The GDPR rolled out in May of 2018, riding in on a tsunami of compliance solutions designed to help companies avoid some pretty scary fines and penalties should they fail to protect their European customers’ data appropriately. And the penalties are significant. At the top of the scale, they can be in the range of $20 million, which for most companies would represent a major setback.
Sounds scary, right?
In truth, the GDPR is not all that terrible. Compliance with the legislation can actually help you improve your IT and your data security. The only companies that may have been against the wall would be those that had not completed any kind of digital transformation.
At almost a year in, the dust has finally settled. If managed appropriately, the GDPR is not much scarier than a sock puppet.
Still not entirely clear on what the GDPR is and why you should care? Read on.
What is the GDPR?
The GDPR (General Data Protection Regulation) is a data protection law of the European Union (EU) that applies to any company that does business with EU citizens. It replaces earlier data protection laws, which were handed down in 1995 – an eternity ago, in terms of what IT is today.
Since it applies to EU citizens and companies, this means that if you do business with ANY citizen of the EU, you have to follow these rules. Hotels, anybody in tourism, global e-commerce – if you have even one customer that is an EU citizen, you must comply.
The purpose of the GDPR is to protect the data of EU citizens, and it sets out very specific rules for organizations that collect, process, and otherwise leverage personal data. This data can include payment card information, but it also includes names, addresses, phone numbers, contact information, or any kind of personal data that you might have occasion to collect in the course of doing business. In short, ANY type of personal data, even emails or phone messages, is at issue.
If you do business with EU citizens, the GDPR will most definitely have an impact on you. If you are in the realm of sales and you have occasion to do some cold calling, this should be of particular interest to you, and that’s what this post is all about.
GDPR compliance: what you need to know
If you use a cold-calling strategy in your business, there are still perfectly legal ways you can leverage personal data to get the job done. In order to comply with the GDPR, one of the following situations (found in article 6(1) of the GDPR) must apply:
A. The individual or entity has consented to the processing of their data for one or more purposes. This is pretty straightforward. If the person is okay with you processing their data, you’ve got the green light. It is fairly specific, however, in that if the person only consents to receive emails, you can’t call them on the phone. You need to obtain explicit consent for the activities you want to conduct.
B. Processing the customer’s data is required to perform a contract the data subject has agreed to, or is needed before entering into that contract.
C. Processing the customer’s data is required to comply with a legal agreement the subject has entered into.
D. Processing is required to protect the interests of the data subject or another EU citizen.
E. Processing is required to perform a task that is in the public interest or in the execution of an official matter in which the data controller has a vested interest.
F. Processing is required in the pursuit of legitimate interests by the data controller or a third party, except where those interests are overridden by the fundamental rights, safety, and freedoms of the data subject, which may require the protection of an individual’s personal data, particularly where the data subject is a minor child.
Points B through E are quite clear: if you qualify under one of them, you are within your legal rights. Bear in mind that a lot of additional documentation may be needed to back up these qualifications, but they should give you an idea of what you need to focus on for compliance purposes.
If none of these reasons fit your situation, then 6.1.f. is your only way out, to wit: operating a company is your fundamental right, and the GDPR cannot stop you from doing so. It can, however, make it more difficult for you by forcing you to produce a supporting argument as to why using this personal data is vital to running your operation. You need to be able to prove that your company and its methods are not undermining the fundamental rights of the person you are reaching out to.
Article 6.1: How to Manage it
Managing Article 6.1 is, admittedly, a bit of a balancing act.
On the one hand, you have legitimate reasons for processing and handling a customer’s personal data. This requires some documentation on your part, as to what benefits you seek by doing so.
On the other hand, there is the issue of privacy and the “right to be forgotten” by your data subject.
In a nutshell, you are legally obligated to ensure you are doing your best to minimize any negative impact that could result from holding this data. If the harm outweighs the good, you won’t have much of a case.
The GDPR and Ofcom (the UK’s communications regulator) have issued a statement on data misuse that goes into great detail as to what constitutes “harm and distress” in the context of personal data handling – highly suggested reading, though you might want to do so in bed if you have trouble with insomnia. Simply riveting.
Validation for GDPR compliance in sales situations
Once you have balanced your policies against the regulation, there are three additional steps that you need to complete to achieve GDPR compliance.
1. Conduct balancing tests
Each time you change your use or collection of personal data, you should conduct a balancing test to ensure that your reasons for collecting said data align with the privacy rights of the data subject. Since the ICO (the UK’s Information Commissioner’s Office) might inspect your documentation – or it could even be used in court – it is crucial that you have this process well in hand.
2. Allow data subjects to object and abide by their decision
Your customer must be afforded the opportunity to object to their data being used by you. If they do, you must respect their wishes, unless you have reasons in place as outlined in article 6.1. Offering the ability to opt out is therefore highly recommended.
3. All collected data must be accessible
Your data subjects are allowed to request a copy of all the personal and payment data you are holding on them. If so requested, you have 30 days to comply and cannot make any changes to that data after they have made their request. The person or entity in question also has the “right to be forgotten”; in other words, they can request immediate deletion of their data, and you must comply.
GDPR non-compliance: is it worth it?
Complying with the GDPR is far less risky—and costly—than not doing so. You could be liable for fines of €20 million (US$22,566,860) or more, so the onus is on you to get it right.
If you are unsure of your position on the matter, it is always advisable to speak to an expert. This will ensure that you have your ducks in a row, so to speak, and that you are ready to answer any issues that might arise as a result.
In conclusion, this post really only scratches the surface of the GDPR and how it might affect your sales process. If you would like to learn more about what you can do to protect your company from GDPR penalties, reach out today.