5 Questions to Ask Data Vendors Before You Buy

5 Questions to Ask Data Vendors Before You Buy

You wouldn’t buy a car without asking a few questions first. What’s the mileage like? When did it last pass inspection? Treat buying data with the same care and concern. 


In 2022, data is king. Good luck selling anything without it. However, not everyone can be a data expert, so we made this list of questions to ask potential data vendors so you can be confident the data you’re paying for is squeaky clean. 


Why do you need to ask your data vendor these questions? Because in a world where data regulations are always changing, it’s important to be sure the data you’re using won’t get you in trouble or alienate your customers. 

 “When target audiences lose faith in our ability to safeguard their interest, they’re far less likely to interact with our marketing engagement efforts, much less do business with our companies.”

– David Crane, Intentsify 

These questions are in reference to The General Data Protection Regulation (GDPR) released by the European Union. That being said, if you aren’t impacted by GDPR, if you’re dealing with data, regulations exist or are moving in quickly. With more and more countries, states, and regions enacting their own data regulations similar to our friends across the pond, it’s important to be forward-thinking when it comes to data quality. Don’t wait until it’s too late to get the best data available. Good data hygiene is always a solid investment. 

Want the bigger picture of how the GDPR is affecting the B2B marketing landscape?  We consulted marketing experts on how you can market and sell while remaining compliant.

1. Are they collecting and sharing personal data with you? 

Personal data is anything that is traceable back to an individual. So things like first and last names, email addresses, phone numbers, LinkedIn profiles, social IDs and more all count as personal data. 

2. Where is the personal data collected from? 

For example, LeadSift scrapes the public web. Personal data from the public web would include first and last names, which most people choose to provide on their social media profiles. Intent vendors, LeadSift included, may have relationships with publishers and content providers where members can opt-in to have their personal data processed. 

Data compliance is a spectrum, and there are a lot of grey areas. 

 “Some data providers will get your names and email addresses among intent-identified accounts using their own contact databases. This, however, is a gray area of compliance (and I’m being lenient here), because you don’t know if or how exactly these contacts opted into providing their information.”David Crane 

3. What is the lawful basis for collecting and processing the data? 

In total there are six lawful bases for collecting and processing personal data in the EU. However, for marketers and sales reps, the two you need to focus on are consent and legitimate interest

4. Do they have explicit consent and how do they get it?

GDPR outlines explicit consent as “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”


The individual has to be made aware of how their information will be used and given a clear opportunity to approve or disapprove of the processing. The data subject can’t be cornered or required to opt-in their data as a condition of using the service. “Silence, pre-ticked/checked boxes, or inactivity does not, therefore, constitute consent. That said, if you or any vendors you work with ensures that all contact-level data was acquired through such compliant means (typically by a clear opt-in or double opt-in process), you should be able to contact them via the normal marketing channels, as long as such uses were clearly stated when the individual opted in”, Says Crane. 


There are a few exceptions when it comes to data that is necessary for the provision of service. For example, credit card information and shipping addresses can be required for processing payments and product deliveries (GDPR.EU) 


If a vendor doesn’t have explicit consent, then they are likely using legitimate interest as the lawful basis to collect the data, which is why the next question is incredibly important to ask.

5. Can you see a copy of a legitimate interest assessment?  

When you receive a copy of a legitimate interest assessment (LIA) from a vendor, that’s a good sign. They are aligning themselves with data accountability and data hygiene. Two fantastic traits to look for in a vendor.  As a result, you can be confident you’re putting your budget in the right place. 


So what does a proper LIA look like? 


A good LIA will be specific and clear. The length of the assessment will be determined by specific circumstances surrounding the data collection practices and therefore will vary from vendor to vendor. The EU does not lay out specifics on how a legitimate interest assessment should be carried out. The UK’s data authority, the information commissioner’s office (ICO), suggests a three-part test that can help data processors determine their legitimate interest: 

  1. Purpose test (is there legitimate interest behind the processing?)
  2. Necessity test (is the processing necessary?) 
  3. Balancing test (does the individual’s interests and rights and freedoms override your legitimate interests.)

Want to see how LeadSift stays compliant with GDPR? Meet with us and ask all these questions, and more! Go ahead and grill us, we can take it. 

LeadSift Acquired by IDGC

Today we are announcing that LeadSift has agreed to be acquired by IDG Communications, the leader in tech media, data and marketing services. We are beyond excited to join this family.

We started LeadSift in 2012 with the hypothesis that there is a massive amount of buying intent generated across billions of public web documents every day. We quickly realized that this data, if delivered in a timely manner, could be a game changer for businesses trying to connect with their customers. (P.S. we were talking about buying intent way before it was cool.) And over the last 9 years – across multiple product pivots and 100s of customers – we have always focused (almost obsessed) over the mission of “mining information from public web sources to help businesses identify and engage their customers in the buying journey.  

Being one of the leading B2B intent data providers and working with some of the savviest marketers, we got to see how big a role intent data was playing across the entire B2B demand generation process. From identifying buyers across the buying journey to engaging with the right message across multiple channels.

Since the inception of LeadSift and our pivot to a B2B intent data platform, we have had many champions and supporters of our mission who understood the power of intent data for B2B marketers, but few have understood as quickly and succinctly as Andre Yee, Chief Product Officer of IDG Communications. (N.B. When you start discussing a product roadmap in the middle of a corp-dev call with half a dozen executives, you know you have found your kindred spirit!) Right after our first meeting, we realized the incredibly powerful future for B2B marketers we could be building together with the IDG’s proprietary first-party and the marketing tech stack they were building (acquiring Triblio and KickFire is not a coincidence).

If you’re a LeadSift customer, partner or one of our prospective customers (P.S. we should chat now seriously!) here are 3 reasons why we are super excited about the future:

1. Data is King: It is obvious the company that has the most depth and breadth of data wins the B2B demand generation space. IDG.com being the #1 Tech Media company with troves of proprietary first-party intent-data across event attendance, engagement with editorial articles, branded conversations and human verified insights has a massive head start. Imagine how scalable and actionable our intent signals will be once we integrate our 3rd-party realtime web based intent signals with this proprietary first-party intent data stream.


2. Incredible Reach: Let’s be honest, being a small startup from Halifax, N.S. we’ve always had challenges in scaling demand generation programs for really large enterprises. By merging with IDG, a company with offices across the globe, we will have a lot more resources to be able to provide global reach and support at a level that we could not previously imagine.

3. Full Cycle Demand Generation: 3rd-party intent data is one piece (albeit a very important one) of the overall B2B marketing and demand generation puzzle. But what if you could know all the information about your first-party web visitors (IDG | Kickfire), cross-reference and prioritize them with 3rd-party intent signals (LeadSift + IDG proprietary first-party data), activate them seamlessly across digital channels (IDG | Triblio) and run highly targeted lead generation programs, all from one single dashboard! This is what Kumaran Ramanathan, president of IDG Communications says: “IDG’s goal of moving to the intersection of media and MarTech is to help B2B marketers navigate the customer journey across a dynamic ecosystem by leveraging unmatched data sets. . LeadSift’s technology is further enhancing our unique intent data that drives ROI for our customers.”

What does this mean for you as a current customer and partner?

As a current customer and partner nothing changes in terms of your subscription, but you can look forward to more and better intent data that includes information from first-party websites and offline sources such as event attendance and telemarketing! Stay tuned for all the exciting product developments we have planned.

What does this mean for the LeadSift team?

We’re closer to building out the most comprehensive and actionable intent data as a service to serve the savviest B2B marketers – and we could not be happier (video/picture). Our entire team is excited to embark on this next chapter of the journey to continue to focus on our mission of “mining information from public web + proprietary data sources to help businesses identify and engage their customers in the buying journey.”

Thank you,

Tukan and Sreejata

Q&A: The Future of GDPR in the Marketing Landscape

Q&A: The Future of GDPR in the Marketing Landscape

The B2B data space is evolving at break-neck speeds and with it spanning wider and wider, data privacy is an increasing concern for consumers, businesses, and the people whose job it is to use that data.

One of the hardest parts is that people don’t know where to start. What is GDPR? How do I make sure the data I’m using won’t get me in trouble? How will this impact how I market and sell my solution?

After recently digging into our own compliance and completing a Legitimate Interest Assessment (LIA) for GDPR compliance, we reached out to data providers, marketing automation tools, programmatic advertising companies, and outbound sales tools to get their expertise on how GDPR affects B2B tech teams and what they can do to make sure everything’s compliant.

We interviewed leaders from B2B data and service providers to gain their perspectives on compliance. Answers range from what GDPR means for buyers and sellers now, how to make sure your data providers are up to standard, and how to effectively market and sell in a B2B landscape while remaining compliant.

We talked to:

Keep in mind, this article isn’t written by lawyers, but by providers who know the ins and outs by being compliant themselves, and ensuring their customers do the same.

For the sake of honesty, there are a few shameless plugs, but what can I say, it’s written by marketers across the industry. We wouldn’t be doing our jobs if we didn’t shout out our products at least a little bit.

So, what is GDPR?

GDPR, or General Data Protection Regulation, is a set of rules to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the EU can fully benefit from the digital economy.

Data Protection regulations outlined by GDPR include:

  • Right of Access: you may request access to your personal information and obtain a copy of personal information.
  • Right of Rectification: you may request to change, update or complete any missing data processed about you.
  • Right to Erasure: you may at any time withdraw your consent to the processing of your personal information. In this case, if there is no overriding legitimate interest for continuing the processing of your personal information and the personal information is no longer necessary in relation to the purpose for which it was originally collected, we will erase your data.
  • Right to Data Portability: You have the right to receive personal information in a structured, commonly used format.

Why is GDPR compliance crucial for B2B organizations?

Kicking our interviews off, we talked to Intentsify’s David Crane. Step one is covering why GDPR (and compliance in general) are not only important from a legal basis but help build a business customers want to work with.  

“What’s good for customers is good for business. Unfortunately, as marketers, we’re often unaware of how secure (or insecure) data is when we capture, transfer, or use it. As it turns out, it’s often not all that secure. Not long ago, hackers gained access to information on 150 million users of Under Armour’s MyFitnessPal app. Soon after, Marriott announced a massive data breach, potentially affecting 500 million people. Identity theft is estimated to cost American consumers alone more than $16 billion annually” says Crane.

 “When target audiences lose faith in our ability to safeguard their interest, they’re far less likely to interact with our marketing engagement efforts, much less do business with our companies.”

– David Crane, Intentsify

“This all reverberates throughout the digital marketing space, hurting our organizations as well as our customers. When target audiences lose faith in our ability to safeguard their interest, they’re far less likely to interact with our marketing engagement efforts, much less do business with our companies.

Back in May of 2018, an Economist article succinctly corroborated the link between marketing practices and data privacy laws, stating the GDPR was the result of marketers’ (via their advertising tech) “insatiable hunger for personal data.

Businesses across the globe have largely failed to self-regulate. And the marketing industry’s pursuit to acquire as much data as possible, as quickly as possible, has put prospects and customers at risk. It’s for reasons such as these that government-implemented data-protection regulations are on the rise.

Now, we all know that these new regulations can place extra burdens on us as marketers (cleansing databases, revising opt-in language on landing pages, adjusting data-transfer processes, etc.). However, in the long run, the GDPR and other data privacy regulations like the CCPA will do businesses more good than harm.”

So, in what ways have new privacy regulations been good for businesses and consumers?

Here are just a few positive results of new regulations according to Crane:

1.They encourage account-based focus—Account-based marketing (ABM) requires marketers to focus their efforts, resources, and budget on fewer accounts and individuals. It shuns spray-and-pray email tactics and high-volume lead gen goals—both of which require marketers to scrape as much personal data as possible and are averse to data privacy. Data regulations and good ABM strategies strive to create quality prospect interactions by being customer-focused. This demands that marketers be respectful of prospect data and gain trust.

2. They cause businesses to focus on the metrics that matter—Recent and upcoming data-privacy regulations provide good arguments for marketing teams to shift goals down the funnel to focus on metrics like sales pipeline and revenue growth, rather than top-funnel lead volume, which encourages gathering as much contact-level data as possible.

