
New Customer Acquisition in the Age of GDPR

The GDPR, the EU’s General Data Protection Regulation, has been in force for all EU citizens since 25 May 2018. The two-year implementation period was an intense process for entrepreneurs examining personal data. Lead generation and GDPR is a complex topic and needs lots of attention.

It takes a good compliance strategy to integrate the new data protection law into your company without risking penalties. It is therefore recommended to incorporate the requirements continually into every business process, including customer acquisition, in line with GDPR principles.

In this article, you’ll learn how to do it the easy way. Besides, you will receive a compact overview of changes and helpful hands-on tips.

Lead generation and GDPR: Caution when Handling Data

Since 25 May 2018 at the latest, every company – be it a large enterprise or a start-up, a B2B or B2C – must deal with the new EU regulation on the protection of personal data of EU citizens, the General Data Protection Regulation.

Why? 

  • The new regulation strengthens the privacy rights of consumers concerning their personal data.
  • Personal data are, e.g. the name, birth date, place of birth and residence, employer, religious affiliation, contact data, address, credit card and passport number, IP addresses, location data, cookies. 
  • Data protection now applies to the smallest areas; company size does not matter: every business that processes personal data is affected. 

Here is why: 

  • The GDPR requires that companies handle personal data transparently and securely at all times. 

Hence, it does not matter where a company is located. Not just companies operating within the EU have to apply the GDPR. All organizations that process data from EU citizens are accountable for them. 

What the Data Protection Regulation Entails

Do you frequently organize raffles or send emails to people who have not yet registered with your company?

Until now, it was easy to collect and use this data. 

Previously, silence and inaction of customers were considered tacit consent. Thanks to the GDPR, this is no longer the case. 

Still unsure to what extent the GDPR is relevant for you? Put the following questions to yourself: 

  • Have you used purchased mailing lists previously?
  • Have you habitually added business card contacts to your mailing lists?
  • Have you ever asked existing customers for recommendations? 

If any of the answers are “yes”, then you should familiarize yourself – in addition to the amendments – with the legal basis of the GDPR. You will find them at the end of this post. 

GDPR in the Context of Customer Acquisition

In this part, we will focus on the practical application of the GDPR for customer acquisition. 

Put simply:

  • Every work step involved with customers and suppliers must be re-evaluated in the light of the new data protection regulation.
  • Thorough attention must be paid to ensuring that every partner in your company will be informed of their rights when transferring personal data.
  • Evidence of this must be provided when required.

This has implications for various areas of your B2B outbound lead generation. The GDPR applies to all types of direct advertising, be it emails, brochures, catalogs, sales calls or product samples, as well as to data research and storage.

How the GDPR is Changing Customer Acquisition

Data collection & obtaining approvals 

Typically, you obtain a person’s consent by using a web form, a link to your privacy policy, and a follow-up email. 

The GDPR enables customers to exercise their right to receive information at any time about the type of data collection, its purpose and intended use. 

Individuals may also request unrestricted information on the purpose and retention period of the storage of their data (see Article 13 and Article 14).

  • From the time of capture, you have 30 days to explicitly inform the person of your best practice and to explain your reasons. 

If a person responds to your confirmation and requests that you delete the data, you must do so immediately. 

However, you may still keep some anonymized data so that it will no longer be possible to approach the contact in the future.

Sounds easier than it is.

In some cases, you are obliged by law to retain certain personal data even though this person has asked you to delete his or her data.

In such cases, you need to inform the individual that you are required by law to retain this information. Always state the reasons for this.

You must not send any advertising to this person (unless the person has explicitly agreed).

  • Also, in this case, document the person’s consent. Well-documented consent is the foundation for your compliance with the GDPR.

Data Processing under the GDPR

Of course, if a potential customer has agreed to the data processing, you want to utilize the data. In light of the GDPR, this means that you must check the processing of these data.

Example: A potential customer calls your company and asks for a free version of your software. You then send him some emails to help him get started.

This is no longer permitted since May 2018. You will risk a fine for doing so.

This is how you avoid fines:

  • Inform the prospect that you have saved his or her email address.
  • Make sure that the person concerned actively agrees or subscribes to a mailing list.
  • After a phone call, send a follow-up email. You will find more details in the following section.

Pitfalls: How Exactly Does Customer Acquisition Change with the GDPR?

In 2017, the Data Protection Conference, the independent data protection authority of the federal government, confirmed in a short paper that direct advertising is only possible if the addressee agrees to the measures.

Once you have obtained this consent, you can safely start the acquisition process. Without this consent, however, your hands are tied.

For most companies, it is common to use the data available to the organization. Direct advertising is, therefore, still permitted in most circumstances. But if you want to be on the safe side, ask your respective business partner to agree to your advertising measures.

  • You may want to consult a lawyer to determine whether direct advertising is permitted in an individual case.

When dealing with private consumers, section 7 of the German Unfair Competition Act (UWG) still applies. If you want to make telephone calls or send fax, email or SMS advertising, you must obtain the consent of the consumer.

Section 7 (UWG) governs the exceptions to this rule. Your lawyer will assess whether you can use them for your communication.

