Commercial prospecting and RGPD, what can we do?
Prospecting and GDPR do not always mix. We share with you the rules to follow for prospecting that is perfectly aligned with the RGPD.


When mastered, commercial prospecting can be a powerful weapon for acquiring new customers. Identifying your ideal customer, getting in touch directly, even leading to the signing of a contract: the dream.
But a party crasher recently invited himself to the evening, and he is shaking things up quite a bit: the GDPR.
What are its implications for your outbound marketing actions? Is it even legal to contact people under the GDPR?
The Far West era is over. At the end of this article, the implications of the GDPR in your marketing will no longer hold any secrets for you. Get ready to be smart at family meals.
Before getting to the heart of the matter, let's start with the basics:

And yes, remember that it is indeed the RGPD.
Although it may sound like a crackdown, it is a regulation, so we say “the” GDPR.
That one was a gift. Let's move forward.
Is commercial prospecting compliant with the GDPR?
The first question we ask ourselves is that of legality. If you listen to corridor gossip, you could quickly believe that commercial prospecting has become an illegal activity since the arrival of the GDPR. Rest assured, gossip is often well off the mark. Today is no exception.
If companies were no longer allowed to contact each other, this could have a deplorable impact on economic activity, and therefore our GDP. Obviously, that is not the aim of the GDPR.
It is therefore completely legal to prospect. However, the RGPD imposes a framework on how to do this.
To conduct commercial prospecting in full compliance with the RGPD, you will have to check all of the following boxes, which we will see point by point in the rest of this article:
- Prospecting for professional contacts only
- Prospecting should be based on legitimate interest
- An option to unsubscribe (opt-out) must be present
- Your prospects can at any time request access and/or deletion of their data
- Your prospects have the right to know the origin of their information (and this source must be GDPR compliant)
- The information collected must be limited to the specific needs of the contact.
- Security measures must be put in place for the data you process.
- If this data were to leak, you are responsible for alerting the competent authorities.
Points 1 to 3 are the essential points to remember: without them, no prospecting.
The RGPD, a short reminder in 2 words.
The RGPD, “General Data Protection Regulation” (GDPR in English), is a European regulation passed in December 2015 which has been in force since May 25, 2018 and regulates everything related to the processing of personal data on the territory of the European Union. More specifically, this regulation applies to any company that collects, processes and stores personal data whose use can directly or indirectly identify a person.
By “personal data” we mean “any information relating to an identified or identifiable natural person”.
This regulation thus harmonizes rules at the European level by offering a legal framework for activities, especially those related to digital technology, that process more and more personal information from users.
It is there to protect your privacy. So far, so good: thank you, RGPD ✅

The key principles of the GDPR
The RGPD is based on 3 fundamental principles:
- Consent: Businesses must obtain consent before collecting and processing personal data.
- Transparency: Individuals should be clearly informed about the use of their data.
- Limiting collection: Only data that is necessary for a specific purpose can be collected.
The rules to follow for commercial prospecting in accordance with the RGPD:
To get to the heart of the matter, here, in detail, are all the points to respect:
1. Prospecting professional contacts only
The rules of application of the RGPD will depend heavily on your type of targets.
As you will have understood, the RGPD is particularly focused on personal data, so in B2C (Business to Consumer), the RGPD places strong emphasis on the protection of consumer data.
As for B2B (Business to Business), since much of the data is professional rather than private, the rules are thankfully less strict.

Thus, the first key point of digital prospecting in accordance with the RGPD is the type of data you use: private or professional data.
To contact a person via their private address (an address such as firstname.lastname@gmail.com, for example), the person in question must have given their consent before being contacted. They should therefore have subscribed to your distribution list themselves.
💌 A newsletter, for example, can therefore be sent to private addresses if and only if these people have registered themselves, or have given their consent in a free, specific, informed and unequivocal manner.
Okay, but the concept of prospecting is to contact people who have not given their consent, so what do we do? 🧐
To contact a person via a business address, the rules are thankfully less strict. As recalled by the CNIL (Commission Nationale de l'Informatique et des Libertés), prospecting to a professional address (such as name@companyname.com) can be carried out if it is based on a legitimate interest.

