct advertising, be it emails, brochures, catalogs, sales calls, product samples as well as data research and storage.
The GDPR enables customers to exercise their right to receive information at any time about the type of data collection, its purpose and intended use.
If a person responds to your confirmation and requests that you delete the data, you must do so immediately.
However, you may still keep some anonymized data so that it will no longer be possible to approach the contact in the future.
Sounds easier than it is.
In some cases, you are obliged by law to retain certain personal data even though this person has asked you to delete his or her data.
In such cases, you need to inform the individual that you are required by law to retain this information. Always state the reasons for this.
You must not send any advertising to this person (unless the person has explicitly agreed).
Of course, if a potential customer has agreed to the data processing, you want to utilize the data. In light of the GDPR, this means that you must check the processing of these data.
Example: A potential customer calls your company and asks for a free version of your software. You then send him some emails to help him get started.
This is no longer permitted since May 2018. You will risk a fine for doing so.
In this way, you avoid fines:
In 2017, the Data Protection Conference, the independent data protection authority of the federal government, confirmed in a short paper that direct advertising is only possible if the addressee agrees to the measures.
Once you have obtained this consent, you can safely start the acquisition process. Without this consent, however, your hands are tied.
For most companies, it is common to use the data available to the organization. Direct advertising is, therefore, still permitted in most circumstances. But if you want to be on the safe side, ask your respective business partner to agree to your advertising measures.
When dealing with private consumers, section 7 of the German Unfair Competition Act (UWG) still applies. If you want to make telephone calls or send fax, email or SMS advertising, you must obtain the consent of the consumer.
Section 7 (UWG) governs the exceptions to this rule. Your lawyer will assess whether you can use them for your communication.
Under no circumstances should you send automated, unsolicited emails to potential customers.
Another way to properly acquire emails is to use a “keep me informed” button on the website. You should also use a double opt-in form in your newsletter registration process. Thirdly, there must be traceable records of the agreement.
Any pre-checked boxes or similar procedures that do not require active action by the potential client are not permitted.
You may still perform cold calling, as it does not fall under the GDPR.
However: You should explicitly ask for permission before saving the data of an interested party in your system.
By doing so, you are protecting yourself from all sides. It is not always easy to document phone calls unless they are recorded. With the procedure mentioned above, however, you can bypass this hurdle.
Some special rules apply to telephone calls in general.
The situation is different for traders: here, you only need a presumed consent. From experience, it can be assumed that you will receive the permission.
This method cannot ensure that the owner of the telephone number and the email addressee are the same person. A scammer could give you a phone number that belongs to another person.
Those who sell go to trade fairs and events. There, the ambitious salesman collects business cards and contact data. Previously, it was hassle-free to add the collected contact data to the mailing lists and start advertising.
This is no longer permitted under the GDPR.
What you’re allowed to do:
To send a targeted email or make a call to an individual contact. The exchange of a business card is a legitimate interest in maintaining contact.
It’s going to be difficult here:
Suppose a friend of yours asks you to contact another entrepreneur because he needs your help. In the age of the GDPR, you can no longer contact this person by telephone acquisition, but only when you have received a written declaration of consent from the potential customer. This must state clearly that you may call him for advertising purposes.
If you have acquired customers and recruited staff through LinkedIn so far, you may continue to do so. The GDPR does not prevent you from contacting potential customers.
The good news is that LinkedIn and Xing provide you with handy copy and paste templates for all your contact requests. After a successful initial contact, you may obtain consent for sending a newsletter and maintaining communication.
Please be careful: In case of doubt, you must be able to prove that you have received this permission from the potential customer. As in all other cases, “documentation” is key.
The GDPR contains the “right to forget”. If a customer requests it, every company is obliged to delete already stored data.
At any time, they may request you to correct or delete this information.
It is best to set up a procedure with which you can automatically meet such demands.
If you still want to win new customers, remember the following checklist:
Private individuals: For fax, email, telephone and SMS advertising, prior consent is required. The legal basis has, therefore, not changed.
Companies: in this case, the presumed consent, according to Article 6 GDPR, is sufficient.
Email and online marketing: Protect yourself with a double opt-in form. Every email program offers this procedure.
Phone advertising: Obtain express permission to store the data of a private person. Commercial calls are based on “legitimate interest”.
Section 7 (UWG) includes exceptions to this rule, and if an existing customer has given you consent through an earlier purchase, you may also promote similar products.