3. They improve prospect and customer data quality—The fact that the GDPR requires consent for specific uses of data will lead to an improved understanding of prospect needs. In other words, marketers will gain more specific, accurate prospect data with which they can further qualify, nurture, and convert leads into opportunities.

4. Enhance program transparency—Regulations certainly create barriers to marketing-funnel entry. But this is a good thing. This barrier acts as a filtration device, limiting the amount of bad data that can muddy your database and skew your program measurement, analysis, and optimization. With a cleaner database, you’ll gain a better understanding of which engagement tactics are resonating with your target audiences.

5. Increase marketing (and sales) efficiency—When prospect data is of higher quality, your team doesn’t need to waste as many resources trying to convert leads that should never have been in your database, to begin with. You can reallocate time and effort to more strategic, revenue-driving activities.”

Intent Data and GDPR

How to find compliant contact-level data

Next, we talked to Crane about GDPR in the context of intent data specifically. This is his wheelhouse and he did not fail to give great insights. Here’s what he had to say.

“There are a few ways to find and use contact-level data, some more compliant than others,” says Crane. 

“For example, some data providers will get you names and email addresses among intent-identified accounts using their own contact databases. This, however, is a gray area of compliance (and I’m being lenient here), because you don’t know if or how exactly these contacts opted into providing their information.”

Crane also proposes some solutions and services that provide data that is compliant, more transparent, and ethical in approach. Two compliant options he suggests are:

  • LeadSift—Since LeadSift’s tech derives data only from public sources, such as social media platforms, they have identified legitimate interest, a pillar of GDPR compliance, therefore they can provide intent data at the contact level.  
  • Intentsify’s demand gen solution—While Intentsify’s intent data is purely account-level data, their demand gen solution allows you to distribute your branded content among intent-identified accounts, and targeted personas can then opt-in to providing their contact info to access the content. Not only is this GDPR compliant, but it also shows a further level of intent.

Questions to ask your third-party data provider

At LeadSift, we just went through the process of making sure we’re doing the right things. This means double and triple checking our data and processes and completing a Legitimate Interest Assessment (LIA) to make sure we’re doing all we can to be compliant.

That’s why we answered the next question in-house and asked LeadSift Co-founder and CEO, Tukan Das, about how to make sure the data you buy fits the bill.

“The most important question to ask your data provider is if they are processing and sharing any personal data with you? Personal data from a B2B perspective includes first name, last name, email, phone, LinkedIn, social IDs, etc. If they are dealing with personal data then ask them where they are collecting the data from and ask for the lawful basis of them collecting and processing the data?”

“If they have explicit consent from the data subjects (i.e. professional contacts) ask them how they collected the opt-in and any additional context  (terms of service etc.) around it. If they don’t have consent – then they’d probably use legitimate interest as their lawful basis to process the data (most third-party providers would fall under it). Ask them to provide a detailed LIA for their data collection and processing.

In addition to a completed LIA, ask them if they can support blocking of contacts and also providing a full-trail of the personal data they have stored on the contacts in a human-readable format.”

If these boxes are all checked, you’re probably good to go. At the end of the day, transparency is key here.

What are the compliance implications of account vs contact-level data?

Back on track with Intentsify’s David Crane, we also pulled in Metadata’s Logan Neveau, we talked about the difference between buying and using company vs contact data under the lens of compliance.

“Both types of data are important. As my old colleague and friend, Scott Vaughan would often say (almost ad nauseum, but important nonetheless): ‘Companies don’t buy anything, people do.’ Despite the fact that I liked to debate this by saying ‘Well, companies do buy things, but people sign the checks,’ Scott’s point is absolutely correct—account-level data doesn’t mean much if you can’t find and have conversations with the right people.” says Crane.

The trick to acting on contact-level data under GDPR is understanding that the privacy regulations are highly focused on the rights of the individual, so you have to be vigilant along every step of the data’s journey through your business.

Metadata’s Logan Neveau had a similar thing to say concerning the countries GDPR applies to, “You have to be 100% confident that every single person who’s going to see your ad is not a European Union citizen.”

