The answer is YES, assuming you have a ‘legitimate interest’ that is a ‘lawful reason’ to ‘process data’ compliant with GDPR. Get all that?
The General Data Protection Regulation (GDPR) is the European Union’s (EU) new 88-page privacy law. GDPR requires global data protection rights for individuals in the European Union whom you may be prospecting, whether you live in the EU or not. Specifically, GDPR regulates how you obtain, use and store personal data for their 750 million residents.
GDPR goes into effect on May 25th, 2018, and non-compliance carries stiff fines.
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, credit card, posts on social networking websites, medical information, or even a computer IP address.” Personal data can even include data about an individual that has been hashed or encrypted.
Are you acting as a Data Controller, a Data Processor or both?
“Data Controller”: Anyone who is collecting data (i.e., building prospect lists) and determining how it will be “processed” or used (i.e., sending emails). As the Data Controller, you are responsible for safeguarding the data of your prospects and customers as they interact directly with you or your services.
“Data Processor”: Any third party gathering or processing information on behalf of the Data Controller. This could be your email verifier (i.e., SellHack) or your cold emailing tech (i.e., Replyify). The Data Processor is responsible for safeguarding your data and the data of your partners, customers, users, prospects, leads, etc.
For the purposes of this article, which is written for a BtoB salesperson, the EU authorities classify you as a Data Controller since you may need personal data to make calls, conduct meetings, and send emails.
This is complicated stuff, but for folks in sales, Article 6(1)(f) gives you a lawful basis for processing, which can be broken down into a three-part test. It’s important to document your Legitimate Interest Assessment (LIA) to demonstrate your accountability under Articles 5(2) and 24 if you’re ever questioned on the legitimacy of your data processing.
This three-part test is used to define your ‘legitimate interest’ (ICO’s ‘Purpose Test’), your necessity to process the data (ICO’s ‘Necessity Test’), and whether your ‘legitimate interest’ balances out the individual’s right to privacy (ICO’s ‘Balancing Test’).
As a cold emailer, your legitimate interests are always weighed against the data subject’s right to privacy. You must make it clear why this particular person might want to hear from you. You must have a legitimate interest for each person you prospect, which means purchasing a list built by a third party could get you into trouble.
First, identify the legitimate interest and be prepared to answer the question “how did you get my email address?”
Your response needs to clearly describe the method you used and your legitimate interest: