Would a financial penalty equal to 4% of your annual turnover hurt your business? Do you ever collect information about any individuals who live in or are citizens of the EU? If you answer “yes” to both questions, then you need to understand the new GDPR regulation.
The regulation covers all personal information collected on any EU citizen by any company, whether it operates in the EU or not. Penalties are steep for non-compliance, and every marketing and sales organization in the world that does any business in the EU is going to be impacted. You can’t afford not to know the information I’m about to share, which includes:
GDPR stands for General Data Protection Regulation. It’s a new European privacy regulation that replaces the current EU Data Protection Directive as of May 25, 2018. The purpose of the GDPR is to strengthen the privacy rights of EU individuals, and it places higher demands on how companies manage and protect personal information used in their business.
Many of the provisions of the GDPR are similar to those of previous regulations, but there are some significant changes you need to be aware of. Those fall under three key areas:
Consent
GDPR rules strengthen regulations around how, when, and why you can collect and save information about individuals, and their rights in determining what information they allow you to continue to maintain. At a high level this means you must:
Geographic scope
The GDPR expands the geographic scope of previous regulations. The expansion means that any company anywhere in the world can be impacted by the regulation. Specifically, the regulation applies if you:
I cannot stress this enough: you do not have to be based in the EU to be impacted by the regulation. No one knows yet just how this will be enforced, but it’s clear that the EU intends to protect its citizens’ privacy regardless of where the company is based.
The penalties for non-compliance are one of the most aggressive changes under the GDPR. Consequences have increased significantly. For each instance of non-compliance, companies can be fined up to:
The fine is equal to whichever number is the greater number. This signals that the EU is not messing around.
In effect, the penalty has the potential to put a company out of business. This is why you may be noticing a massive movement among software companies, partnerships, and integrations to grapple with this issue.
The good news is that with some best practices and careful attention, you can avoid the big scary monsters and continue operating effectively in the post-GDPR world.
The GDPR strengthens privacy rights for individuals by giving them more control over how companies handle their private information. The definition of private information is broad and covers:
Any company that collects, stores, uses, or otherwise handles any private information must understand the provisions of the GDPR including legitimate need, breach notifications, right to access, right to be forgotten, data portability, and privacy by design.
Legitimate need
You have the right to collect personal information about individuals only if you can justify a legitimate business need to do so. So, for instance, as a sales organization, you can justify a legitimate need to collect names, addresses, job titles, contact information, and meeting notes, to name a few examples.
However, if you capture information that falls into a “sensitive information” category, you must be able to justify it at a much higher and more detailed level. Sensitive information includes biometric data, genetic data, political opinions, membership in unions, race, religious and philosophical beliefs, sexual orientation, and medical data, to name a few. This list is by no means exhaustive, and we recommend you consult with an attorney for more information.
This means that you must institute internal policies to handle situations that may touch on sensitive data, such as when a contact tells you they are on sick leave. This is considered medical data, and under the GDPR a sales organization will likely not have a legitimate need to record it. Your salespeople must therefore be trained not to enter that data into meeting notes.
Breach notifications
You must be prepared to notify all affected parties immediately in the event of a data breach, including what personal information of theirs was compromised by the breach.
Right to access
Under the GDPR, people have the right to see all information you have saved about them. Within a reasonable time frame of a request, you must be ready to deliver that information to them in a legible and understandable format.
Right to be forgotten
The GDPR continues the previous regulation’s right to be forgotten, which means that individuals have the right to request that you permanently remove all information you have recorded about them. The GDPR strengthens this right by requiring you to maintain a paper audit trail and prove that you have complied with the request.
Data portability
You must be able to provide all of an individual’s personal information to them in a format they can open and reuse in other systems. Excel, comma-delimited, and plain text files are examples of portable formats.
Privacy by design
The GDPR strengthens the requirement that companies take privacy seriously and design their systems thoroughly to keep information safe.
The key point you need to consider for compliance is maintaining the appropriate balance between consent and business need. Ultimately, the change is not that big and scary if you simply keep these two points in mind.
As a sales organization, you have a justifiable business need to collect information on people who interact with your team or have otherwise given you consent, such as via a form on your website. However, you must also balance that with the types of information you collect and the length of time you keep information.
In order to do this, it’s a good idea to pay attention to two key features of the way you work with private information:
First, at Membrain we’ve segmented our information into three main categories, based on how long we need to keep information about an individual. In one category are individuals we’ve had minimal contact with. We delete information on these individuals quickly once we determine we no longer need it.
In another category are individuals we’ve interacted with extensively but who are not customers. We keep this information for longer than the previous category, but not as long as the last category.
In the final category are individuals with whom we do or have done business. This information we can justify as critical to our business functioning almost indefinitely, as long as there is a continuing relationship with those individuals.
Secondly, and very importantly, we’ve set up routines and training programs to ensure that everyone in our organization collects and manages information in a compliant manner.
Inside our software, we have updated some of our functions to make it easy for you to manage information inside our system in a compliant manner. We’ve done this in two key ways:
Easy to manage information
We’ve made it easy to collect and export all information on an individual that is contained inside our system to a compliant format with just a few clicks. Keep in mind that you will need similar functionality in all of your software platforms, as Membrain will likely not be the only place you maintain information. For instance, email, Slack, and other applications will also contain customer information.
Ability to delete permanently
Previously, Membrain had an “archive” function for individual information, which removed the information from your workflow but made it possible to recover it when desired. This function remains in Membrain, but we’ve now added a “delete permanently” option. When you delete permanently, all of the affected information disappears from your system for good. Neither you nor we will be able to retrieve that information. This is necessary to comply with the “right to be forgotten” portion of the GDPR.
We hope this overview of the GDPR is helpful to you. Keep in mind that we are not attorneys and that this information is provided only as a general overview, and not an authoritative source of definitive information. We recommend that you consult with your attorney to ensure full compliance.
If you’d like more information about the GDPR and how we’re helping you maintain compliance, see our webinar, or contact us today. If you would like to suggest features to further simplify your GDPR compliance efforts, please let us know!
Henrik Öquist is COO for Membrain, the #1 sales effectiveness software for complex B2B sales. He is a father of three, a former game developer, and dedicated to giving sales organizations better tools to achieve consistent sales performance. Henrik has helped companies from start-ups to large enterprises develop and operationalize sales processes and use technology to make it easier to execute their sales strategy.
Find out more about Henrik Öquist on LinkedIn