Amplion is Committed to GDPR
Privacy and Data Protection
Amplion is a data processor, and we believe our customers are also data processors. With that in mind, many of our customers have asked how they should prepare their data, and how Amplion has prepared, as well. This brief primer provides practical tips to help sales and marketing teams navigate this regulation while leveraging a sales and marketing intelligence solution like Amplion.
Does GDPR Apply To Me?
The first question you need to ask is whether – and to what extent – the GDPR applies to you. The GDPR applies to your processing of personal data if: your company is “established” within the EU, you are processing data on persons in the EU to whom you are offering goods or services, or you are “monitoring” the behavior of individuals in the EU.
SO, GDPR APPLIES, WHAT SHOULD I DO?
Assuming GDPR applies to you, to process personal data, you need a lawful basis to do so. There are six different lawful ways to process personal data under the GDPR: (a) consent of the data subject; (b) performance of a contract to which the data subject is party; (c) compliance with a legal obligation of the controller; (d) protection of the vital interests of the data subject or of another person; (e) performance of a task carried out in the public interest or official authority; (f) for purposes of the “legitimate interests” pursued by the controller or by a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject.
For the remainder of this document, we are going to focus on legitimate interests and consent as we believe our clients will most often fall into one of these lawful bases.
DIRECT MARKETING IS A LEGITIMATE INTEREST
One myth about the GDPR is that consent is the ONLY way to lawfully process personal information on EU subjects. While consent is one basis for lawful processing, it is not the only one. Most of our customers will process under the “legitimate interest” basis, which includes direct marketing purposes. “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” (GDPR Art. 6(1)(f), Recital (47)) In that case, you do not need to obtain consent, but you do still need to provide the person with a notice that you have their data.
The good thing is that you are allowed to provide the notice the first time you communicate with the person (but no later than one month from when you obtained the data). So, if you obtain a list for email marketing, you can include the notice with your first message.
Consent requires you to get the data directly from the data subject. Perhaps a prospect provided their information when visiting your website. In order to use that data, you need to make sure the consent is clear and unambiguous. You also need to provide certain information at the time you obtain the consent, including (1) who you are, (2) the purposes for which you will use the data, (3) who you will be transferring it to (if anyone), (4) if you are in the EU and intend to transfer it out of the EU, the countries where you intend to transfer it and the existence or absence of an adequacy decision by the European Commission with regard to the safeguards such countries have in place for the protection of personal data, (5) how long you intend to keep it, (6) the person’s right to correct the data or have it erased and to withdraw their consent, (7) the right to lodge a complaint with the supervising authority, and (8) whether you are using any automated decision-making or profiling.
RIGHTS OF THE DATA SUBJECTS
Whenever you are processing someone’s data, they have certain rights under GDPR. They always have the right to ask you what data you have on them, and for the other information that’s required in the above-mentioned notices. They also have the right to make you correct the data if it is wrong, or delete it or object to processing. If you have transferred it to anyone else and the person requests deletion, you also need to tell whomever you transferred it to that the data subject requested deletion.
You are also required to implement “appropriate technical and organizational measures” to ensure you are complying with GDPR, including appropriate compliance policies. These measures may take into account what is appropriate given the nature of the data and the purpose for which it is processed. The regulation as a whole seems clear that processing business contact information for B2B marketing does not require procedures that are as stringent as those that would need to be in place for processing, for example, sensitive health information.
You also need to maintain records of compliance, which include maintaining much of the information already discussed with respect to particular data. However, you are not required to maintain these records if your organization has fewer than 250 employees.
If there is a data breach, GDPR imposes notification requirements, both to the data subjects and to the supervisory authorities. However, notification is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” If we are talking strictly about business contact information, we think a breach notification may not be required.
The GDPR is very extensive and very complicated. We have tried to summarize a few key areas, but we cannot explain the entire regulation here. This guidance is intended to apply to your use of business contact information for your own B2B marketing purposes. Other uses and other kinds of data may impose significant additional obligations. As always, you should consult with an attorney for a full analysis of your rights and obligations under applicable law.
I’m In Sales and/or Marketing. What are Some Best Practices for My Data Protection Approach?
Data is essential to prospecting. Although there are new regulations, data management should already be a part of your sales and marketing operations. GDPR should be seen as an opportunity to implement better data management practices, which will also help establish and maintain trust with your customers.
If you are just getting started, here are some key best practices to consider.
ESTABLISH A DATA MANAGEMENT TEAM
A data management team should consist of the core stakeholders who are impacted by your company’s use of data. The team should be established to focus on maintaining the integrity and protection of your prospect database.
EVALUATE YOUR CURRENT DATA PRACTICES
The data management team's first task is to evaluate:
- What data do we collect and store, and what is its nature (what data points do we have)?
- How/when do we collect various types of data (i.e. through websites, trade shows, third-party data providers)?
- Where is data stored, and how does it move through our organization?
- Who has access?
- What security measures do we have in place with regard to the data?
UNDERSTAND THE DATA PROTECTION PRACTICES OF YOUR SALES & MARKETING SYSTEMS
If you use Marketing Automation and/or CRM software, you should understand what your chosen vendor is doing to protect your prospect and customer data, including access controls, regulatory compliance, and information and application security processes and tools. In addition, explore existing functionality that may be helpful in preserving your data. This may include roles and permissions of users, history of user activity and/or data updates, and the ability to enable/disable automatic data capture. Documenting the flow of data throughout your systems may be necessary to visualize what and who has access.
UNDERSTAND THE NATURE OF THE DATA
It is important to be aware of the type of data that is being collected and stored within your database. Processing sensitive information, versus simply business contact information, carries with it additional obligations. Sensitive information includes:
- Government ID and financial account numbers
- Health, genetic, and biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation or preferences
Generally speaking, B2B sales and marketing does not require processing sensitive personal information; however, if you do possess any of the foregoing types of data on your prospects, keep in mind that your legal obligations to obtain consent and to protect the security of that data are much, much higher under the GDPR and other laws.
MAINTAIN DATA ON YOUR DATA
Part of complying with data protection obligations is showing that you understand where your data comes from, how it is maintained, and the legal justification for processing it (discussed below). This means you need to consider tracking additional data points on your prospecting records. For example, Lead Source may already be a value tracked within your database. Depending on the number of data sources feeding an individual contact record, you may need to expand this out to account for additional sources of data. In addition, it should be noted when and how data was obtained (i.e. via form fill, badge scans at an event, 3rd party data appending). Most MAT and CRM tools have the ability to timestamp the population or update of individual fields.
IMPLEMENT AN ONGOING DATABASE HEALTH PROGRAM
Once you understand the data you have, how you collect it, and are tracking the appropriate metadata, you should develop clear policies that outline your data practices and your plan for compliance. Your data protection plan should address issues around data gathering, notification requirements (if any) and practices, the purposes for which data will be used, practices for updating data and purging old data, and security practices and procedures.
What Is Amplion Doing To Address Data Protection Regulations?
Amplion is dedicated to GDPR compliance. Amplion continues to process only business contact information for all of our contacts: company, job title, work email address, work phone number, etc. We do not provide sensitive personal information of any kind, e.g. health information, political or religious ideology, internet search history, etc. We simply provide the type of information that is typically found on a business card, an email signature block, or a public professional profile. In fact, most of our data is extracted from publicly available sources such as PubMed, ClinicalTrials.gov and other biomedical evidence sources.
Notice: This is for discussion purposes only. Amplion is not qualified to provide legal advice of any kind and is not an authority on the interpretation of the GDPR or any other rule or regulation. To understand how the GDPR or any other law impacts you or your business, you should seek independent advice of qualified legal counsel.