This article addresses the impact of the European General Data Protection Regulation (GDPR) legislation on B2B marketing and sales, after it became enforceable in mid-2018. The European GDPR was developed in recognition of the need for more stringent regulations to protect the data security and privacy of citizens. This legislation imposes obligations and requirements on companies that collect consumer data in the European area.
Sales teams are one of the groups most affected by this regulation. In most B2B sales and marketing, personal data is key to reaching the right people at the right time. B2B data is used every day by large organizations that rely on outbound sales to grow.
Personal data includes anything that makes someone identifiable from the data the companies hold, including (but not limited to):
- Phone number
- Personal ID numbers
- IP address
- Biometric information
How the GDPR impacts B2B sales
The GDPR applies to the examples of personal data listed above. Companies can still market relevant services to individuals within a business, as long as they allow recipients to opt out. Before sending that first cold email, a company will need to verify that it is allowed to contact the recipient under the GDPR. In fact, Article 6 of the GDPR establishes that companies need a “lawful basis” in order to process personal data.
There are six ways for a company to establish a lawful basis to process someone’s personal data and then contact them in the outbound sales process:
- Consent: The individual has given permission to the company to process their personal data for a specific purpose.
- Contract: The processing of an individual’s data must be related to the terms of the contract the company has with the individual, because they have asked the company to take specific steps before entering into said contract.
- Legal obligation: The processing is necessary for the company to comply with the law (not including contractual obligations).
- Vital interests: The processing is necessary to protect someone’s life.
- Public task: The processing is fundamental for the company to perform a task in the public interest or for its official functions (any task or function that has a clear basis in law).
- Legitimate interest: The processing is necessary for the company’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
So, if a company had a booth at a trade show and gained consent to email prospects via a sign-up form, it is good to go because that would fall under Consent. Clearly, most sales teams won’t have a lawful basis to contact people via Contract, Legal obligation, Vital interests, or Public task. Luckily, Legitimate interest means sales teams can still establish a lawful basis for cold outreach. Legitimate interest means that they are processing someone’s personal data because that person will care about why the company is contacting them. For B2B sales teams, this legitimate interest should already be well established, since they know what kind of customer usually buys from them.
Let’s look at a quick example of legitimate interest in practice: If the best customers of a company (i.e. those who get the most value from its product or service) are Human Resource Managers within FMCG companies, then asking its sales team to reach out to HR Managers at FMCG companies who aren’t yet customers is allowed. The company can establish that there is a legitimate interest due to similarity with its existing customers. The company must simply allow them to easily opt out. So, the GDPR doesn’t put an end to using B2B data for outbound sales. But it means that sales teams need to ensure they’re emailing the right people, with a specific message that those contacts will be interested in learning.
Fines and penalties for GDPR non-compliance
Companies need to make sure that their sales process is GDPR compliant because the penalties for violating it can be quite severe.
The most egregious breaches of the GDPR can incur fines up to the greater of:
- 20 million Euros
- 4% of the firm’s global turnover
Less severe violations will still be punished quite harshly. For these, a company should expect to pay up to the greater of:
- 10 million Euros
- 2% of the firm’s global turnover
There’s also a reputational cost of GDPR non-compliance. Consumers are becoming increasingly aware of the data collection habits of corporations. If a company fails to comply with laws designed to protect consumers, it could quickly develop a poor reputation, which could damage sales as a consequence.
Best practices for B2B marketing that comply with the GDPR
The European GDPR has brought many changes to how companies can market their products and services. In order to be compliant, any company can adopt the following best practices:
- Audit the mailing list: Make sure that the data the company holds meets all GDPR requirements. If a company started building its mailing list before the GDPR was instituted, it may need to delete a sizable portion of the list.
- Review data collection practices: Any company needs to make sure that all of its strategies align with the GDPR’s requirements.
- Add new ways for site visitors to provide their consent: Make sure the company has explicit consent before collecting and utilizing B2B data.
- Educate sales and marketing teams: Following the requirements of the GDPR at a managerial level is a good first step, but it is also necessary that the relevant teams are aware of the requirements of this legislation. They may need to change some of their practices to ensure compliance.
- Update privacy statements: The GDPR has instituted specific requirements that all companies need to include in their privacy statements.