GDPR - Email prospection is dead?

Cedric Brun
Hi everyone,

I watched yesterday the Webinar 'Maximizing Marketing Success in the Era of the GDPR' and I had a questions that have not been taken during the event:

As EU company, are we allowed to keep sending prospecting emails to a contact database we've built on our own?
How Sales representative can contact prospects in that case via email?

That said, the webinar was very interesting, I recommend people to give it a watch to get prepared.

Thank you for your answers,



------------------------------
Cedric Brun
Head of Marketing & Lead Generation, Web Geo Services - Google Cloud Premier Partner
------------------------------
0

Comments

3 comments

  • Comment author
    Sandrine Duriaud
    Hi Cédric, 

    You can send emails to your database if you have the consent from each contact - with a time stamp. Otherwise you can just delete them. The best way is probably to collect their consent before May 25th. 
    As for sales prospection, that's one of the gray area. As long as the service we promote is in line with the job role of the contact, we understand that it's OK to send direct email, i.e. promoting IT services to a CIO or IT director should be OK. 

    Regards,

    ------------------------------
    Sandrine Duriaud-Leysens
    Marketing and Communication Manager, Southern Europe & UK, Global Cloud Xchange
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: 04-17-2018 09:40
    From: Cedric Brun
    Subject: GDPR - Email prospection is dead?

    Hi everyone,

    I watched yesterday the Webinar 'Maximizing Marketing Success in the Era of the GDPR' and I had a questions that have not been taken during the event:

    As EU company, are we allowed to keep sending prospecting emails to a contact database we've built on our own?
    How Sales representative can contact prospects in that case via email?

    That said, the webinar was very interesting, I recommend people to give it a watch to get prepared.

    Thank you for your answers,



    ------------------------------
    Cedric Brun
    Head of Marketing & Lead Generation, Web Geo Services - Google Cloud Premier Partner
    ------------------------------
    0
  • Comment author
    Sion Stedman
    Hi @Cédric Brun

    Like Act-On said themselves in the webinar, I am not a legal expert and you will need to take your own guidance as to what will work best for you, and what your company interprets as compliance with the law. But that said, I do have some things to share about my company's approach.

    • In the first instance, we always look to work on consent as our legal basis for marketing to contacts. We have created a communications preference management process, which you can read about in detail here. This process sits alongside our 'campaigns' and is the means by which we get people to consent to receive future marketing communications beyond the lifespan of any specific campaign. The list that these contacts are collected in serves as our 'master' consent list and enables us to communicate with people on a longer-term basis. All of our Act-On forms will record how the person consented, what they consented to, and when they consented.
    • Ahead of the GDPR taking effect, I have proposed to my marketing manager colleagues that they run a campaign to promote to existing contacts the benefits of opting in to receive marketing communications. We would then have a record of those who have opted in together in our 'master' consent list, which can feed automated programs to update other Act-On lists as necessary. This way, colleagues can get as many contacts as possible explicitly double opted in, and opted in to receive marketing communications (as required by the legislation).
    • In the summer we will have a tidy-up to remove from Act-On all individuals whose details we do not have consent to contact or hold for marketing purposes. We plan to do such a cleansing exercise every nine months thereafter.
    • Alongside these Act-On activities, we are updating the company Data Protection Policy, Privacy Policy and Cookie Policy. We will also have a specific Marketing Data Protection Policy which sets out the processes and policy that marketing colleagues are expected to adhere to.

    My biggest concern about the entire project is that of gaining consent from existing contacts. Elements of the four pieces of legislation we are following (the GDPR/the Data Protection Act/the PECR/the ePrivacy Regulation) are yet to be finalised. This means that we have no choice but to carry out our re-consent exercise based on a 'best guess' interpretation of legislation as it stands.

    And so, regarding existing contacts for whom you may not have GDPR-compliant evidence of their consent: remember that legitimate interest remains an option for marketers. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

    Where you are relying on legitimate interest as your legal basis for marketing, however, you are required to carry out a Legitimate Interest Assessment (LIA) and would be wise to document it. It isn't as simple as thinking 'this is reasonable; it is legitimate'. The existence of a legitimate interest would need careful consideration, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.

