Data Privacy: How to Sell Without Breaking the Law

It is important to know what you can and can’t when marketing to prospective customers.

After an on-going and escalating series of high-profile data breaches over the last decade, many governments around the world have given up waiting for businesses to take action. Hence why we are seeing increasing legislation around data privacy policies—Canada’s Anti Spam Law (CASL), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA) to name a few.

How do these regulations impact an organization’s ability to market and sell their products and services to buyers?

Clearly, businesses not in compliance with state or regional legislation like CCPA or GDPR need to adjust the way they obtain, use, and store data to mitigate the risks of facing punitive actions including hefty fines and class-action lawsuits. But the reality is this is only the beginning … more legislation is coming so all businesses need to rethink their customer acquisition strategy and the key role data plays in this strategy.

For many companies who rely heavily on demand generation to drive inbound leads as their core marketing initiative, this is especially painful. These organizations will need to retool and invest in different outreach strategies to acquire customer data and get their permission to engage.

Below is a summary of four key components sales and marketing teams need to address in this brave new data world.

1. Data Ownership

First and foremost, the wave of new privacy regulation forces businesses to rethink how they acquire data, whom the data belongs to, and perhaps most importantly, who has the rights to that data.

Before GDPR companies treated amassed personal data as opt-in and theirs to do with as they pleased—to buy and sell as they saw fit with no say by the person from whom the data was collected. If data breaches occurred, companies might wait months before revealing the breach (if they ever did, that is) and the consequences to the people affected usually outweighed the impact on the company.

Now, however, companies are being held responsible for the data they hold. They must safeguard this data, keep track of where it goes. Now, and most importantly, the prospect has a great deal of authority in what happens with their data. What does this mean? Be respectful of how you use it and what you do with it.

2. Emails

The days of sending out mass emails to everyone on your list has come and gone. Under GDPR and CASL, companies are no longer able to send emails without the consent of the receiving party. Also, opt-ins will be replacing opt-outs where there isn’t a currently existing business relationship.

Inbound data also needs to be handled differently than before. Let’s say you attend an event and leave with a business card from someone you met. Before GDPR, you might have added this person’s contact information to your database and included them in the next mass email. That isn’t allowed with these new regulations. You can, however, call the prospect to engage in conversation or send an introductory email and offer content suggestions you think they might find helpful and ask if you can send that information along.

3. Data Deletion Requests

This goes back to the ownership of the data—and simply put, it needs to be honored. Many businesses have been treating personal data as permanent and when asked to remove someone from a list (or from their database), companies have typically just noted the contact as “Not Interested” but might still include them in their next campaign.

Not only will companies need to delete personal data when requested, but they will also need a way to delete duplications (“dedupe”) against fresh data imports unless the person opted-in for potential follow up (e.g., through a marketing event).

This is the rule of law but the real strategy here for sales and marketers is to stay relevant, be respectful and not oversaturate your prospects so you don’t get “deletion” requests in the first place. Again, we have seen too many clients rely on blasting marketing emails to prospects with all of their great content. The problem is they are not updating or managing their data as a strategic asset—adding buyer persona or job level information so you are communicating the right message to the right target at the right time.

4. Data Transmission

List data in your organization was probably transmitted in an unsecured spreadsheet format attached to an email. If the email was intercepted or a server was hacked, there was nothing protecting the data from an unintended party. As I’ve mentioned before, in this post-GDPR, CASL, CCPA world businesses are now responsible for data security and protection. With that, two ways to ensure more secure data transmission include:

  • Password protecting data—set a password to open files so if the data is intercepted in transit, or is accessed by an unauthorized employee, it’s not easily accessible.

  • Encrypting data—use a virtual private network (VPN) or other method of providing secure transmission of data, not just within a company, but between companies.

This doesn’t mean you need to completely change how you transfer lists in your organization. For example, if all lists are put into a shared Google Drive folder in your organization, you are still able to do that—you just need to restrict access to those files so only those with approved access are able to see it.

Final Thoughts

Sales, and specifically sales development, has without a doubt been impacted by GDPR and other new data privacy acts. But, are the changes really that drastic for all companies?

Even if the majority of the people you target are in unaffected regions, you still need to be cautious of prospects in areas where these data privacy acts are prevalent. To recap, a few changes you can make in your sales and marketing efforts to appease these regulations include:

  • Instead of sending an introductory email to a cold list like you might have done previously, you must now call the prospect and get consent to send them more information.

  • You must delete data entirely if you’re asked (although we all hope it never comes to that).

  • Adjust the way you transmit data in your organization to avoid risks or confusion on how, when, and where the data was generated

These data privacy regulations do make some aspects of sales development a little tougher and lengthier, but overall these changes are good. People should be in charge of their personal data and these regulations are put in place to make sure that happens. Although this means that on the sales development side a few extra steps need to be taken once in a while, it could also lead to better results since the people you are contacting have a choice in whether or not they want to be contacted by you.

Casey O'Leary