Email Acquisition in the Age of the GDPR

Under no circumstances should you send automated, unsolicited emails to potential customers.

However, you may send individual emails if there is a legitimate interest. We recommend that you attach a link to your privacy policy to such an email. You should also state the reason why you are contacting the prospect.

Another way to properly acquire emails is to use a “keep me informed” button on the website. You should also use a double opt-in form in your newsletter registration process. Thirdly, there must be traceable records of the agreement.

Any pre-checked boxes or similar procedures that do not require active action by the potential client are not permitted.

  • To do: Include checkboxes into your form.

Telephone Acquisition in the Age of GDPR

You may still perform cold calling, as it does not fall under the GDPR.

However: You should explicitly ask for permission before saving the data of an interested party in your system.

  • Check on the phone if the potential customer would like to receive your newsletter.
  • Immediately email the link to the newsletter subscription (so you meet the double opt-in requirement).
  • The mail should mention why you called the customer, what you agreed to do, and why you sent the email.

By doing so, you are protecting yourself from all sides. It is not always easy to document phone calls unless they are recorded. With the procedure mentioned above, however, you can bypass this hurdle.

Some special rules apply to telephone calls in general.

  • If you wish to contact a private individual in the future, you must always obtain explicit consent.
  • When making sales calls, never suppress your phone number. If you violate this rule, you may be fined up to €10,000.
  • If you do not adhere to the overall guidelines, you could be fined up to €300,000.

The situation is different for traders: here, you only need a presumed consent. From experience, it can be assumed that you will receive the permission.

  • As you know, in online marketing, you obtain the necessary consent through a double opt-in form.
  • You cannot use this procedure for telephone advertising.

Why?

This method cannot ensure that the owner of the telephone number and the email addressee are the same person. A scammer could give you a phone number that belongs to another person.

Networking: Lead Generation under the GDPR

Those who sell go to trade fairs and events. There, the ambitious salesman collects business cards and contact data. Previously, it was hassle-free to add the collected contact data to the mailing lists and start advertising.

This is no longer permitted under the GDPR.

What you’re allowed to do:

To send a targeted email or make a call to an individual contact. The exchange of a business card is a legitimate interest in maintaining contact.

It’s going to be difficult here:

Suppose a friend of yours asks you to contact another entrepreneur because he needs your help. In the age of the GDPR, you can no longer contact this person by telephone acquisition, but only when you have received a written declaration of consent from the potential customer. This must state clearly that you may call him for advertising purposes.

Contact via Social Media

If you have acquired customers and recruited staff through LinkedIn so far, you may continue to do so. The GDPR does not prevent you from contacting potential customers.

The good news is that LinkedIn and Xing provide you with handy copy and paste templates for all your contact requests. After a successful initial contact, you may obtain consent for sending a newsletter and maintaining communication.

Please be careful: In case of doubt, you must be able to prove that you have received this permission from the potential customer. As in all other cases, “documentation” is key.

What Happens to the Data that You Have Already Collected?

The GDPR contains the “right to be forgotten”. If a customer requests it, every company is obliged to delete already stored data.

  • Make sure that you make it easy for the customer to unsubscribe from your newsletters.
  • Under the GDPR, your contacts may request a copy of any personal data you have stored about them.

At any time, they may request you to correct or delete this information.

It is best to set up a procedure with which you can automatically meet such demands.

Interim Conclusion: Lead Generation and GDPR

If you still want to win new customers, remember the following checklist:

Private individuals: For fax, email, telephone and SMS advertising, prior consent is required. The legal basis has, therefore, not changed.

Companies: In this case, the presumed consent, according to Article 6 GDPR, is sufficient.

Email and online marketing: Protect yourself with a double opt-in form. Every email program offers this procedure.

Phone advertising: Obtain express permission to store the data of a private person. Commercial calls are based on “legitimate interest”.

Section 7 (UWG) includes exceptions to this rule, and if an existing customer has given you consent through an earlier purchase, you may also promote similar products.

Lead generation and GDPR Best Practice: How to Avoid Violations of Data Protection Laws

Are there any situations in which you can waive a consent?

Suppose you want to send your new brochure to an existing customer. Because the customer is already in your database, you assume that the customer agrees.

Remember: In principle, nothing works without consent in matters of direct advertising.

However, the situation is slightly different for existing customers: As an entrepreneur, you may continue to offer him similar services and goods without having to obtain additional consent.

Practice shows, though, that the courts handle this exception rigorously. Hence, we recommend that you contact a lawyer in case of doubt to clarify the matter.

Train correctly, avoid mistakes

Think about how you can train your sales staff to rule out legal violations. If in doubt, seek expert advice and organize in-company training.

The GDPR is founded on these legal principles

The following laws still govern direct promotional activities via telephone and email advertising:

  • German Civil Code (BGB)
  • Telecommunications Act (TKG)
  • Unfair Competition Act (UWG)
  • Federal Data Protection Act (BDSG)
  • General Data Protection Regulation (GDPR)

Here you will find an overview of the legal basis of the GDPR. They are divided into six areas that you should know.

