If you’re reaching out to contacts in Europe, you’ll need to comply with GDPR regulation. In this article we will summarize the things you need to think about as a data controller when reaching out to prospects.
Can I still do outbound sales in the European Union?
If you have explicit consent from the data subjects (prospects) about opting in to receive marketing and sales correspondence the answer is yes.
If you don't have explicit consent from the data subjects, you need to take an extra responsibility to make sure if it would make sense to contact the prospects in the basis of "Legitimate Interest".
Legitimate interest under GDPR refers to any interest that provides a mutual benefit for the parties involved in the processing of data. In order to stay compliant with the "Legitimate interest" clause you should try to identify prospects that could really benefit from your product or service - a good way to guarantee this is by leveraging all the signals and search criteria on amplemarket to identify which companies and people could benefit the most from the problems you are trying to solve.
It also helps to provide data disclosure statements when reaching out to prospects in order to stay compliant with "Legitimate interest". These disclosures can be written at the top of emails, or spoken at the beginning of calls, explaining where a prospect’s data was acquired and why they are being contacted. For instance: "Hi John, I'm reaching out because I saw on LinkedIn that you are attending Dreamforce this week and you're also a Salesforce customer. At CompanyX we help startups with Salesforce setup..."
You sent out an outbound email and someone mentioned that you're not GDPR compliant. How to handle that.
If someone complaints about your sales efforts not being in accordance with GDPR, you should respond within 30 days and explain the reason for the initial outreach and also give the data subject an option to erase all their data from your system.
If you contacted the data subject in the context of "Legitimate Interest" here's something you could say (disclaimer: this response is a suggestion and might need to be adapted based on each individual case):
Thank you for your email, I wanted to address your concerns regarding data privacy in the context GDPR. The outreach was done following as much as possible the guidelines for legitimate interest of the GDPR (Article 21), which contemplates situations in which there might be a mutual benefit for the parties involved in the processing of data.
If you wish to not be contacted again by us, please let us know and we will process your Data Subject Access Request (DSAR) to make sure that all your data is erased from our system and you are not contacted again in the future.
Following this, you should make sure you proceed with erasing all the data on the subject and make sure the person is not contacted again (this can be accomplished in amplemarket by adding the person to the exclusion list)
Note: it might also help to setup on amplemarket the "Hard No" smart action to automatically detect cases in which the prospect asks you to not be contacted again and add the person to the exclusion list.
Additionally, you can also easily provide an opt-out method to your prospects by adding an unsubscribe option to your emails via your Account Settings.
Finally, if you do not want to reach out to European prospects you can use Amplemarket’s searcher and exclude Europe from your search results.
A prospect just made a data subject request (DSAR). How to handle it.
DSAR is a submission by an individual (data subject) to a business asking to know what personal information of theirs has been collected and stored as well as how it is being used. DSARs request need to be responded within 30 days.
- Data subjects may ask for all the data you have on them and how did you get it
- Data subjects may ask to have all their personal data deleted
from your systems
You will need accurate records of each and every instance a prospect’s data has been used, even if they consented to receive communications from your company in order for you to communicate that to the data subject and erase it if needed.
If the data came from amplemarket you can send the following email to the data subject:
"Your contact data was obtained using a software called amplemarket (www.amplemarket.com)
Amplemarket has collected data from the publicly available source: LinkedIn. Amplemarket has the following data: your first name, your last name, your job title and the name of your employer. Further, Amplemarket has been able to guess your email by trying a combination of your name and using the domain of your employer.
If you wish to know more about your data in the context of amplemarket please contact: email@example.com
Once again I’m very sorry about any inconvenience this may have caused you."