GDPR and sales teams – three steps to compliance

Remember ‘big data’? Back in 2012/2013, Silicon Valley saw an explosion in startups dedicated to compiling, protecting and analysing data. Companies across almost every sector began to integrate ‘big data’ principles into their business models. Historians of web 2.0 may well argue that these were data’s halcyon years - unimpeded, uninterrupted data proliferation, creation, and analysis.

It wasn’t long before big data became just ‘data’. All data was, in some sense, ‘big’ and regulators began to catch up to what was an ever-growing industry. In April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR), seeking to regulate how data is used by companies. It began a process that leads up to 25th May this year, when GDPR comes into force. It will be a watershed moment for European business across all sectors.    

Like the proverbial ostrich, it’s probably fair to say that most companies have buried their heads in the sand on GDPR. That would be the wrong approach. Any salesperson or marketer who hasn’t heard about the GDPR by now is in for a bumpy (and potentially litigious) ride.

You might think only IT teams and marketing specialists would need to worry about compliance. But the GDPR change could have significant implications for sales teams in particular.    

Modern sales teams, even in small businesses, rely on data. When you’re selling to a business you interact with individuals and their personal data each and every day. That Excel spreadsheet of contacts? That falls within GDPR. There probably isn’t a sales team in the UK that won’t be affected.

The primary issue is that GDPR sees salespeople as ‘data controllers’. This means sales teams will be directly responsible for enforcing GDPR principles. If you’re unprepared, you’ll be at real risk of breaching tough rules. Salespeople will receive no special treatment and failure to comply can lead to fines of up to 20 million euros - a significant portion of annual turnover for even the largest of global companies.  

At over two hundred pages long, the complete GDPR is far from a page-turner. And sales teams could be forgiven for not poring over all 99 articles of the legislation.

But you’ll be glad to hear there’s no need to panic. Yet. There’s plenty of time to make your processes compliant and you only need to understand a fraction of the legislation. Here’s what sales teams need to know.   

Three steps to GDPR safety 

It’s useful to have a broad overview of the overarching principles of GDPR, but your three steps to GDPR safety are laid out primarily in Article 5, which makes things a little bit easier. In particular, salespeople need to follow the three key directives outlined below. 

1. Gather only data you need and make sure you have lawful grounds to process it.

The GDPR includes a limited list of acceptable reasons for gathering data you do not need. Unfortunately “it might be useful at some point in the future” is not one of them.

We would advise sales teams to bake in processes that generate as little data as possible. Aside from just GDPR compliance, there is a clear business case for this - minimizing the data collection process for a salesperson only makes their job easier, giving more time to chase down quality leads and less time spent managing admin.

Collecting data necessary for a contract with a prospect, or for your ‘legitimate interests’, will mean you have no problems under the legislation. The good news is that according to GDPR Recital 47, direct marketing passes this test. Always ensure you define and explain your need to the data subject.  

Otherwise, you must ask for consent.  

This is easier said than done. Gathering the proof points you need for consent is complicated and consent has to be freely given. It must be specific, informed and unambiguous, and it can’t be concealed in any way. It needs to come through an affirmative action and, unsurprisingly, pre-ticked boxes aren’t allowed.  

You’ll also need to fully record the consent and you need to be prepared to remove the relevant data if the person changes their mind. The ability to remove consent must be clear and easy and you will need to act on it accordingly.   

2. Be open about your actions and prepare for data subject requests. Protecting the individual is a core purpose of the GDPR. 

As a salesperson, you should make sure your customers are kept informed of what you’re doing with their data, and why you’re doing it.  

You need to be prepared for your customers exercising their right to have access to the data you have stored on them. You need to make this process possible, and you need to be able to delete this data at the request of the contact.

Again there is a clear business case here, aside from just compliance. Making it clear that you’re handling data responsibly will help prospects build trust in your business.   

3. Keep the data safe and delete it when you’re finished with it. You cannot have privacy without security.  

Unsurprisingly, data security is at the heart of GDPR and you will need to have appropriate and sufficient security for any personal data you process. That spells the end of USBs lying around the office, or using unlocked Google Sheets for sales prospect data. What this does mean is strong passwords, access controls, and industry standard technical security measures.  

In addition, you need to be able to remove the data from your system once you no longer have a legitimate use for it. Establish specific triggers when certain conditions are met and automate the deletion process – you’ll save time and reduce your anxiety in the long term.

Need more help? 

With three offices and strong roots in Europe, the team at Pipedrive is well informed of the implications of the GDPR and we understand exactly how important these changes can be for Pipedrive users.  

We’ve been preparing for a while now and we will continue to make improvements that are guided by the requirements and spirit of the GDPR. And it’s not just us: speak to legal professionals or your CRM provider for more information. The key is not leaving it too late. As you’ll hopefully have seen, there is a lot to think about and, for some businesses, there will be a lot to do to bring your company up to compliance.

The best news is that much of what GDPR requires is fundamentally good business sense, and good data housekeeping. You may find that once you have reached full compliance, your business, and your sales strategies and processes, are stronger for having gone through the process.    

Martin Ojala, Data Protection Officer at Pipedrive 

Image Credit: Docstockmedia / Shutterstock