All things GDPR with DataGrail’s Daniel Barber

Collin Stewart, CEO
1 June 2018
If you’re selling to the European Union – or plan to one day, once you conquer the United States – there’s a good chance your thoughts are consumed with these four letters right now: GDPR.

What is it? Can I still prospect to the EU? Will I get in trouble? How do I protect my business?

To be fair, the implementation of GDPR (formally the General Data Protection Regulation) is a substantial change to how personal data is shared, held, and used. As a result, your fine-tuned sales and marketing teams, the departments tasked with keeping the lights on, will need to alter some of their processes. So, it’s understandable if this new regulation has got you wondering (worrying?) about the changes your company will need to undergo.

But, according to Daniel Barber, CEO and Co-Founder of Bay Area-based compliance firm DataGrail, GDPR legislation shouldn’t be looked at as a nuisance or a hurdle impeding your success.

GDPR is being put in place to protect people’s data, and their privacy. That motive should be respected.

“GDPR does provide increased transparency for how your data is used. And that is a good thing,” says Barber, on a recent edition of The Predictable Revenue Podcast.

“But, it does create some friction, and that is what we are seeing now.”

The basics

Like any sizeable piece of legislation, GDPR can seem daunting. But, due to the headline-grabbing privacy stories (cough, Facebook, cough) in the news this year, it shouldn’t be a surprise. GDPR is a logical extension of the heightened expectation society has regarding how businesses treat personal data. It was only a matter of time before new policy arrived.

Under GDPR regulations, any data that can identify someone is now considered personal data, and will require a business to disclose where that data was gleaned from, and obtain consent from an individual to use it.

(For example, the title “CEO of SAP,” even though it is readily available publicly, is considered personal data because it immediately identifies an individual).

Personal data now includes (amongst others examples):

Personal and corporate info (email address, office address, phone number etc.)
Employee info (title etc.)
IP address

So, what does that mean for the boots on the ground? How does GDPR affect for your day to day?

Simply put, GDPR will change how your business communicates with prospects based in the EU, both from an inbound and outbound perspective.

Generally speaking, high volume outbound teams have used data providers such as ZoomInfo to provide them with the contact information – email address, phone number, title etc. – of the prospects they wish to sell to. Using that as a foundation, SDRs have built tailored lists, and dropped those leads into a cadence to be worked.

As mentioned above, outbound teams reaching out to prospects in the EU will now need to disclose to those leads where they obtained their personal data within 30 days, as well as ask for their consent to be sold to. That disclosure can happen via email or over the phone.

“This isn’t legal advice, but I would advise you provide the disclosure in advance of putting someone in a sequence,” adds Barber.

“If you don’t ask in advance, you may annoy someone. So, doing that disclosure requirement upfront could help you out a lot.”

If a lead declines to be prospected to, you must remove them from your outbound cadence immediately, and ensure your marketing team removes that prospect from any marketing automation as well. That has huge ramifications for marketing teams – your company can’t try and get consent via other channels once outbound proves unsuccessful.

What’s more, if a person requests that you delete their information, you must remove their data from every system in your organization. That can be a big job – DocuSign, for example, uses 200 different tools for various processes. That person’s data cannot exist in any of them. An EU resident can also request that an organization make available to them every instance their data appears in their systems.

Companies have 30 days to comply with either request.

Organizations that host events or webinars can also no longer simply sell or make attendee lists available to other vendors. Hosts will have to obtain clear consent from the attendees that their information will be shared. The vendors that access that data will, again, have to disclose where they got the information from.

“So, I won’t name the name, but they are a leading consulting firm in the Bay Area. They hosted an event recently that I attended. And they shared my information. So, now I am being communicated with by all vendors – there is about 10 of them sending me emails. That will get you in a lot of trouble on both sides: the vendors and the consulting firm,” says Barber.

“So, the traditional method of getting a webinar list and emailing them, you will have to take extra steps there to be compliant. And, for good reason, right? I’m now getting emails from 10 different vendors because of that conference, and it is not a good experience.”

Data providers

Just as sales and marketing teams are expected to be compliant and gain consent when needed, according to GDPR rules, so too are data providers. And, thus far, that is proving difficult.

ZoomInfo, amongst the most well-known data providers, stopped maintaining its EU data set as of May 4. That’s because it was sourcing contact information from people’s email signatures, via their inbox. Extracting data using that method is not compliant with GDPR regulations.

And Barber suspects other data providers will soon follow suit.

“This is something we should expect to see from other data providers in the EU,” says Barber.

“That is largely because that the expectation is that those providers must explicitly provide where that information was collected from. That will be extremely challenging for them to provide that information in an explicit fashion.”

That said, outbound teams can continue to access ZoomInfo’s EU contacts. However, they must accept full legal responsibility for using that data and, if penalized, pay the substantial penalty that comes with it.

“ZoomInfo is just not maintaining their EU database. So, you can still use it. That is possible,” says Barber.

“But doing so comes with a huge caveat: The fines and penalties for non compliance are up to 4% of revenue or $20 million, whichever is greater. That is probably something people would not like to see.”

Legitimate interest

This is a grey area in GDPR legislation. The concept of legitimate interest revolves around a salesperson’s ability to reach out to a prospect if the prospect has indicated on a public forum that they are looking for a good or service the salesperson provides.

For instance, you frequent procurement boards and groups because you sell procurement software. And, sure enough, you read a post from a procurement officer saying they’re in the market for new software.

This would qualify as a legitimate business interest. Unfortunately, says Barber, GDPR legislation isn’t clear, yet, on how it plans to handle such a situation. There will be a “balancing test,” that, when drafted, will determine whether a salesperson is working within accepted parameters if they use that information to sell to you.

“That is an area I can’t provide context to yet. We don’t have it from the regulation,” says Barber.

“That specific point around the balancing test, has not been clearly stated by current regulators. That will provide clear information on that kind of situation. The idea is that you will be able to contact them.”

Social media

Thus far, we’ve discussed outbound prospecting only in terms of emails and phone calls. Of course, modern prospecting involves a host of different ways to reach out to leads. One particularly popular method is leveraging social media to connect with prospects.

Outbound teams routinely use LinkedIn InMails to send messages to people they aren’t connected with. In that case, Barber says, you should consult LinkedIn’s terms of service before proceeding. Twitter, on the other hand, requires someone to follow you back before you can send a direct message. That relationship may satisfy the basis for legitimate interest.

Both Twitter and Linkedin have recently updated their terms of service recently (as you may have noticed).

“I would imagine that there will be increased pressure on LinkedIn to update their terms of service again, as people move to LinkedIn because they can’t call or send over email,” says Barber.

“That will cause it’s own problems.”

For more on Barber’s best practices for correctly navigating GDPR, check out his recent chat on The Predictable Revenue Podcast.