Understanding GDPR: Consent vs. Legitimate Interest and What It Means For ABM
There’s been a lot of fear-mongering around GDPR lately. And it’s understandable – there’s no doubt that GDPR can threaten organizations that aren’t ready for it. That’s why many companies are investing huge sums of money to prepare.
However, smart marketing teams are facing GDPR with a different purpose: not simply to avoid the fall-out of non-compliance with the new regulation, but to prepare their organizations for the inevitable transformation from old batch-and-blast practices to complete permission-based marketing. In fact, many teams are already headed in this direction using Account Based Marketing (ABM) strategies. This is the right move because GDPR simply marks the beginning of a global trend toward customer-controlled data.
GDPR isn’t the “end all, be all” of data privacy regulations
The number of countries with data privacy and electronic marketing regulations in place is growing quickly – and most regulations carry stiff penalties for violations. GDPR is simply one, albeit huge, wave among a rapidly developing set of data privacy regulations. More are sure to follow around the world. It’s wise to see GDPR as an opportunity to develop more precise, efficient demand generation practices, rather than simply creating quick-fix patches that will only apply to this specific EU regulation. At its core, ABM relies on the same type of precision and efficiency that GDPR requires.
Defining personal data
Organizations must understand the definition of personal data in every jurisdiction they target with their marketing communications and engagement activities.
Notice the drastic extent to which the definitions of personal data differ between the US and EU:
6 lawful bases for processing personal data, and the 2 that matter
There are 6 “Lawful Bases” by which organizations can acquire and process personal data. However, only two of them will typically affect B2B marketing efforts: consent and legitimate interest.
Consent should become the “best practice” for acquiring personal data of EU individuals. This largely means requiring contacts to opt into specific uses of their personal data. Consent should be given by:
a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
Notice that “an oral statement” (i.e., a verbal agreement) constitutes consent and is thereby compliant. However, you’ll need to be able to document compliance, which isn’t easy to do with an oral statement. That’s why it’s recommended to send confirmation emails after an oral statement received during a trade show or by a sales rep. Yes, you read that right. And no, getting their business card doesn’t count as a record of consent either.
In certain cases, B2B marketers will want to rely on legitimate interest as their lawful basis to process personal data. This legal basis assumes,
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Julian Archer, Sr. Research Director at SiriusDecisions, and I have had numerous conversations around this topic and agree that the incorrect use of legitimate interest is likely to get many marketers in trouble.
Acquiring personal data and using it to email contacts because it’s in your company’s interest to generate demand and you think these contacts would be interested in your product or services does not constitute legitimate interest.
Here’s an example of where a company could rely on legitimate interest as a lawful basis for processing data: Say an individual applies for a credit card, but before issuing the card, the credit card company needs to check the individual’s credit by sending the individual’s data to a third-party credit-checking agency. This would qualify as legitimate interest because the individual’s requested service (gaining a line of credit) couldn’t occur without it. Hence the card company doesn’t need to ask for consent, though they should notify the individual that this type of personal data processing will occur.
This is a very specific scenario, and you may find your company in similar situations. However, it’s best to speak to your in-house or external legal counsel about what constitutes legitimate interest for your specific purposes. The safest bet is setting up processes by which gaining consent is your go-to lawful basis for processing personal data.
Applying Consent to Your Account-Based Marketing Efforts
If you’re far from GDPR-ready, you’re not alone
During a recent webinar with SiriusDecisions, we took a couple polls. The webinar had nearly 400 individuals tuned in, so this is a fairly good sample size.
This first poll question inquired into the current level of GDPR preparedness among participants. We found that most were pretty far from compliant.
Events – With events, it’s going to be very easy for you and sales to get oral consent for follow-up communication. The challenge is in proving consent through documentation, as mentioned above, which won’t be easy. Your best bet for compliance and showing consent is sending out an opt-in confirmation email to contacts that were generated at events. Another option would be to collect written or digital opt-in on site. Also, check with the event organizer – some events do obtain opt-in/opt-out from all attendees in advance, and might be able to provide documentation for you.
Account build-out – One of the good things about ABM is that GDPR doesn’t restrict you from acquiring and processing company data – you can gather all the data you need to hone your account list down to effective targets. However, strict opt-in requirements for EU individuals mean it’ll no longer be permissible to scrape LinkedIn or other data tools for additional contacts at your target accounts. You’ll need a way to secure their opt-in before you start engaging them with marketing or sales outreach. This makes value-add landing pages a critical necessity for your inbound marketing strategy (just make sure you include a country field and remove any pre-checked boxes). Third-party lead gen is another great option, but comes with its own set of considerations…
Third-party lead gen – This pertains to any external channel that’s generating leads for your team. Such lead sources and media partners are getting very good at targeting prospects at specific accounts, so this is a valuable channel for many B2B marketing teams looking to scale their account-based strategies. Your vigilance over this channel, however, is key. If a third party is generating leads on your behalf, you’re still liable for their non-compliance. So, it’s important that you start having discussions with all your lead providers as soon as possible; inquire into their GDPR preparedness, ask when they’ll be ready, and then have legal write up an agreement to be signed by the third party, stating that they’re GDPR-compliant. It will also be imperative to thoroughly review the language, forms, landing pages, etc. – anything they’re using to generate leads for you – and make sure consent language conforms. Lastly, make sure the way they send you the data is compliant; un-encrypted Excel spreadsheets are non-compliant, encrypted lead files are acceptable, secure connections are the best. If this sounds impossible, see if your software can help.
Direct Mail – Similar opt-in and opt-out rules apply to direct mail. Ever seen a mail piece with clear direction on how to opt-out of future mail? Me neither. Luckily, it’s fairly easy to get people to opt into receiving exciting mail, so hopefully you only need to ask once. Managing the contact data and opt-in is probably more logistically challenging – and don’t forget to ensure your vendor processing the shipments is compliant in handling your data too.
GDPR Is Just As Much Opportunity As Threat
Rather than treating GDPR as a one-off situation to deal with, seeing it as a catalyst to prepare for marketing’s inevitable evolution toward permission-based prospect engagement will give your organization a major leg-up going forward.
Some of the wisest B2B marketing experts I know keep reiterating one very important point: GDPR, while causing some stress now, will lead to more efficient and effective marketing and sales down the road. Creating and executing a comprehensive and detailed account-based strategy will only help you in your journey toward GDPR-compliance.
If you want to learn more about how to use GDPR to your organization’s advantage, be sure to register for the upcoming Engagio and Integrate webinar, “Don’t Let GDPR Disrupt Your Pipeline – Get Proactive with ABM.”