The B2B data space is evolving at breakneck speed, and as it spans wider and wider, data privacy is an increasing concern for consumers, businesses, and the people whose job it is to use that data.
One of the hardest parts is that people don’t know where to start. What is GDPR? How do I make sure the data I’m using won’t get me in trouble? How will this impact how I market and sell my solution?
After recently digging into our own compliance and completing a Legitimate Interest Assessment (LIA) for GDPR compliance, we reached out to data providers, marketing automation tools, programmatic advertising companies, and outbound sales tools to get their expertise on how GDPR affects B2B tech teams and what they can do to make sure everything’s compliant.
We interviewed leaders from B2B data and service providers to gain their perspectives on compliance. Answers cover what GDPR means for buyers and sellers now, how to make sure your data providers are up to standard, and how to effectively market and sell in a B2B landscape while remaining compliant.
We talked to:
- Tapajyoti (Tukan) Das, CEO, LeadSift
- David Crane, VP Marketing, Intentsify
- Sarah Hicks, Lead Coach, Predictable Revenue
- Logan Neveau, Sr. Director of Product Growth, Metadata
- Sathyanarain (Narain) Muralidharan, Director of Marketing, Outplay
Keep in mind, this article isn’t written by lawyers, but by providers who know the ins and outs by being compliant themselves, and ensuring their customers do the same.
For the sake of honesty, there are a few shameless plugs, but what can I say, it’s written by marketers across the industry. We wouldn’t be doing our jobs if we didn’t shout out our products at least a little bit.
So, what is GDPR?
GDPR, or General Data Protection Regulation, is a set of rules to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the EU can fully benefit from the digital economy.
Data Protection regulations outlined by GDPR include:
- Right of Access: you may request access to your personal information and obtain a copy of personal information.
- Right of Rectification: you may request to change, update or complete any missing data processed about you.
- Right to Erasure: you may at any time withdraw your consent to the processing of your personal information. In this case, if there is no overriding legitimate interest for continuing the processing of your personal information and the personal information is no longer necessary in relation to the purpose for which it was originally collected, we will erase your data.
- Right to Data Portability: You have the right to receive personal information in a structured, commonly used format.
Why is GDPR compliance crucial for B2B organizations?
Kicking our interviews off, we talked to Intentsify’s David Crane. Step one is covering why GDPR (and compliance in general) is not only important from a legal basis but also helps build a business customers want to work with.
“What’s good for customers is good for business. Unfortunately, as marketers, we’re often unaware of how secure (or insecure) data is when we capture, transfer, or use it. As it turns out, it’s often not all that secure. Not long ago, hackers gained access to information on 150 million users of Under Armour’s MyFitnessPal app. Soon after, Marriott announced a massive data breach, potentially affecting 500 million people. Identity theft is estimated to cost American consumers alone more than $16 billion annually,” says Crane.
“This all reverberates throughout the digital marketing space, hurting our organizations as well as our customers. When target audiences lose faith in our ability to safeguard their interest, they’re far less likely to interact with our marketing engagement efforts, much less do business with our companies.
Back in May of 2018, an Economist article succinctly corroborated the link between marketing practices and data privacy laws, stating the GDPR was the result of marketers’ (via their advertising tech) “insatiable hunger for personal data.”
Businesses across the globe have largely failed to self-regulate. And the marketing industry’s pursuit to acquire as much data as possible, as quickly as possible, has put prospects and customers at risk. It’s for reasons such as these that government-implemented data-protection regulations are on the rise.
Now, we all know that these new regulations can place extra burdens on us as marketers (cleansing databases, revising opt-in language on landing pages, adjusting data-transfer processes, etc.). However, in the long run, the GDPR and other data privacy regulations like the CCPA will do businesses more good than harm.”
So, in what ways have new privacy regulations been good for businesses and consumers?
Here are just a few positive results of new regulations according to Crane:
1. “They encourage account-based focus—Account-based marketing (ABM) requires marketers to focus their efforts, resources, and budget on fewer accounts and individuals. It shuns spray-and-pray email tactics and high-volume lead gen goals—both of which require marketers to scrape as much personal data as possible and are averse to data privacy. Data regulations and good ABM strategies strive to create quality prospect interactions by being customer-focused. This demands that marketers be respectful of prospect data and gain trust.
2. They cause businesses to focus on the metrics that matter—Recent and upcoming data-privacy regulations provide good arguments for marketing teams to shift goals down the funnel to focus on metrics like sales pipeline and revenue growth, rather than top-funnel lead volume, which encourages gathering as much contact-level data as possible.
3. They improve prospect and customer data quality—The fact that the GDPR requires consent for specific uses of data will lead to an improved understanding of prospect needs. In other words, marketers will gain more specific, accurate prospect data with which they can further qualify, nurture, and convert leads into opportunities.
4. Enhance program transparency—Regulations certainly create barriers to marketing-funnel entry. But this is a good thing. This barrier acts as a filtration device, limiting the amount of bad data that can muddy your database and skew your program measurement, analysis, and optimization. With a cleaner database, you’ll gain a better understanding of which engagement tactics are resonating with your target audiences.
5. Increase marketing (and sales) efficiency—When prospect data is of higher quality, your team doesn’t need to waste as many resources trying to convert leads that should never have been in your database to begin with. You can reallocate time and effort to more strategic, revenue-driving activities.”
Intent Data and GDPR
How to find compliant contact-level data
Next, we talked to Crane about GDPR in the context of intent data specifically. This is his wheelhouse and he did not fail to give great insights. Here’s what he had to say.
“There are a few ways to find and use contact-level data, some more compliant than others,” says Crane.
“For example, some data providers will get you names and email addresses among intent-identified accounts using their own contact databases. This, however, is a gray area of compliance (and I’m being lenient here), because you don’t know if or how exactly these contacts opted into providing their information.”
Crane also proposes some solutions and services that provide data that is compliant, more transparent, and ethical in approach. Two compliant options he suggests are:
- LeadSift—Since LeadSift’s tech derives data only from public sources, such as social media platforms, they have identified legitimate interest, a pillar of GDPR compliance; therefore, they can provide intent data at the contact level.
- Intentsify’s demand gen solution—While Intentsify’s intent data is purely account-level data, their demand gen solution allows you to distribute your branded content among intent-identified accounts, and targeted personas can then opt-in to providing their contact info to access the content. Not only is this GDPR compliant, but it also shows a further level of intent.
Questions to ask your third-party data provider
At LeadSift, we just went through the process of making sure we’re doing the right things. This means double and triple checking our data and processes and completing a Legitimate Interest Assessment (LIA) to make sure we’re doing all we can to be compliant.
That’s why we answered the next question in-house and asked LeadSift Co-founder and CEO, Tukan Das, about how to make sure the data you buy fits the bill.
“The most important question to ask your data provider is if they are processing and sharing any personal data with you. Personal data from a B2B perspective includes first name, last name, email, phone, LinkedIn, social IDs, etc. If they are dealing with personal data, then ask them where they are collecting the data from and ask for the lawful basis of them collecting and processing the data.”
“If they have explicit consent from the data subjects (i.e. professional contacts) ask them how they collected the opt-in and any additional context (terms of service etc.) around it. If they don’t have consent – then they’d probably use legitimate interest as their lawful basis to process the data (most third-party providers would fall under it). Ask them to provide a detailed LIA for their data collection and processing.
In addition to a completed LIA, ask them if they can support blocking of contacts and also providing a full-trail of the personal data they have stored on the contacts in a human-readable format.”
If these boxes are all checked, you’re probably good to go. At the end of the day, transparency is key here.
What are the compliance implications of account vs contact-level data?
Back on track with Intentsify’s David Crane, we also pulled in Metadata’s Logan Neveau to talk about the difference between buying and using company vs. contact data under the lens of compliance.
“Both types of data are important. As my old colleague and friend, Scott Vaughan would often say (almost ad nauseam, but important nonetheless): ‘Companies don’t buy anything, people do.’ Despite the fact that I liked to debate this by saying ‘Well, companies do buy things, but people sign the checks,’ Scott’s point is absolutely correct—account-level data doesn’t mean much if you can’t find and have conversations with the right people,” says Crane.
The trick to acting on contact-level data under GDPR is understanding that the privacy regulations are highly focused on the rights of the individual, so you have to be vigilant along every step of the data’s journey through your business.
Metadata’s Logan Neveau had a similar thing to say concerning the countries GDPR applies to: “You have to be 100% confident that every single person who’s going to see your ad is not a European Union citizen.”
He dives deeper, explaining, “They don’t hold double citizenship. They’re not on vacation, and they’re not using a VPN because the VPN can screw with where they’re actually located. So it’s practically impossible. By default, everyone should be treated as if GDPR applies to them if you want to be safe from a legal perspective.”
When it comes to targeting at the contact-level using email addresses from an ads perspective, Neveau says, “When you want to target contacts, you don’t get to see the Personal Identifiable Information (PII), it’s hashed, encrypted, and passed directly to the API for the data set to Facebook or LinkedIn. So we’re not exposing any PII until you opt-in and you consent saying let’s have a conversation, then we can unmask who that person is.”
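To make the hashed hand-off Neveau describes concrete, here is an added example (not code from Metadata, LeadSift, or any ad platform) that also honors the contact blocking Das asks providers to support. It assumes the receiving platform matches on the SHA-256 digest of the trimmed, lowercased address; the function names and sample addresses are constructed for illustration.

```python
import hashlib

def normalize_email(raw: str) -> str:
    # Assumed matching convention: trim whitespace, then lowercase.
    # Without this step, "Ana@Example.COM" and "ana@example.com" hash differently
    # and a blocked contact can slip past the suppression check.
    return raw.strip().lower()

def hash_email(raw: str) -> str:
    # SHA-256 hex digest of the normalized address.
    return hashlib.sha256(normalize_email(raw).encode("utf-8")).hexdigest()

def looks_like_email(norm: str) -> bool:
    # Minimal shape check so junk rows are never hashed and uploaded.
    local, sep, domain = norm.partition("@")
    return bool(local and sep and "." in domain
                and "@" not in domain and " " not in norm)

def build_audience(contacts, blocked):
    """Return (digests_to_upload, skipped_rows_with_reason).

    Blocked contacts are compared by digest, so the suppression list can be
    stored and shared in hashed form as well.
    """
    blocked_hashes = {hash_email(e) for e in blocked}
    upload, skipped, seen = [], [], set()
    for raw in contacts:
        if not looks_like_email(normalize_email(raw)):
            skipped.append((raw, "malformed"))
            continue
        digest = hash_email(raw)
        if digest in blocked_hashes:
            skipped.append((raw, "blocked"))
        elif digest in seen:
            skipped.append((raw, "duplicate"))
        else:
            seen.add(digest)
            upload.append(digest)
    return upload, skipped

# Constructed sample data (example.* domains are reserved for documentation).
CONTACTS = [
    "ana@example.com",
    " Ana@Example.COM ",      # same person, different casing and spacing
    "bo@example.org",
    "opted.out@example.net",  # appears on the block list below
    "not-an-email",
]
BLOCKED = ["Opted.Out@example.net"]

if __name__ == "__main__":
    digests, skipped = build_audience(CONTACTS, BLOCKED)
    print(f"{len(digests)} digests ready for upload")
    for raw, reason in skipped:
        print(f"skipped {raw!r}: {reason}")
```

Because the digest is deterministic, anyone who already holds the address can recompute it, so the hashed list is pseudonymized rather than anonymous.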
What’s allowed and not allowed within GDPR compliance?
Now that we’ve talked a bit about the implications of GDPR compliance, we can dive into what we can do with data.
“First, I’m not a lawyer, and any business dealing with these issues should have an attorney look into their specific circumstances. That said, here’s the main, high-level stuff to know from my perspective as a marketer,” explains Crane.
“There are six ‘Lawful Bases’ by which organizations can acquire and process personal data in the European Union. The two that matter most to marketers are consent and legitimate interest (the other four bases will rarely, if ever, affect marketing efforts).
Obtaining consent should be the primary legal basis by which marketers use personal data. This largely means requiring contacts to opt into a specific use of their personal info. Specifically, the GDPR states that consent should be given by:
“Clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” [https://www.legislation.gov.uk/eur/2016/679/contents]
Silence, pre-ticked/checked boxes, or inactivity does not, therefore, constitute consent. That said, if you or any vendors you work with ensure that all contact-level data was acquired through such compliant means (typically by a clear opt-in or double opt-in process), you should be able to contact them via the normal marketing channels, as long as such uses were clearly stated when the individual opted in,” explains Crane.
How will these laws affect data providers moving forward? How will this shape the future of intent?
Crane says, “I think data-privacy regulations are good for the industry as a whole, including data providers (at least the diligent, ethical ones, which are the ones you want anyway). Any data provider that can’t perform under such new rules is simply less equipped to support their customers’ needs. Consequently, they won’t succeed. That’s just capitalism working as it should, and it’s good for marketers, businesses, consumers, and society in general.”
GDPR and Outbound Sales
We’ve said it before and we’ll say it again: data is only as good as its action plan. So now that we know what it takes for intent to be compliant, how does GDPR impact the processes intent ebbs and flows into?
Does GDPR mean you can’t do Outbound Prospecting?
“It doesn’t!” says Predictable Revenue’s Sarah Hicks. “But it does mean you have to play by the rules.”
“GDPR requires permission from the individual to collect, store, and use their personal data. That means that if you’re purchasing lists from a data provider or having someone research/scrape to find data for you – you need to make sure that data is GDPR compliant.”
How can SDRs still be compliant with their email outreach?
Hicks explains that “Article 47 of GDPR states that ‘direct marketing purposes may be regarded as carried out for legitimate interest.’”
“Outbound prospecting falls under the umbrella of direct marketing in this context. If you have researched a company and/or buyer persona and write a one-to-one email to a prospect expressing relevant ways you can help them solve an issue or achieve a goal – that probably counts as legitimate interest. What you can’t do under GDPR is send out mass, spray and pray outreach via email. This blog post can help you determine whether your outreach meets the legitimate interest criteria.”
How will laws like GDPR affect outbound activity in the future?
This industry changes quickly and without remorse. It’s important to not only consider how your outbound sales activities are compliant today, but how SDRs can be compliant without interruption moving forward. Here’s Hicks’s advice.
“Data security and privacy laws and regulations are becoming increasingly strict. Each region has its own set of privacy acts that are being amended and added to all the time. At the moment, the EU and California have some of the most extensive data privacy regulations in place with GDPR and CCPA, but Canada is close behind with new regulations proposed. As individuals spend more and more time online, they become more concerned about their data security and privacy, and the legal and regulatory systems in countries are catching up.
There are certain business development thought leaders that believe that cold emails will be made completely illegal within the next decade and some that cold calls are a thing of the past thanks to increasingly tight regulations and personal attitudes that find these methods of communication invasive. I think it’s totally plausible that, in future, SDR/BDR activity will be limited to 1 to 1, researched, customized, and relevant outreach,” says Hicks.
Outplay’s Sathyanarain (Narain) Muralidharan goes on to explain, “A multi-channel outbound sales strategy is really a powerful way to work within the rules of GDPR. The key is to get permission from a prospect before sending them an outbound sales email.
Once you have your account list, it is always a great practice to warm the prospect up via various channels like social media, and even channels like text messages and cold calls. A multi-channel sales engagement platform like Outplay lets you execute such a sequence at scale across your team of sales reps to ensure you operate within the rules of GDPR.”
GDPR and B2B Advertising
From an advertisement perspective, how will laws like GDPR and CCPA impact B2B marketers?
“The B2B advertising landscape for most of the ABM tools has all been very display focused. There’s a ton of data that you can get within a Display Side Platform (DSP) particularly on cookies and individual user tracking. But with Google’s changes coming to get rid of the ‘cookie-pocalypse’, paired with GDPR, it’s really hard to get that granularity and that visibility. So companies like 6Sense, Demandbase, and Terminus, which have all that intent data based on ad interaction data risk losing that visibility and those signals because you won’t be able to track third-party users via cookies on Chrome,” says Neveau.
“Now that we’re working from home, IP is harder to track. And honestly, in GDPR, if you pair it with anything else, it’s no longer uniquely identifiable. So there’s a gray area in GDPR. Is it PII or is it not? Well, I don’t know. It depends. What’s the context? And so there’s hesitation to use IP addresses.”
How will Display Advertising be impacted?
“It’s already been impacted because you can’t target by specific PII signals. The only thing that makes it different is when you’re on Facebook and LinkedIn, you have accepted their terms and conditions, you have to be anonymized yourself in a display environment you have not,” explains Neveau.
“Right now the only way to target someone in a display network is by IP address. So if someone from within this IP address is visiting, show me that. We have lost individual-based targeting and display in the EU because of GDPR.”
How do you see GDPR impacting advertising outside of intent?
“Immediately when GDPR went into effect, you could no longer target an individual user on display in the EU. It’s IP address only so now you’re targeting an entire company. But, in a closed environment like social media, users have logged in, they’ve consented to share their information with Facebook or LinkedIn, platforms know who users are. Because of this, we can still target an individual user within social media. These walled gardens are going to become immensely more valuable in B2B marketing to continue to retain your targeting.”
Neveau goes on to say, “The downside about this is that LinkedIn knows where you work because you’ve told them so they can say, ‘hey, this account has seen your ad X and Y amount of times.’ Facebook or Quora does not. You can still target individuals there, but you can’t report in an ABM fashion. That’ll be quite scary soon because that is one of the metrics that a lot of these ABM platforms report, penetration on these accounts.
So we shouldn’t set up our marketing to drive clicks and impressions, we shouldn’t be reporting on an account-based lift, because it’s not in our favour, it’s only going to get worse. So instead, we want to say, ‘we’ve gotten impressions and clicks in front of these accounts, go ahead and send that to your sales team,’ but don’t hang your hat on that metric. There are holes in those numbers that you could drive a bus through. Use it as a leading indicator, but you should be rolling out, ‘we drove this many qualified inbound requests, we now have a first-party relationship with that user 100%.’”
- When buying data, have open conversations with your provider about where it’s coming from.
- Data privacy and compliance are good for everyone. For providers, it improves data quality and holds everyone accountable to the metrics that matter.
- Compliance at all stages matters. It’s not just about how to acquire data, it’s about using it in compliant ways.
- GDPR and other privacy regulations aren’t going anywhere. Figuring out a compliant strategy now and staying adaptable as regulations evolve is the key to success.