    An LIA comprises a 3-stage test:

    1. Identify a Legitimate Interest.
    2. Carry out a Necessity Test – consider whether the processing of Personal Data is 'necessary' for the pursuit of your commercial or business objectives.
    3. Carry out a Balancing Test – you can only rely on a genuine Legitimate Interest where the rights and freedoms of the individual whose Personal Data will be processed have been evaluated AND these interests do not override the Controllers' Legitimate Interest.
    Accordingly, we have created a plain-language version of an LIA form to use for Sales campaigns, which asks the following questions:

    Before you contact a person or persons by email for the first time to talk about a product or service, you must think carefully about the following:

    1. How you found their contact information. Was the information presented in such a way as to invite contact from Sales staff?
    2. Fair use. Would the person(s) expect to be contacted about work matters at the email address provided?
    3. Identify the relevance of your message to the person(s). Does the person's place of work, job title and job role match that of a typical user of the product or service you will be promoting to them?
    4. In your email, do you explain your reason for contacting the person(s)?
    5. In your email, do you allow the person(s) to opt out of future communications?
    If you are not able to answer 'Yes' to all of the above, the person(s) should not be contacted.

    The Sales/Marketing teams will then keep a copy of this form on file, to serve as our evidence that we have given the campaign due consideration from a data protection perspective.

    The ICO's website has detailed guidance on legitimate interest and the Data Protection Network has also published guidance that includes an example LIA template. A further note: if you are considering relying on legitimate interest for the processing of existing customer data, to comply with the GDPR, you should notify individuals of this. In practice, this means putting in the footer of the email the reason why you are contacting the person(s).

    In due course, there will be another piece of EU-wide legislation that will sit alongside the GDPR: the ePrivacy Regulation. The ePrivacy Regulation as it is currently worded would require B2B marketing to use consent as a legal ground for electronic channels, just like B2C marketing at the moment. All companies should follow developments with the ePrivacy Regulation to see if legitimate interest will remain a legal basis for marketing. In the meantime, it makes sense to – as much as you can – put in place practices based on consent.

    Ultimately, 2018 will see the biggest change in data protection and privacy for two decades and will have a global impact on companies of all sizes; public sector and government organisations, charities, professional bodies and associations. The GDPR is setting the tone for data protection and although the enforcement date is 25 May 2018, the regulators accept that many organisations will struggle to fully compliant by then. It follows that if you're not 100% compliant, it's important that you can demonstrate to regulators that reasonable steps are being taken. We believe the sum of the above actions will help us in the event that we are asked to demonstrate compliance.


    ------------------------------
    Sion Stedman
    Idox Software Ltd
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: 04-17-2018 09:40
    From: Cedric Brun
    Subject: GDPR - Email prospection is dead?

    Hi everyone,

    I watched yesterday the Webinar 'Maximizing Marketing Success in the Era of the GDPR' and I had a questions that have not been taken during the event:

    As EU company, are we allowed to keep sending prospecting emails to a contact database we've built on our own?
    How Sales representative can contact prospects in that case via email?

    That said, the webinar was very interesting, I recommend people to give it a watch to get prepared.

    Thank you for your answers,



    ------------------------------
    Cedric Brun
    Head of Marketing & Lead Generation, Web Geo Services - Google Cloud Premier Partner
    ------------------------------
    0
  • Comment author
    Cedric Brun
    Hi @Sion Stedman

    What an answer! Thank you so much for this.
    I understand that emailing is not dead yet, but more the way we get the contact details which is still an issue to me as most of the contacts we have don't come from a form submission, at least for the moment as we are redesigning our digital strategy and our website will be more inbound friendly than we do today.

    Have a great day.

    Cheers


    ------------------------------
    Cedric Brun
    Head of Marketing & Lead Generation
    Web Geo Services - Google Cloud Premier Partner
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: 04-17-2018 10:58
    From: Sion Stedman
    Subject: GDPR - Email prospection is dead?

    Hi @Cedric Brun

    Like Act-On said themselves in the webinar, I am not a legal expert and you will need to take your own guidance as to what will work best for you, and what your company interprets as compliance with the law. But that said, I do have some things to share about my company's approach.

