The General Data Protection Regulation (GDPR) will be enforced from May 2018 and looks set to transform the way every business collects and stores personal data.
There are very few – if any – modern businesses that don’t store some form of customer data. In order to generate new business, leads need to be generated, and from May this year (2018), your organisation will be placed under even greater scrutiny about the way it does so.
If you haven’t already, you’ll need to put robust lead qualification techniques and checks in place in order to become compliant with the GDPR.
In this post, we’re going to list twelve things you need to know if you’re to ensure your lead generation techniques are GDPR ready!
1. You need to be clear on intent
Under the GDPR, personal data is defined as being information that can be used to identify an individual, be it about their professional, public or private life.
This means if you intend to collect the name, home address, email address or medical information belonging to someone, you need to be clear in all communication exactly why you’re doing so.
2. People have the right to control their personal data
Ok, so you’re storing the personal data of your clients on a web server deep underground somewhere, but that doesn’t mean the owners of said data can’t access it.
Under GDPR rules, you’re duty bound to allow owners of personal data to control it, by finding out what you intend to do with it, gaining confirmation of what you’re storing and requesting deletion.
3. It needs to be exportable
The personal data you store needs to be encrypted, but it also needs to be exportable, should there be a requirement (issued by either the owner or law enforcement) to transfer it into a readable file.
4. You need to be crystal clear on sign-up forms
If part of your lead generation process includes a sign-up form on your website whereby interested parties can send you their details in order to receive communications from your marketing team, you need to dispense with any vague or ambiguous small print.
Instead, it needs to be made abundantly clear what type of data you’re collecting and how it might be processed. As Article 12 of the standard states, you need to provide an “easily visible, intelligible and clearly legible … and meaningful overview of the intended processing”.
5. You’ll need to appoint a data protection officer (DPO)
Once the GDPR regulation comes into effect (although, ideally, beforehand), you’ll need to appoint a DPO.
The DPO’s tasks are varied, but they’re principally required to be a point of contact for the public in order to provide data on request (although they may also need to deal with the relevant authorities should there be a data breach).
6. The ‘right to be forgotten’
Under the GDPR, every owner of personal data has the right to be forgotten. That means if you currently store the details of a potential customer and they decide they’d rather not be within your database, you’re duty bound to remove them upon request, unless you have a lawful reason to keep their details on file (e.g. account and invoice details need to be kept for up to 6 years).
For our final six GDPR-ready things you need to know, we’re going to focus on consent, as this is a primary function of gaining new leads.
Under the General Data Protection Regulation, there are six lawful bases under which you can legitimately request to store the personal data of an individual:
7. Legitimate interests
This is the most flexible basis on which you can process personal data and particularly useful for lead generation.
With legitimate interest, you can collect, store and process personal data providing there’s a good reason to do so; for instance, if a person’s age determines which product type is most suitable for them.
8. A specific purpose
Under GDPR rules, people need to positively opt-in for their personal data to be stored and used. This means you may need to provide several options when signing up that are linked to a specific purpose.
For example, in order for a new lead to be contacted via telephone, you clearly need their number. Equally, if you’re offering a service for children, parental consent (and therefore their own personal details) will be required.
9. Contractual necessity
Sometimes, you need specific personal data from a customer in order for a contract obligation to be met.
Thankfully, this option covers you even if a contract isn’t in place, which is particularly useful for the sales process. For example, if you need someone’s home address in order to produce and send a hard-copy quotation, there’s a contractual necessity to obtain that data.
10. Legal obligation
There might be a statutory obligation or common law that forces you to process certain types of personal data.
Just bear in mind that if you can reasonably comply with the law during the sales process without processing that personal data, this basis doesn’t apply.
If you decide to ask for the data on a lawful basis, you’ll need to document and justify your decision to do so and the reasoning behind it.
11. Protection of vital interests
If the service you provide relates to the protection of someone’s life (the most obvious examples being insurance or medical care), your business will likely have to collect personal details of leads in order to protect their interests.
12. Public interest
Although unlikely to be relevant to many sales processes, there will be a lawful basis under the GDPR where personal data can be collected if it is within the public interest to do so.
Equally, if your sales process requires your team to perform a function that has a clear basis in law, you can legitimately ask for personal data on the basis of official duty.
The fines for GDPR non-compliance are steep (from €10 million or 2% of annual revenue, to an upper limit of €20 million or 4% of annual revenue). For that reason, you need to be informed, plan well and start putting into action the elements above that impact your sales lead process.
Do you need GDPR-ready lead generation? Talk to Pelham Heath today!