Five things every SaaS marketer should know about GDPR
As the countdown to the General Data Protection Regulation (GDPR) continues, marketers everywhere can still be found scratching their heads in confusion as they try to decipher the directive’s requirements and its implications for processing lead data and marketing to EU residents.
Here are my Top Five actionable takeaways that every SaaS marketer needs to be aware of in the run-up to GDPR (May 2018). Remember, even if you're not an EU company, GDPR still applies if you're marketing to, or processing the data of, an EU resident.
1. Lead Scraping
Scraping target names from LinkedIn and using tools like Hunter.io to track down a business email has long been the backbone of any outbound prospecting engine. However, under GDPR, this practice could land you in hot water if the target is an EU resident, as you technically need consent from them before you even reach out.
In reality, a single introductory email is unlikely to cause too much concern. However, do not add them to sustained marketing campaigns, and under no circumstances should you be adding them to your CRM and to bulk email campaigns.
Of course you could just try connecting with them directly on LinkedIn (or using InMail).
2. You might need to overhaul your Opt-In strategy
If you operate globally, that means you’ll need to be tracking and logging geographical lead information to ensure you are compliant with EU visitors. Unfortunately, corporate VPNs mean relying on the visitor’s IP to determine location might not even be enough.
Maybe now’s the time to un-gate your content?
3. But then again, you might not
In addition to explicitly asking for consent, there are actually several lawful conditions for processing [lead] data. One of these is “The processing is necessary in relation to a contract which the individual has entered into; or because the individual has asked for something to be done so they can enter into a contract.”
So, if your landing page and lead form have the express purpose of allowing a lead to sign up for a free trial or even to book a demo, you may legitimately use that lead data for marketing purposes (assuming that the content relates to the service they signed up for).
I've written in detail about this here.
4. Do not rely on the "legitimate interests" clause
There’s a lot of noise from direct marketing firms stating that they can process and use data based on the “legitimate interests” clause. This states that the processing of personal data may be carried out for a legitimate interest.
This is not a get-out-of-jail-free card. An organization must be able to show that the use of the data was a necessity and that seeking consent was not possible. In many sales and marketing scenarios, this will be difficult to prove. Likewise, GDPR asks whether the individual would reasonably expect their data to be used. It also sets out that consent must be specific to each data processing event (i.e. use of that data).
So, if you rely on buying lists from data brokers, do your due diligence to understand how they are making a lawful claim to use that data. Do they pass the necessary conditions for making that claim?
5. Always log consent in your CRM
Under GDPR, consent must be verifiable. That means you’ll be expected to log the lawful basis under which you are processing your lead data. If you are capturing opt-in consent, make sure that flows through to the lead record in your CRM. Likewise, if you are capturing leads through a trial or demo sign-up (see above), and not using an explicit opt-in consent field, make sure you record that action so you can prove that initial point of contact later if required.
Remember, GDPR applies not only to newly sourced lead information, but also to existing data sitting in your CRM. You will need to be able to show consent, or the lawful reason for using that data for sales and marketing purposes. If you can’t, then it might be time to clean house.
If you’re a SaaS business looking to understand how GDPR will impact your inbound (and outbound) marketing operations, then we can help by providing a simple audit of your operations and an actionable plan to ensure you avoid a potentially costly fine.
Share your thoughts below (and, of course, share this article!)
* The content of this web page is a commentary on GDPR, as Boostwax Marketing Ltd interprets it, as of the date of publication. The application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. You should work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.