The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, intends to improve data protection for individuals in the EU. As a data processor and a data controller, we have worked hard to ensure our compliance.
However, as an Overloop user, are you GDPR compliant? Well... Let's find out!
This article will raise important points about how and why you are GDPR compliant by prospecting and/or by sending cold email campaigns.
Prospecting and GDPR
You are GDPR compliant when you're prospecting on a website or LinkedIn without your prospect's agreement. However, the GDPR requires companies to have a "legal basis" for processing personal data about EU residents:
Article 6 of the GDPR allows the collection of data without consent if you have a legitimate interest in doing the processing.
Article 6 (paragraph F) says, «Processing shall be lawful only if […] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the […] fundamental rights […] of the data subject".
The term "legitimate interest" is not clearly defined. The recital 47 of the GDPR states that a legitimate interest may provide a legal basis for processing data (except "where such interests are overridden by the […] fundamental rights […] of the data subject").
There are 3 crucial questions you need to ask yourself:
Do I have a valid legitimate interest?
Is prospecting necessary to pursue that interest?
Am I violating any fundamental rights to pursue that interest?
If your answers are respectively yes, yes, and no, then you're GDPR compliant as far as prospecting is concerned.
Cold emailing and GDPR
Here again, valid legitimate interest is the key. Sending cold email campaigns is GDPR compliant if you send emails to people who you can reasonably expect to find their content useful.
In this respect, some requirements need to be fulfilled:
The topic of the email must be clearly identified.
There must be a clear way to opt out of future emails.
A genuine physical address must be included in the email.
The sender must be clearly identified.
Let's develop these points.
A. The topic of the email must be clearly identified.
You can legally reach out to someone you haven't been in touch with before if you have reason to believe they would benefit from interacting with you. But you can only justify that interaction if you clearly state the reason you're reaching out about in your message and if your subject line isn't deceptive – which it should never be in any case.
B. There must be a clear way to opt out from future emails.
From a legal standpoint: you must always allow your prospects to opt out easily. The best way is to add an unsubscribe link to your emails.
However, it doesn't necessarily need to be through a link. Mailbox services don't have opt-out links, so if you were sending a personal email from your personal mailbox, there would not be an unsubscribe link. This is why you may also use other ways to let your prospects stop receiving emails from you. Just add a PS to your signature or a friendly mention in the content of your emails, inviting anyone not interested and wanting to opt out to let you know about it.
You are obligated to immediately stop contacting prospects who request it. If a prospect of yours demands that their data gets removed from your prospect lists, you need to comply (in accordance with the "right to be forgotten"). If you're not using the unsubscribe links, then this is something you need to do manually by adding a prospect to the exclusion list in Overloop.
C. A genuine physical address must be included in the email.
In order to establish trust and keep companies accountable, you now need to display the address of your business in the email.
Best way to do it? Include it in your signature, and it'll look natural and won't be disruptive.
D. The sender must be clearly identified.
Each sender needs to be clearly identified. That is, you can't just use a generic address or write in the name of the business. Not only is that illegal, but it also dehumanizes the relationship.
Bottom line: prospecting and cold emailing are okay as long as you play by those reasonable rules and focus the experience on the prospect.
For more information about GDPR, check out our dedicated page!