How will GDPR affect your agency’s new business efforts?
Like it or not, the new GDPR regulations are just a few months away now. Unless you’ve been living in a cave it is almost impossible to avoid the constant bombardment of information and advice from all directions about what your business needs to do to be compliant by the 25th of May 2018.
This article is written on the premise that you are working within a marketing services agency of some description – an increasingly broad arena these days, with the ever-evolving communication channels and innovation in our industry.
Don’t worry – this blog is not going to overload you with even more legal speak about your obligations. It will just be looking at a few practical issues in terms of how you manage your outbound B2B new business campaigns. Specifically, this feature will focus on outbound calling, since that is our specialist subject.
First things first though, let’s look at the basics.
What is personal data in a B2B context?
Anything that can identify an individual within an organisation, including (but not limited to) an email address (business email addresses included), a direct dial telephone number or a mobile number.
What is NOT personal data in a B2B context?
A generic email address (such as info@), a switchboard number, a job title without a contact name attached to it – e.g. Marketing Manager, Company X, as opposed to John Smith, Marketing Manager, Company X.
How do you store your data?
So, ignoring the fact that programs like Outlook (or whatever email system you use) will be full of personal data, let’s presume that most companies will also have a database of some sort and this is the main source of contact information you use to target prospective clients you would like to work with. Whether it’s an all-bells-and-whistles database, a huge unwieldy Excel spreadsheet or a box of index cards from the 1980s with handwritten notes detailing customer information, the principle is the same. If you have any of these things, you are technically “the Data Controller”.
The Data Controller
Put simply, the Data Controller is in charge of the data. If you are the Data Controller, you need to:
• know exactly where the data came from
• know when it was last verified
• know whether you are justified to still use it
• keep it secure.
On top of this you will need to deal with issues such as:
• ensuring you remove anybody who has asked to be
• providing the relevant details in a timely manner to an individual who makes a subject access request about the personal data you hold on them.
The Data Processor
Anyone who is using data you have given them access to can be considered a Data Processor. Perhaps you sub-contract to a company or individual to help with your new business efforts, for example. It is essential that any Data Processor is aware of their responsibilities and treats any data they have access to accordingly. You don’t want negligence on their part (whether intentional or not) to come back to haunt you.
How do you generate new business?
Most agencies are likely to use a variety of methods to try and win new clients, whether that is telesales, email, content driven incoming enquiries, events, etc. Pretty much all these methods will still involve collecting and storing personal data of some description, so you need to make sure this is carefully managed, securely stored and that you have permission to use it.
To some degree, outbound B2B calling is an easier beast to manage than other outbound channels.
You will need to ensure that you have screened your data against the Corporate TPS list to avoid making marketing calls to those who have registered with the TPS – but presumably you have been doing this for the last 15 years or so already. However, I am constantly amazed by the number of professional companies that don’t. If you don’t screen already, you will need to start doing so. There are various ways of screening numbers (any reputable list broker will provide data that indicates which numbers are registered), but one of the most effective ways is to have your phone system routed through software that blocks you from calling a TPS-registered number in the first place. This is the method Alchemis has used for the last 14 years and it is seemingly foolproof.
You will need to know when and where you collected the data you hold. A lot of databases will timestamp information in a data field each time you make an entry, so this will help, but remember that any database is only as good as the data going into it in the first place. Any users (Data Processors) will need to follow best practice to maintain the integrity of any data you hold.
You may need to prove you have a legitimate interest to contact the people on your database. There could be many variables to this depending on your business model, customer profile, etc., and my guess is there may be a few test cases once GDPR comes into force where courts may decide what counts as reasonable within the scope of “legitimate interest”. This DMA article gives a brief outline on this subject.
You will need to ensure you take any requests from people who have asked to be removed from your database seriously. Again, speaking from personal experience, there are a few companies who think “remove me from your list” means “try me again next week in case I changed my mind” and the penalties for ignoring this are likely to be more severe than previously. Of course, this aspect will be subject to both the behaviour of the Data Processor and potentially the functionality of any database you are using.
However, broadly speaking, if you are compliant with the above, any outbound B2B calling you are doing should run relatively smoothly.
Using a new business agency to manage your calling campaign – a practical example
In the scenario that you are an agency running your own outbound new business campaigns, you will be the Data Controller. You will need to know when, where and how you gathered the personal information that you hold on the people you are targeting and why you have a legitimate interest to use it. On top of this you will need to be confident that it is secure and know exactly who has access to it.
If you use any outsourced organisation or individual to help run your campaigns you will need to be confident that they are compliant with the new regulations. They would act as the Data Processor (although may also be considered a Data Controller in some circumstances, as outlined below).
Let’s look at Alchemis as an example.
We are running outbound new business campaigns for multiple agencies at any one time. Our database holds information that has been either bought or researched by ourselves, along with a certain amount of data that various clients may have provided specifically for their own campaign. In this respect Alchemis could be considered both Data Controller and Data Processor.
Therefore our database is (and has always been) ringfenced in terms of what detail our Account Managers can access for their clients. For example, if Jane is the Account Manager for Client X, she would not be able to see any notes that John has input on the database against a prospect for Client Y.
Due to the sheer volume of calls Alchemis makes every day, this data is constantly cleaned and updated, with timestamps showing last contact for each piece of personal data.
Whilst company level details (such as site address, switchboard numbers, website, etc) are available to all Account Managers, there are robust systems in place to manage the collection, storage and use of personal information as this level of detail will be dictated by each individual campaign. Legitimate interest will undoubtedly be different when approaching a prospect on behalf of one client than it will from another for a myriad of factors.
Whilst using an outsourced company or freelancer to run outbound business development campaigns can reduce the headache for some agencies, it is important that you choose wisely. After all, it could be more than just your reputation on the line as the new legislation comes into effect.
Alchemis are one of the only New Business Agencies that are actually DMA members, so we need to ensure we practise what we preach in terms of data integrity and compliance.
Undoubtedly, the subject of GDPR will be increasingly in the news over the coming months. I suspect there will be a few high-profile cases of big-name organisations hit with hefty fines for some misdemeanour or other. On top of this, there is an ever-increasing industry blossoming offering various compliance solutions to companies – some no doubt necessary and some blatant opportunism playing on people’s fears in order to generate revenue. However, GDPR is something that will affect every company in Britain and the EU. As ever, the market will adapt and evolve as necessary.