Legal basis of the GDPR:

  1. Legal obligations and compliance with statutory regulations
  2. Agreements
  3. (Vital) interests
  4. Acting in the public interest or under official authority
  5. Legitimate interests
  6. Consent of data subjects

1. Legal obligations and compliance with statutory regulations

The strictest, most accurate and ideal legal basis for the processing of the data controller is the existence of at least one lawful provision (Article 6(1)).

We can name many examples of this legal basis: 

  • Employment records
  • Accident reports for patient records 
  • Health and safety records
  • Etc.

2. Lead generation and GDPR: Agreements

One example is the processing of credit card information so that the customer can make a payment.

If, e.g. your customer requests service or product information by email or via social network, processing that customer’s personal information is permitted in order to answer her question.

3. (Vital) interests

“Vital interests” only refer to situations involving life-threatening emergencies. This category includes emergency services that receive a list of names and ages based on an emergency call.

It is permissible to process these data if a person is in critical condition. You can extend this requirement to affiliated persons, such as children or parents.

4. Acting in the public interest or under official authority

Example: the electoral register of a political party. This subsection covers that a party may be permitted to maintain a copy of the data.

5. Lead generation and GDPR: Legitimate interests

These cases are less clear. Legitimate interests allow you to develop a legal basis if you cannot identify the categories.

This includes procedures designed to prevent fraud and involving the transfer of data to other companies or entities of the contractor. Such is the case where there is a central body for internal administrative purposes. This case applies to customers or employees.

Based on this justification, you can process data without having to obtain the consent of the data subject. However, this only applies in situations where you do not endanger the rights, freedoms or interests of the data subject because it is in your interest.

To compare these potentially conflicting interests, you need to perform an “evaluation test”.

6. Consent of data subjects

This legal basis must always reflect the interest of the data subject:

Consumer consent is a prerequisite. As the data controller, you must prove that you have been permitted to process the data. You must record this.

This legal basis is particularly important for customer acquisition under the GDPR because it covers the collection of a person’s contact data for marketing purposes, such as email newsletters.

The GDPR stipulates the circumstances under which this permit is valid and how it can be administered. Besides, the person concerned is allowed to withdraw this consent at any time and without considerable effort.

Interim conclusion:

For each of the six basic principles, a legally sound and transparently communicated processing standard is compulsory.

7. Short FAQ on GDPR

Lead generation and GDPR: What about cookies?

According to the GDPR, you must inform your website visitors that you use cookies. Make sure that you use the language your users understand. You could, for example, place different banners for two languages at different places on your website.

Point out that you record the surfing behavior with cookies. Users must give their consent to it.

Is cold calling still allowed?

In many cases, cold calling is still possible. It is crucial that you obtain the express permission of the persons concerned. If you do not have this consent for data storage, telephone acquisition is not permitted.

Do other laws expire due to the GDPR?

In advertising, sanctions of the GDPR prevent the application of parts of the Federal Data Protection Act (BDSG). However, most of the previous sections of earlier legislation are still valid.

How do I handle social media?

For the end-user of social media platforms, nothing changes at the moment. Platform providers themselves must, however, update their terms of use and actively request consents.

Lead generation and GDPR: What if a contract already exists? Can I just contact the customer?

The tying of measures is illegal. You are not permitted to conclude a joint contract with permission for data processing. In this way, you would force the consent of your contracting partner. The prohibition of tying shall revoke any consent.

Can I send new advertising materials to an existing customer?

If your current customers already appreciate your advertising efforts, you may continue to send them materials about similar products and services. Make sure, however, that your advertising complies with the GDPR. 

What does the GDPR mean for picture material?

By operation of law, nothing has changed significantly as a result of the GDPR. As before, you always need the prior consent of the person you are photographing.

Photos and videos that you want to use for private purposes do not represent an obstacle.

However, we advise Instagrammers, YouTubers and bloggers who photograph strangers to be more cautious here in the future.

Those who want to be sure always obtain the permission of the persons concerned.

Conclusion: Lead generation and GDPR

Since 25 May 2018 at the latest, the GDPR requires a new approach to data protection. The GDPR intends to encourage companies to only contact individuals who wish to have an explicit relationship with your company.

No longer may you assume that you have permission to send campaigns simply because you have discovered an email address.

This must be done before each new data entry:

  • Phrase each request for consent unequivocally.
  • Explain explicitly how you will use customer data and how long it will be stored.
  • Define a process.

Opt-in procedures and subscription management tools are readily available, providing you assistance.

These changes are not popular with all companies. Small companies, in particular, fear legal consequences. The GDPR is merely concerned with protecting consumer data and giving more weight to European fundamental data protection rights. Companies making money with user data need to protect it and manage it properly. To do so, the customer’s consent is required. Those who fail will be severely penalized and held accountable.

Image source: https://commons.wikimedia.org/wiki/File:Gdpr_Europe.jpg

Disclaimer: This article is only for non-binding information purposes and does not constitute legal advice.

Tags: DSGVO, GDPR

July 23, 2019 - 8:59 am
