What GDPR Means for B2B Advertising Sales Professionals
The article explains how the GDPR, effective May 25th, impacts B2B advertising sales professionals by outlining when the regulation applies—specifically if a company is established in the EU, offers goods or services to individuals in the EU, or monitors their behavior—and provides practical guidance for sales teams to comply with data protection rules while using sales intelligence tools like Winmo.
A Winmo Primer on GDPR and Marketing and Sales Data Protection Best Practices
The upcoming date of May 25th is on the minds of many advertising and media sales professionals: the day the new General Data Protection Regulation (GDPR) goes into effect. Winmo is a data processor, and we believe our customers are also data processors. With that in mind, many of our customers have asked how they should prepare, and how Winmo is preparing as well. This brief primer provides practical tips to help advertising sales teams prepare for and meet the changing regulations while also leveraging a sales intelligence solution like Winmo.
The GDPR deadline is looming. Does the GDPR apply to me?
Scope of the GDPR
The first question you need to ask is whether – and to what extent – the GDPR applies to you.
The GDPR applies to your processing of personal data if (1) your company is “established” within the European Union (EU), (2) you are processing data on persons in the EU to whom you are offering goods or services, or (3) you are “monitoring” the behavior of individuals in the EU. (General Data Protection Regulation, Regulation (EU) 2016/679, April 27, 2016 (“GDPR”), Article 3.)
If you’re established in the EU
“Established” means doing business in the EU through a branch or subsidiary, but the GDPR is clear that it is a substantive definition, not a formalistic one. If you have employees or contractors who work for you in the EU, you will want to analyze this more carefully.
If you’re not established in the EU
If you are not established in the EU, next you need to figure out if you are offering goods or services to data subjects (people whose data you possess) in the EU. The GDPR, based on its plain language, does not apply to B2B marketing under this test, because the offer is to the employer, not the employee. In basic terms, B2B companies are offering goods and services to companies, not the data subjects at those companies – their products and services are for the benefit of the company, not the consumer (data subject). Be cautious. This is a gray area that may require you to seek additional guidance.
If you’re “monitoring” persons in the EU
The GDPR applies to you if you are “monitoring” persons in the EU, which means tracking them on the internet in order to make decisions or predict preferences, behaviors, and attitudes. If you are simply processing business contact data and using it to reach out to prospects, that would not appear to constitute monitoring. But if you are doing something more sophisticated to predict what a particular person does based on their internet activity, you should look at this more closely.
In sum, if you have strictly U.S.-based operations and the extent of your EU data is business contact information for B2B sales and marketing, the GDPR may not apply to you.
Well, GDPR applies to me. What are the next steps? (Lawfulness of Processing)
Assuming GDPR applies to you, in order to process personal data, you need a lawful basis to do so. There are six different lawful ways to process personal data under the GDPR:
- Consent of the data subject
- Performance of a contract to which the data subject is party
- Compliance with a legal obligation of the controller
- Protection of the vital interests of the data subject or of another person
- Performance of a task carried out in the public interest or in the exercise of official authority
- For purposes of the “legitimate interests” pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject
For the remainder of this article, the focus is on legitimate interests and consent, as most clients fall into one of these lawful bases.
1. Direct Marketing as a Legitimate Interest
A common myth about the GDPR is that consent is the only way to lawfully process personal information on EU subjects. While consent is one basis for lawful processing, it is not the only one. Most customers will process under the “legitimate interest” basis, which includes direct marketing purposes. In that case, you do not need to obtain consent, but you do still need to provide the person with a notice that you have their data. That notice needs to include all of the information listed in the section on consent below, plus (1) the fact that you are relying on direct marketing purposes as your legitimate interest and (2) the source of the data.
You are allowed to provide the notice the first time you communicate with the person (but no later than one month from when you obtained the data). So, if you obtain a list for email marketing, you can include the notice with your first message.
2. Consent
Consent requires you to get the data directly from the data subject, for example when a prospect provides their information while visiting your website. To use that data, you need to make sure the consent is clear and unambiguous. You also need to provide certain information at the time you obtain the consent, including:
- Who you are
- The purposes for which you will use the data
- Who you will be transferring it to (if anyone)
- If you are in the EU and intend to transfer it out of the EU, the countries where you intend to transfer it and the existence or absence of an adequacy decision by the European Commission
- How long you intend to keep it
- The person’s right to correct the data or have it erased and to withdraw their consent
- The right to lodge a complaint with the supervising authority
- Whether you are using any automated decision-making or profiling
3. Rights of the Data Subjects
Whenever you are processing someone’s data, they have certain rights under GDPR. They always have the right to ask you what data you have on them, and for the other information that’s required in the above-mentioned notices. They also have the right to make you correct the data if it is wrong, to have it deleted, or to object to processing. If you have transferred it to anyone else and the person requests deletion, you also need to tell whomever you transferred it to that the data subject requested deletion.