He dives deeper explaining, “They don’t hold double citizenship. They’re not on vacation, and they’re not using a VPN because the VPN can screw with where they’re actually located. So it’s practically impossible. By default, everyone should be treated as if GDPR applies to them if you want to be safe from a legal perspective.”

When it comes to targeting at the contact-level using email addresses from an ads perspective, Neveau says “When you want to target contacts you don’t get to see the Personal Identifiable Information (PII), it’s hashed, encrypted, and passed directly to the API for the data set to Facebook or LinkedIn. So we’re not exposing any PII until you opt-in and you consent saying let’s have a conversation, then we can unmask who that person is.”

What’s allowed and not allowed within GDPR compliance?

Now that we’ve talked a bit about the implications of GDPR compliance, we can dive into what we can do with data. 

“First, I’m not a lawyer, and any business dealing with these issues should have an attorney look into their specific circumstances. That said, here’s the main, high-level stuff to know from my perspective as a marketer.” explains Crane.

“There are six ‘Lawful Bases’ by which organizations can acquire and process personal data in the European Union. The two that matter most to marketers are consent and legitimate interest (the other four bases will rarely if ever, affect marketing efforts). 

Obtaining consent should be the primary legal basis by which marketers use personal data. This largely means requiring contacts to opt into a specific use of their personal info. Specifically, the GDPR states that consent should be given by:

“Clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” [https://www.legislation.gov.uk/eur/2016/679/contents]

Silence, pre-ticked/checked boxes, or inactivity does not, therefore, constitute consent. That said, if you or any vendors you work with ensures that all contact-level data was acquired through such compliant means (typically by a clear opt-in or double opt-in process), you should be able to contact them via the normal marketing channels, as long as such uses were clearly stated when the individual opted in.” explains Crane.

How will these laws affect data providers moving forward? How will this shape the future of intent?

Crane says “I think data-privacy regulations are good for the industry as a whole, including data providers (at least the diligent, ethical ones, which are the ones you want anyway). Any data provider that can’t perform under such new rules is simply less equipped to support their customers’ needs. Consequently, they won’t succeed. That’s just capitalism working as it should, and it’s good for marketers, businesses, consumers, and society in general.”

GDPR and Outbound Sales

We’ve said it before and we’ll say it again. Data is only as good as its action plan. So now that we know what it takes for intent to be compliant. How does GDPR impact the processes intent ebbs and flows into?

Does GDPR mean you can’t do Outbound Prospecting?

“It doesn’t!” says Predictable Revenue’s, Sarah Hicks, “But it does mean you have to play by the rules.”

“GDPR requires permission from the individual to collect, store, and use their personal data. That means that if you’re purchasing lists from a data provider or having someone research/scrape to find data for you – you need to make sure that data is GDPR compliant.” 

How can SDR’s still be compliant with their email outreach?

Hicks explains that “Article 47 of GDPR states that ‘direct marketing purposes may be regarded as carried out for legitimate interest.’”

“Outbound prospecting falls under the umbrella of direct marketing in this context. If you have researched a company and/or buyer persona and write a one-to-one email to a prospect expressing relevant ways you can help them solve an issue or achieve a goal – that probably counts as legitimate interest. What you can’t do under GDPR is send out mass, spray and pray outreach via email. This blog post can help you determine whether your outreach meets the legitimate interest criteria.”

How will laws like GDPR affect outbound activity in the future?

This industry changes quickly and without remorse. It’s important to not only consider how your outbound sales activities are compliant today, but how SDRs can be compliant without interruption moving forward. Here’s Hicks’s advice.

“Data security and privacy laws and regulations are becoming increasingly strict. Each region has its own set of privacy acts that are being amended and added to all the time. At the moment, the EU and California have some of the most extensive data privacy regulations in place with GDPR and CCPA, but Canada is close behind with new regulations proposed. As individuals spend more and more time online, they become more concerned about their data security and privacy, and the legal and regulatory systems in countries are catching up.

There are certain business development thought leaders that believe that cold emails will be made completely illegal within the next decade and some that cold calls are a thing of the past thanks to increasingly tight regulations and personal attitudes that find these methods of communication invasive. I think it’s totally plausible that, in future, SDR/BDR activity will be limited to 1 to 1, researched, customized, and relevant outreach. “ says Hicks.