2. Legitimate interest
But what do we mean by legitimate interest?
Although practical, the concept is still vague. And above all, it remains subject to interpretation by the authorities in charge.
Legitimate interest refers to the concept of a potential “fit” between two entities, based on the products or services offered on the one hand, and the interest in them on the other.
Legitimate interest is thus directly linked to thoughtful and well-defined targeting, so that prospecting highlights products or services which, in view of the company's activity or the role of the professional contacted, could be of real professional advantage.
It is thus a question of building your prospecting actions in a coherent way, with a message that makes sense for the target. The good news is that the GDPR only legally strengthens one of the essential conditions for an effective cold email.
Example:
Contacting popsicles to sell them fridges 🧊: not ultra-legitimate.
On the other hand, contacting a Head of Marketing with a SaaS proposal that allows better monitoring of advertising campaigns makes more sense.
The RGPD therefore allows prospecting, but not “massmailing” without thinking.
Ok, so you can contact professionals at their professional address, when there is a legitimate potential interest, but what about their right to no longer be contacted?
3. The Opt-Out, or the unsubscribe link
As we saw in the first point, when you contact a private person, they must have given their consent in advance, or “Opt-in”, to future contacts.
Fortunately, the GDPR does not require consent (opt-in) in the context of B2B prospecting, because the objective is not to hinder the commercial practices of companies. On the other hand, you still have the right to ask not to be contacted anymore.
This results in an obligation to include an “Opt-out”, that is, an unsubscribe link, in all unsolicited communications. The CNIL ('National Commission for Informatics and Liberties') recommends that it be direct, visible and systematic.
Thus, B2B e-mailing (prospecting) works in “Opt-out” mode (without consent), while B2C e-mailing (Newsletters) works in “Opt-in” mode (mandatory consent).
👉 We will talk about “Opt-in” for B2C, and “Opt-out” for B2B.
4. The right to access and to be forgotten
Since the RGPD allows contact without prior “Opt-in”, while its primary purpose is the protection of personal data, it seems legitimate that each of us can ask to no longer be contacted.
The RGPD thus requires that targeted persons have access to their data. They have the right to modify (if necessary) or to delete all information concerning them (professional or private), except the fact that they no longer wish to be contacted.
5. Transparency on the data collected
Since the RGPD aims to regulate the collection, storage and processing of personal data, the origin of this data will obviously be a key point in order to stay within the rules.
For example, if you buy B2B contact lists, you are carrying out a data processing operation. You are therefore responsible for ensuring that these lists are in accordance with the RGPD. You will not be able to turn to the provider and say that this is their role, because under the GDPR, you are responsible for the source of your data as well as for its use.
So pay close attention to where your data comes from to remain “compliant” ✅
You are also supposed to inform your prospect about the origin and use of their data as well as their rights in terms of use of it.
The reality is that to be brief and concise in a cold email, including all of this is impossible. On the other hand, if the prospect asks you for information on this subject, you are responsible for informing them transparently.
Compliance of commercial prospecting emails
To continue on the issue of lists, beyond the legal aspect, I don't recommend buying contact lists for 3 reasons:
- Professionals are changing jobs much more frequently today. After only 1 year following the creation of the list, nearly 30% (on average) of it will already no longer be valid.
- Most email services have algorithms that can detect the use of widely overused lists. You are thus at risk of being blacklisted, so that your emails all end up in spam.
- Very few lists (or almost none) are built on the basis of a system in accordance with the RGPD. Quite simply because data security is a key point, and because the resale of a database of named individuals is strictly prohibited without an “opt-in” agreement from the persons concerned.
To ensure the compliance of your prospecting emails, the ideal solution is therefore to turn to “live” enrichment services, which do not store or resell data, but rather work on an algorithmic basis, and validate the data with test servers.
Among them, you will find Dropcontact, Datagma and Hunter, among many others.
6. Information should be limited to the needs of the contact
When you contact a prospect, you may be tempted to know the name of their aunt, their favorite color, and the name of their goldfish. But basically it's not ultra-useful, and a bit intrusive.
The GDPR follows the same logic. In B2B, you are allowed to use the data necessary to contact your target, but not to use other data that is not linked to it.
Sorry Maurice, but don't push the envelope too far!

7. The security of the data collected
As you will have understood, if some people do not play the game, contact data can quickly circulate and continue to be misused. According to the RGPD, you are therefore responsible for implementing security measures to protect the personal data of your prospects as well as your customers.
And of course, it is strictly forbidden to distribute or resell them.
8. Alert the authorities in case of a leak
This point follows the same logic as the previous one. Since you are responsible for data security, you are also responsible for data leaks.
Should the case nevertheless arise, you will be responsible for informing the competent authorities in the event of a personal data breach.
So no “discreet” file sharing, smart guys, we're watching you 👀
What are the risks of non-compliance with the GDPR?
Obviously a rule without sanctions, well that's... not very effective.
This is no exception to the rule: for each breach, whether or not there was material or moral damage, you risk a heavy penalty.
It can go up to 4% of your annual turnover or 20 million euros (taking the higher of the two, otherwise it's not funny 😬).
The subtlety of “global” business contacts
If you have been paying attention so far, you will have noticed the recurrence of the phrase “personal data” when it comes to regulations. A certain flexibility exists in the RGPD when we talk about so-called “firmographic” data, i.e. data that refers to legal persons (companies).
Thus, the company name, the address, the activity, the range of products/services, etc., but also generic contact data such as info@company.com, are not affected by the RGPD.
Email addresses that do not directly identify a natural person are also not affected (for instance: press@company.com, contact@company.com, event@company.com, etc.).
If you want to play Rambo and send emails in all directions (which we obviously don't recommend, but everyone likes it 🤨), you can do it on global addresses without risking consequences in terms of GDPR. Moreover, these addresses are often listed directly on the websites of the companies in question.
Even if you are authorized, this does not mean that it will be great for your brand image, or for your deliverability. So put away your Rambo gun 🔫.
It is time to conclude without blunders
To summarize, it is therefore entirely possible to prospect to develop your commercial acquisition despite the RGPD. However, this regulation provides a framework for activities that until now were sometimes carried out a bit too much in “Cowboy” mode by some trying to develop their project.
Where mass prospecting and the resale of personal data were common, the GDPR imposes a more thoughtful and respectful approach for everyone.
By targeting your campaigns correctly,
By creating comprehensive lists,
By enriching in a qualitative way,
By approaching with a message that resonates with their needs,
And by respecting the rules mentioned above,
You will be able to become the king of the Far West without breaking any law.

Welcome to the compliant side of prospecting, cowboy!