    • In the first instance, we always look to work on consent as our legal basis for marketing to contacts. We have created a communications preference management process, which you can read about in detail here. This process sits alongside our 'campaigns' and is the means by which we get people to consent to receive future marketing communications beyond the lifespan of any specific campaign. The list that these contacts are collected in serves as our 'master' consent list and enables us to communicate with people on a longer-term basis. All of our Act-On forms will record how the person consented, what they consented to, and when they consented.
    • Ahead of the GDPR taking effect, I have proposed to my marketing manager colleagues that they run a campaign to promote to existing contacts the benefits of opting in to receive marketing communications. We would then have a record of those who have opted in together in our 'master' consent list, which can feed automated programs to update other Act-On lists as necessary. This way, colleagues can get as many contacts as possible explicitly double opted in, and opted in to receive marketing communications (as required by the legislation).
    • In the summer we will have a tidy-up to remove from Act-On all individuals whose details we do not have consent to contact or hold for marketing purposes. We plan to do such a cleansing exercise every nine months thereafter.
    • Alongside these Act-On activities, we are updating the company Data Protection Policy, Privacy Policy and Cookie Policy. We will also have a specific Marketing Data Protection Policy which sets out the processes and policy that marketing colleagues are expected to adhere to.
    My biggest concern about the entire project is that of gaining consent from existing contacts. Elements of the four pieces of legislation we are following (the GDPR/the Data Protection Act/the PECR/the ePrivacy Regulation) are yet to be finalised. This means that we have no choice but to carry out our re-consent exercise based on a 'best guess' interpretation of legislation as it stands.

    And so, regarding existing contacts for whom you may not have GDPR-compliant evidence of their consent: remember that legitimate interest remains an option for marketers. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

    Where you are relying on legitimate interest as your legal basis for marketing, however, you are required to carry out an assessment (LIA) and would be wise to document it. It isn't as simple as thinking 'this is reasonable; it is legitimate'. The existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.

    An LIA comprises a 3-stage test:

    1. Identify a Legitimate Interest.
    2. Carry out a Necessity Test – consider whether the processing of Personal Data is 'necessary' for the pursuit of your commercial or business objectives.
    3. Carry out a Balancing Test – you can only rely on a genuine Legitimate Interest where the rights and freedoms of the individual whose Personal Data will be processed have been evaluated AND these interests do not override the Controllers' Legitimate Interest.
    Accordingly, we have created a plain-language version of an LIA form to use for Sales campaigns, which asks the following questions:

    Before you contact a person or persons by email for the first time to talk about a product or service, you must think carefully about the following:

    1. How you found their contact information. Was the information presented in such a way as to invite contact from Sales staff?
    2. Fair use. Would the person(s) expect to be contacted about work matters at the email address provided?
    3. Identify the relevance of your message to the person(s). Does the person's place of work, job title and job role match that of a typical user of the product or service you will be promoting to them?
    4. In your email, do you explain your reason for contacting the person(s)?
    5. In your email, do you allow the person(s) to opt out of future communications?
    If you are not able to answer 'Yes' to all of the above, the person(s) should not be contacted.

    The Sales/Marketing teams will then keep a copy of this form on file, to serve as our evidence that we have given the campaign due consideration from a data protection perspective.

    The ICO's website has detailed guidance on legitimate interest and the Data Protection Network has also published guidance that includes an example LIA template. A further note: if you are considering relying on legitimate interest for the processing of existing customer data, to comply with the GDPR, you should notify individuals of this. In practice, this means putting in the footer of the email the reason why you are contacting the person(s).

    In due course, there will be another piece of EU-wide legislation that will sit alongside the GDPR: the ePrivacy Regulation. The ePrivacy Regulation as it is currently worded would require B2B marketing to use consent as a legal ground for electronic channels, just like B2C marketing at the moment. All companies should follow developments with the ePrivacy Regulation to see if legitimate interest will remain a legal basis for marketing. In the meantime, it makes sense to – as much as you can – put in place practices based on consent.

    Ultimately, 2018 will see the biggest change in data protection and privacy for two decades and will have a global impact on companies of all sizes; public sector and government organisations, charities, professional bodies and associations. The GDPR is setting the tone for data protection and although the enforcement date is 25 May 2018, the regulators accept that many organisations will struggle to fully compliant by then. It follows that if you're not 100% compliant, it's important that you can demonstrate to regulators that reasonable steps are being taken. We believe the sum of the above actions will help us in the event that we are asked to demonstrate compliance.


    ------------------------------
    Sion Stedman
    Idox Software Ltd
    ------------------------------

    Original Message:
    Sent: 04-17-2018 09:40
    From: Cedric Brun
    Subject: GDPR - Email prospection is dead?

    Hi everyone,

    I watched yesterday the Webinar 'Maximizing Marketing Success in the Era of the GDPR' and I had a questions that have not been taken during the event:

    As EU company, are we allowed to keep sending prospecting emails to a contact database we've built on our own?
    How Sales representative can contact prospects in that case via email?

    That said, the webinar was very interesting, I recommend people to give it a watch to get prepared.

    Thank you for your answers,



    ------------------------------
    Cedric Brun
    Head of Marketing & Lead Generation, Web Geo Services - Google Cloud Premier Partner
    ------------------------------
    0

Please sign in to leave a comment.