Outplay’s Sathyanarain (Narain) Muralidharan goes on to explain “A multi-channel outbound sales strategy is really a powerful way to work within the rules of GDPR. The key is to get permission from a prospect before sending them an outbound sales email.

Once you have your account list, it is always a great practice to warm the prospect up via various channels like social media, and even channels like text messages and cold calls. A multi-channel sales engagement platform like Outplay lets you execute such a sequence at scale across your team of sales reps to ensure you operate within the rules of GDPR.”

GDPR and B2B Advertising

Speaking of evolving industries, as many of us know B2B advertising changes constantly. Specifically, as we move away from the use of cookies and evolving Google regulations, maintaining compliance and what marketers can do with ads change constantly. To give us a better picture of what’s happening and what to do about it, we asked Metadata’s, Logan Neveau.

From an advertisement perspective, how will laws like GDPR and CCPA impact B2B marketers?

“The B2B advertising landscape for most of the ABM tools has all been very display focused. There’s a ton of data that you can get within a Display Side Platform (DSP) particularly on cookies and individual user tracking. But with Google’s changes coming to get rid of the ‘cookie-pocalypse’, paired with GDPR, it’s really hard to get that granularity and that visibility. So companies like 6Sense, Demandbase, and Terminus, which have all that intent data based on ad interaction data risk losing that visibility and those signals because you won’t be able to track third-party users via cookies on Chrome” says Neveau.

“Now that we’re working from home, IP is harder to track. And honestly, in GDPR, if you pair it with anything else, it’s no longer uniquely identifiable. So there’s a gray area in GDPR. Is it PII or is it not? Well, I don’t know. It depends. What’s the context? And so there’s hesitation to use IP addresses.”

How will Display Advertising be impacted?

“It’s already been impacted because you can’t target by specific PII signals. The only thing that makes it different is when you’re on Facebook and LinkedIn, you have accepted their terms and conditions, you have to be anonymized yourself in a display environment you have not,” explains Neveau.

“Right now the only way to target someone in a display network is by IP address. So if someone from within this IP address is visiting, show me that. We have lost individual-based targeting and display in the EU because of GDPR.”

How do you see GDPR impacting advertising outside of intent?

“Immediately when GDPR went into effect, you could no longer target an individual user on display in the EU. It’s IP address only so now you’re targeting an entire company. But, in a closed environment like social media, users have logged in, they’ve consented to share their information with Facebook or LinkedIn, platforms know who users are. Because of this,  we can still target an individual user within social media. These walled gardens are going to become immensely more valuable in B2B marketing to continue to retain your targeting.“

Neveau goes on to say, “The downside about this is that LinkedIn knows where you work because you’ve told them so they can say, ‘hey, this account has seen your ad X and Y amount of times.’ Facebook or Quora does not. You can still target individuals there, but you can’t report in an ABM fashion. That’ll be quite scary soon because that is one of the metrics that a lot of these ABM platforms report, penetration on these accounts.

So we shouldn’t set up our marketing to drive clicks and impressions, we shouldn’t be reporting on an account-based lift, because it’s not in our favour, it’s only going to get worse. So instead, we want to say, ‘we’ve gotten impressions and clicks in front of these accounts, go ahead and send that to your sales team,’ but don’t hang your hat on that metric. There are holes in those numbers that you could drive a bus through. Use it as a leading indicator, but you should be rolling out, ‘we drove this many qualified inbound requests, we now have a first-party relationship with that user 100%.’”

Key Takeaways

  • When buying data, have open conversations with your provider about where it’s coming from.


  • Data privacy and compliance are good for everyone. For providers, it improves data quality and holds everyone accountable to the metrics that matter.


  • Compliance at all stages matters. It’s not just about how to acquire data, it’s about using it in compliant ways.


  • GDPR and other regulatory bodies aren’t going anywhere. Figuring out a compliant strategy now, and being adaptable as regulations evolve is the pinnacle to success.

Want to read how we use our own data in a GDPR compliant way?