Are there any situations in which you can waive a consent?
Suppose you want to send your new brochure to an existing customer. Because the customer is already in your database, you assume that the customer agrees.
Remember: In principle, nothing works without consent in matters of direct advertising.
However, the situation is slightly different for existing customers: As an entrepreneur, you may continue to offer him similar services and goods without having to obtain additional consent.
Practice shows, though, that the courts handle this exception rigorously. Hence, we recommend that you contact a lawyer in case of doubt to clarify the matter.
Train correctly, avoid mistakes
Think about how you can train your sales staff to rule out legal violations. If in doubt, seek expert advice and organize in-company training.
The following laws still govern direct promotional activities via telephone and email advertising:
Here you will find an overview of the legal basis of the GDPR. They are divided into six areas that you should know.
The strictest, most accurate and ideal legal basis for the processing of the data controller is the existence of at least one lawful provision (Article 6(1)).
We can name many examples of this legal basis:
One example is the processing of credit card information so that the customer can make a payment.
If, e.g. your customer requests service or product information by email or via social network, processing that customer’s personal information is permitted in order to answer her question.
“Vital interests” only refer to situations involving life-threatening emergencies. This category includes emergency services that receive a list of names and ages based on an emergency call.
It is permissible to process these data if a person is in critical condition. You can extend this requirement to affiliated persons, such as children or parents.
Example: the electoral register of a political party. This subsection covers that a party may be permitted to maintain a copy of the data.
These cases are less clear. Legitimate interests allow you to develop a legal basis if you cannot identify the categories.
This includes procedures designed to prevent fraud and involving the transfer of data to other companies or entities of the contractor. Such is the case where there is a central body for internal administrative purposes. This case applies to customers or employees.
Based on this justification, you can process data without having to obtain the consent of the data subject. However, this only applies in situations where you do not endanger the rights, freedoms or interests of the data subject because it is in your interest.
To compare these potentially conflicting interests, you need to perform an “evaluation test”.
This legal basis must always reflect the interest of the data subject:
Consumer consent is a prerequisite. As the data controller, you must prove that you have been permitted to process the data. You must record this.
This legal basis is particularly important for customer acquisition under the GDPR because it covers the collection of a person’s contact data for marketing purposes, such as email newsletters.
The GDPR stipulates the circumstances under which this permit is valid and how it can be administered. Besides, the person concerned is allowed to withdraw this consent at any time and without considerable effort.
For each of the six basic principles, a legally sound and transparently communicated processing standard is compulsory.
Point out that you record the surfing behavior with cookies. Users must give their consent to it.
In many cases, cold calling is still possible. It is crucial that you obtain the express permission of the persons concerned. If you do not have this consent for data storage, telephone acquisition is not permitted.
In advertising, sanctions of the GDPR prevent the application of parts of the Federal Data Protection Act (BDSG). However, most of the previous sections of earlier legislation are still valid.
The tying of measures is illegal. You are not permitted to conclude a joint contract with permission for data processing. In this way, you would force the consent of your contracting partner. The prohibition of tying shall revoke any consent.
If your current customers already appreciate your advertising efforts, you may continue to send them materials about similar products and services. Make sure, however, that your advertising complies with the GDPR.
By operation of law, nothing has changed significantly as a result of the GDPR. As before, you always need the prior consent of the person you are photographing.
Photos and videos that you want to use for private purposes do not represent an obstacle.
However, we advise Instagrammers, YouTubers and bloggers who photograph strangers to be more cautious here in the future.
Those who want to be sure always obtain the permission of the persons concerned.
Since 25 May 2018 at the latest, the GDPR requires a new approach to data protection. The GDPR intends to encourage companies to only contact individuals who wish to have an explicit relationship with your company.
No longer may you assume that you have permission to send campaigns simply because you have discovered an email address.
This must be done before each new data entry:
Opt-in procedures and subscription management tools are readily available, providing you assistance.
These changes are not popular with all companies. Small companies, in particular, fear legal consequences. The GDPR is merely concerned with protecting consumer data and giving more weight to European fundamental data protection rights. Companies making money with user data need to protect it and manage it properly. To do so, the customer’s consent is required. Those who fail will be severely penalized and held accountable.
Image source: https://commons.wikimedia.org/wiki/File:Gdpr_Europe.jpg
Disclaimer: This article is only for non-binding information purposes and does not constitute legal advice.