4. Compliance Protocols
You are required to implement “appropriate technical and organizational measures” to ensure you are complying with GDPR, including appropriate compliance policies. These measures may take into account what is appropriate given the nature of the data and the purpose for which it is processed. The regulation as a whole seems clear that processing business contact information for B2B marketing does not require procedures as stringent as those for processing sensitive health information.
You also need to maintain records of compliance, which include maintaining much of the information already discussed with respect to particular data. However, you are not required to maintain these records if your organization has fewer than 250 employees.
5. Breach Notifications
If there is a data breach, GDPR imposes notification requirements, both to the data subjects and to the supervisory authorities. However, notification is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” If you are strictly dealing with business contact information, a breach notification may not be required.
6. (Another) Disclaimer
The GDPR is extensive and complicated. This guidance is intended to apply to your use of business contact information for your own B2B sales and marketing purposes. Other uses and other kinds of data may impose significant additional obligations. You should consult with an attorney for a full analysis of your rights and obligations under applicable law.
I’m in Advertising or Marketing Sales, so what should I be thinking about when crafting my general data protection approach?
Data is at the heart of prospecting. Although there are new regulations on the road ahead, data management should already be a part of your sales and marketing operations. The impending GDPR effective date should be seen as an opportunity to implement better data management practices, which will also help establish and maintain trust with your customers.
Here are GDPR best practices (if it applies to you)
If you’re just getting started, here are some key best practices to consider.
1. Establish a Data Management Team
A data management team should consist of the core stakeholders who are impacted by your company’s use of data. The team should be established to focus on maintaining the integrity and protection of your prospect database.
2. Evaluate Your Current Data Practices
The data management team’s first task is to evaluate:
- What data do we collect and store, and what is its nature (what data points do we have)?
- How/when do we collect the various types of data (e.g. through websites, tradeshows, third-party data providers)?
- What are the purposes for which we intend to use the data we collect?
- Where is data stored, and how does it move through our organization?
- Who has access?
- What security measures do we have in place with regard to the data?
3. Understand the Data Protection Practices of Your Sales & Marketing Systems
If you use a Marketing Automation or CRM tool, you should understand what your chosen vendor is doing to protect your prospect and customer data, including access controls, regulatory compliance, and information and application security processes and tools. Explore existing functionality that may be helpful in preserving your data, such as roles and permissions of users, history of user activity and/or data updates, and the ability to enable/disable automatic data capture. Documenting the flow of data throughout your systems may be necessary to visualize what and who has access.
4. Understand the Nature of the Data
It is important to be aware of the type of data that is being collected and stored within your database. Processing sensitive information, versus simply business contact information, carries with it additional obligations. Sensitive information includes:
- Government ID and financial account numbers
- Health, genetic, and biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation or preferences
Generally speaking, B2B sales and marketing does not require processing sensitive personal information; however, if you do possess any of the foregoing types of data on your prospects, keep in mind that your legal obligations to obtain consent and to protect the security of that data are much higher under the GDPR and other laws.
5. Maintain Data on Your Data
Part of complying with data protection obligations is showing that you understand where your data comes from, how it is maintained, and the legal justification for processing it. This means you need to consider tracking additional data points on your prospecting records. For example, Lead Source may already be a value tracked within your database. Depending on the number of data sources feeding an individual contact record, you may need to expand this out to account for additional sources of data. In addition, you should note when and how data was obtained (e.g. via form fill, badge scans at an event, third-party data appending). Most Marketing Automation (MAT) and Customer Relationship Management (CRM) tools have the ability to timestamp the population or update of individual fields.
6. Implement an Ongoing Database Health Program
Once you understand the data you have and how you collect it, and are tracking the appropriate metadata, you should develop clear policies that outline your data practices and your plan for compliance. Your data protection plan should address issues around data gathering, notification requirements (if any) and practices, the purposes for which data will be used, practices for updating data and purging old data, and security practices and procedures.
What is Winmo doing to address data protection regulations?
Winmo is dedicated to GDPR compliance, and has GDPR and privacy experts on the executive team who are working to ensure full compliance with the regulation in data practices. These include U.S.-based General Counsel, U.K.-based Specialty Counsel, and the Vice President of Product & Content.
Winmo will continue to process only business contact information for US and UK contacts: company, job title, work email address, work phone number, etc. Winmo does not provide sensitive personal information of any kind, such as health information, political or religious ideology, internet search history, etc. Only information typically found on a business card, an email signature block, or a public professional profile is provided.
Winmo has also nominated the Vice President of Product & Content to serve as the company’s Data Protection Officer. This person will be responsible for:
- Maintaining comprehensive records of all data processing activities conducted by the company
- Serving as the point of contact between the company and GDPR Supervisory Authorities
- Educating the company and employees on important compliance requirements
- Conducting audits to ensure compliance and address potential issues proactively
- Training staff involved in data processing