
    Are You Ready for GDPR? Here's What You Need to Know


    Would a financial penalty equal to 4% of your annual turnover hurt your business? Do you ever collect information about any individuals who live in or are citizens of the EU? If you answer “yes” to both questions, then you need to understand the new GDPR regulation.

    The regulation covers all personal information collected on any individual in the EU by any company, whether that company operates in the EU or not. Penalties are steep for non-compliance, and every marketing and sales organization in the world that does any business in the EU is going to be impacted. You can’t afford not to know the information I’m about to share, which includes:

    • What the GDPR is
    • The key changes from previous regulations
    • The key rights of individuals under the GDPR
    • What you need to do to comply
    • How we at Membrain are helping you comply

    What is the GDPR?

    GDPR stands for General Data Protection Regulation. It’s a new European privacy regulation that replaces the current EU Data Protection Directive as of May 25, 2018. The purpose of the GDPR is to strengthen the privacy rights of EU individuals, and it places higher demands on how companies manage and protect personal information used in their business.

    What are the key changes from previous regulations?

    Many of the provisions of the GDPR are similar to those of previous regulations, but there are some significant changes you need to be aware of. Those fall under three key areas:

    1. Consent
    2. Geographic scope
    3. Penalties

    Let’s take a look at each one.

    Consent


    GDPR rules strengthen regulations around how, when, and why you can collect and save information about individuals, and their rights in determining what information they allow you to continue to maintain. At a high level this means you must:

    • Understand the information you collect, including why you do it, and what specific information you collect.
    • Communicate to the individual what information you collect, why, and how it helps them and your business. You must do so in a manner that is clear, understandable, and detailed.
    • Offer assurances on how you keep the information safe. You must minimize the risk of breach, and store information only for as long as you absolutely need to.
    • Be able to justify the existence and management of personal information with documented internal records (the GDPR calls these records of processing activities) that an auditor can check.
    • Be prepared to communicate to any individual at any time exactly what information you have about them, and deliver it to them in a portable format.
    • Be prepared to remove all of any individual’s information from all of your systems at any time at their request.

    Geographic scope

    The GDPR expands the geographic scope of previous regulations. The expansion means that any company anywhere in the world can be impacted by the regulation. Specifically, the regulation applies if you:

    • Are based in the EU
    • Do business in the EU
    • Collect information about citizens or residents of the EU

    I can’t overstate this: you do not have to be based in the EU to be impacted by the regulation. No one knows yet just how this will be enforced against companies outside the EU, but it’s clear that the EU intends to protect its citizens’ privacy, regardless of the company’s geographic origin.

    Penalties

    The penalties for non-compliance are one of the most aggressive changes under the GDPR. Consequences have increased significantly. For each instance of non-compliance, companies can be fined up to:

    • 4% of annual global turnover, OR
    • €20 million

    whichever of the two is greater. This signals that the EU is not messing around.

    In effect, the penalty has the potential to put a company out of business. This is why you may be noticing a massive movement among software companies, partnerships, and integrations to grapple with this issue.

    The good news is that with some best practices and careful attention, you can avoid the big scary monsters and continue operating effectively in the post-GDPR world.

    What are the key rights of individuals covered by the GDPR?

    The GDPR strengthens privacy rights for individuals by giving them more control over how companies handle their private information. The definition of personal data (the regulation’s term for private information) is broad and covers: 

    • Names
    • Phone numbers
    • Email addresses
    • IP addresses
    • Photos
    • Physical addresses
    • And anything else that is personally identifiable or can be traced to an individual

    Any company that collects, stores, uses, or otherwise handles any private information must understand the provisions of the GDPR including legitimate need, breach notifications, right to access, right to be forgotten, data portability, and privacy by design.

    Legitimate need

    You have the right to collect personal information about individuals only if you can justify a legitimate business need to do so. So, for instance, as a sales organization, you can justify a legitimate need to collect names, addresses, job titles, contact information, and meeting notes, to name a few examples. 

    However, if you capture information that falls into a “sensitive information” category, you must be able to justify it at a much higher and more detailed level. Sensitive information includes biometric data, genetic data, political opinions, membership in unions, race, religious and philosophical beliefs, sexual orientation, and medical data, to name a few. This list is by no means exhaustive, and we recommend you consult with an attorney for more information.

    This means that you must institute policies internally to handle situations that may touch on sensitive data, such as when a contact communicates that they are on sick leave. This is considered medical data and under the GDPR, as a sales organization, you likely will not have a legitimate need to record that information. Thus, your salespeople must be trained not to enter that data into meeting notes.

    Breach notifications

    You must be prepared to report a data breach to your supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to put individuals at high risk, to notify the affected individuals without undue delay, including what personal information of theirs was compromised by the breach.

    Right to access

    Under the GDPR, people have the right to see all information you have saved on them. Within one month of a request (extendable for complex requests), you must be ready to deliver that information to them in a legible and understandable format.

    Right to be forgotten

    The GDPR continues the previous regulation’s right to be forgotten, which means that individuals have the right to request that you permanently remove all information that you have recorded about them. It strengthens the regulation, requiring you to maintain an audit trail and be able to prove that you have complied with the request.

    Data portability

    You must be able to provide all personal information to the affected individual in a structured, commonly used, machine-readable format that they can take to another system. Excel, comma-delimited (CSV), and plain-text formats are examples of portable formats.

    Privacy by design

    The GDPR strengthens the requirement that companies take privacy seriously, and be thorough in designing their systems to keep information safe.

    What do you need to do to comply?

    The key point to consider for compliance is maintaining the appropriate balance between consent and business need. Ultimately, the change is not that big and scary if you keep these two points in mind.

    As a sales organization, you have a justifiable business need to collect information on people who interact with your team or have otherwise given you consent, such as via a form on your website. However, you must also balance that with the types of information you collect and the length of time you keep information.

    In order to do this, it’s a good idea to pay attention to two key features of the way you work with private information:

    1. Segmenting
    2. Routines and policies

    At Membrain, we’ve segmented our information into three main categories, based on how long we need to keep information about an individual. In one category are individuals we’ve had minimal contact with. We delete information on these individuals quickly once we determine we no longer need it. 

    In another category are individuals we’ve interacted with extensively but who are not customers. We keep this information for longer than the previous category, but not as long as the last category.

    In the final category are individuals with whom we do or have done business. This information we can justify as critical to our business functioning almost indefinitely, as long as there is a continuing relationship with those individuals. 

    Secondly, and very importantly, we’ve set up routines and training programs to ensure that everyone in our organization collects and manages information in a compliant manner.

    How does Membrain help you with compliance?

    Inside our software, we have updated some of our functions to make it easy for you to manage information inside our system in a compliant manner. We’ve done this in two key ways:

    Easy to manage information

    We’ve made it easy to collect and export all information on an individual that is contained inside our system to a compliant format with just a few clicks. Keep in mind, that you will need to have similar functionality inside all of your software platforms, as it’s possible Membrain will not be the only place you maintain information. For instance, email, Slack, and other applications will also contain customer information. 

    Ability to delete permanently

    Previously, Membrain had an “archive” function for individual information, that would remove the information from your workflow but made it possible to recover that information when desired. This function still remains within Membrain, but now we’ve added a “delete permanently” option. When you delete permanently, all of the affected information will disappear from your system permanently. Neither you nor we will be able to retrieve that information. This is necessary to comply with the “right to be forgotten” portion of the GDPR.
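    To make the retention, export and permanent-delete mechanics above concrete, here is a small added illustration in Python. It is not Membrain’s code and does not describe how Membrain implements these functions; the tier names, retention periods, sample contacts and the `ERASURE_LOG_KEY` secret are assumptions chosen for the example. It shows the three retention tiers from the previous section, a data-subject export in JSON or CSV, and a hard delete that leaves behind only a keyed, PII-free audit entry, so you can later prove a record was erased without keeping any of the person’s data to do it.

```python
"""Added illustration (not Membrain's code): tiered retention, subject export and
provable erasure for a contact store. Tier names, periods and sample data are assumed."""
from __future__ import annotations

import csv
import hashlib
import hmac
import io
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention periods per tier; the post names the tiers, not the durations.
RETENTION_DAYS = {
    "minimal_contact": 90,        # deleted quickly once no longer needed
    "engaged_prospect": 365 * 2,  # kept longer, but not indefinitely
    "customer": None,             # kept while the business relationship continues
}

# Assumed secret, held outside the CRM: the erasure log stores HMAC(key, id), not the id.
ERASURE_LOG_KEY = b"assumed-secret-kept-outside-the-crm"


@dataclass
class Contact:
    contact_id: str
    name: str
    email: str
    tier: str
    last_interaction: date
    notes: list[str] = field(default_factory=list)


@dataclass
class Store:
    contacts: dict[str, Contact] = field(default_factory=dict)
    erasure_log: list[dict] = field(default_factory=list)  # contains no personal data

    def add(self, c: Contact) -> None:
        self.contacts[c.contact_id] = c

    def export_subject(self, contact_id: str, fmt: str = "json") -> str:
        """Right to access / portability: everything held on one person, as JSON or CSV."""
        c = self.contacts[contact_id]
        record = {
            "contact_id": c.contact_id, "name": c.name, "email": c.email, "tier": c.tier,
            "last_interaction": c.last_interaction.isoformat(), "notes": c.notes,
        }
        if fmt == "json":
            return json.dumps(record, indent=2)
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(record))
        writer.writeheader()
        writer.writerow({**record, "notes": " | ".join(c.notes)})
        return buf.getvalue()

    @staticmethod
    def _token(contact_id: str) -> str:
        # Keyed pseudonym: verifiable by the key holder, useless to anyone else.
        return hmac.new(ERASURE_LOG_KEY, contact_id.encode(), hashlib.sha256).hexdigest()

    def erase(self, contact_id: str, reason: str, today: date) -> dict:
        """Right to be forgotten: hard-delete the record, then append a PII-free audit entry."""
        del self.contacts[contact_id]  # KeyError for an unknown id: never 'succeed' silently
        entry = {"subject_token": self._token(contact_id), "reason": reason,
                 "erased_on": today.isoformat()}
        self.erasure_log.append(entry)
        return entry

    def was_erased(self, contact_id: str) -> bool:
        """Prove compliance with an erasure request without having kept the data."""
        token = self._token(contact_id)
        return any(hmac.compare_digest(e["subject_token"], token) for e in self.erasure_log)

    def due_for_purge(self, today: date) -> list[str]:
        """Ids whose tier retention period has lapsed (customers never expire here)."""
        due = []
        for c in self.contacts.values():
            days = RETENTION_DAYS[c.tier]
            if days is not None and today - c.last_interaction > timedelta(days=days):
                due.append(c.contact_id)
        return sorted(due)

    def run_retention(self, today: date) -> list[str]:
        """Scheduled job: erase everything that is past its retention period."""
        purged = self.due_for_purge(today)
        for cid in purged:
            self.erase(cid, reason="retention_expired", today=today)
        return purged


def demo() -> Store:
    """Constructed sample data (not real contacts), one contact per tier."""
    s = Store()
    s.add(Contact("c1", "Ada Example", "ada@example.com", "minimal_contact", date(2018, 1, 1)))
    s.add(Contact("c2", "Ben Example", "ben@example.com", "engaged_prospect", date(2017, 1, 1)))
    s.add(Contact("c3", "Cy Example", "cy@example.com", "customer", date(2014, 1, 1),
                  ["Renewal call booked"]))
    return s


if __name__ == "__main__":
    store = demo()
    print("purged:", store.run_retention(date(2018, 5, 25)))
    print(store.export_subject("c2", fmt="csv"))
```

    The design point worth copying is the erasure log: it records a keyed hash of the record id rather than the id, name or email, so the audit trail itself does not become another copy of the data you were asked to delete, yet whoever holds the key can still answer "was this person erased, and when?". Note also that the same retention job has to run against every system that holds contact data, not only the CRM.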

    We hope this overview of the GDPR is helpful to you. Keep in mind that we are not attorneys and that this information is provided only as a general overview, and not an authoritative source of definitive information. We recommend that you consult with your attorney to ensure full compliance.

    If you’d like more information about the GDPR and how we’re helping you maintain compliance, see our webinar, or contact us today. If you would like to suggest features to further simplify your GDPR compliance efforts, please let us know!


    Published April 25, 2018
    By Henrik Öquist

    COO for Membrain, the #1 sales effectiveness software for complex b2b sales. A father of three, a former game developer and dedicated to giving sales organizations better tools to achieve consistent sales performance. Henrik has helped companies from start-ups to large enterprises develop and operationalize sales processes and to use technology to make it easier to execute their sales strategy.

    Find out more about Henrik Öquist on LinkedIn