A few weeks ago, I wrote about enterprise software vendors calling for an American version of GDPR with Microsoft announcing that it was building GDPR into its global product line as its standard privacy protocol.
On the Salesforce earnings call last week, CEO Marc Benioff observed that the software industry has been going through a “crisis of trust for the past six months” related to privacy and data ownership:
“From the European perspective the way they look at data is data belongs to you, it’s your data. Now for us at Salesforce, we understand that. We’ve had that position from the beginning. Our customers’ data belongs to them, it’s their data. I think in some cases, the companies that are start-ups and next generation technologies here in San Francisco, they think that data is theirs. I think the Europeans with GDPR have really flipped the coin, especially in advertising but in another areas saying hey, this data belongs to the consumer or to the customers, you guys have to pivot back to the consumer, you have to pivot back to the customer.”
Benioff once again called for a US privacy law similar to GDPR which provides “guardrails” around trust and safety. “This is going to help our industry,” said Benioff. ”It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”
Benioff also warned that when AI technologies are indistinguishable from humans, trust will also be an issue.
It is less than 36 hours until GDPR becomes the law of the land in the EU Zone. As the regulation has extra-territorial privacy requirements, non EU companies, even those without a physical presence in the EU, are subject to its requirements with respect to communications with EU citizens and management of their data.
The US has a much weaker set of laws and there is concern that US firms are laggards with respect to compliance. However, a number of US technology firms have called for adoption of a US GDPR.
On Monday, Microsoft once again reiterated its belief that “privacy is a fundamental human right” and announced that GDPR will be their privacy standard globally.
“As people live more of their lives online and depend more on technology to operate their businesses, engage with friends and family, pursue opportunities, and manage their health and finances, the protection of this right is becoming more important than ever.”
Julie Brill, Microsoft Corporate VP & Deputy General Counsel
Companies, therefore, have a “huge responsibility” to protect and safeguard personal data.
Since GDPR was enacted in 2016, Microsoft has dedicated 1,600 engineers towards compliance. “GDPR compliance is deeply ingrained in the culture at Microsoft and embedded in the processes and practices that are at the heart of how we build and deliver products and services,” said Brill.
She noted, however, that GDPR is a “complex regulatory framework” subject to “ongoing interpretation” by regulators and feedback from customers. As such, the firm will “determine the steps that we all will need to take to maintain compliance.”
As a provider of corporate infrastructure, Microsoft views GDPR as an opportunity to differentiate itself and assist its customers with compliance on the Microsoft Cloud. “One of our most important goals is to help businesses become trusted stewards of their customers’ data,” said Brill. “This is why we offer a robust set of tools and services for GDPR compliance that are backed up by contractual commitments. For most companies, it will simply be more efficient and less expensive to host their data in the Microsoft Cloud where we can help them protect their customers’ data and maintain GDPR compliance.”
Salesforce and SugarCRM have also taken a strong position on GDPR calling for similar legislation in the US. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” said Salesforce CEO Marc Benioff.
This is not a new position for Salesforce. Back in 2014, Benioff said, “I’m all in favor of consumers having more power and more control over their data. As a consumer, you should have all of the rights. It’s like a cloud Bill of Rights. As a consumer or as an enterprise, you should have the right to be forgotten or to add or take away your data.”
As part of its compliance, the firm named their Senior VP of Global Privacy and Product Legal Lindsey Finch as their new Data Protection Officer. Finch has been with Salesforce for a decade with previous stints at GE (Privacy Counsel), the Federal Trade Commission, and Homeland Security.
“The official DPO designation is a natural outgrowth of our existing programme. My team and I will continue to partner across the company to foster a culture of privacy – designing, implementing, and ensuring compliance with our global privacy programme, including ensuring that privacy is considered throughout the product development lifecycle,” said Finch. “The top theme I’m hearing is that our customers are using the GDPR as an opportunity to focus on their privacy practices and putting their customers—oftentimes end-consumers—at the center of their businesses. The GDPR is a complex law, but putting the individuals to whom the personal data relates at the forefront, and focusing on their expectations and preferences, is a great starting point for compliance with the GDPR and other privacy laws.”
Finch described Salesforce’s approach to GDPR compliance:
“We started by kicking off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document—99 articles and 173 recitals across 88 pages! Our Privacy team broke this down into key principles and worked closely with our Technology & Products organization to review our compliance. We found that we were already in a really great place,
Since then, a lot of the work we’ve been doing has been to document how our customers can use our services to comply with some of the key GDPR principles, which we’ve published on our GDPR website. There is no finish line when it comes to GDPR compliance. While Salesforce currently offers the tools for our customers to comply with the GDPR, we will continue to release new innovations that help our customers achieve compliance success.”
Salesforce CMO Simon Mulcahy echoed Benioff and Finch at the Salesforce World Tour event in London last week. Mulcahy stated that many companies simply view GDPR as a compliance issue and nuisance, not an opportunity to align company interests with customer desires. “It is a compliance issue, but it’s also a phenomenal opportunity to give your customers what they want. What they want is to know that when they give you their data, you’re looking after it appropriately.”
“Benioff is right that we will need some regulation and I can’t see how we can set two standards–EU and US–so we’ll likely need to adopt what the EU has done or risk chaos. This also fits well into the narrative of the information utility. GDPR is another driver sending us toward utility formation for the information industry.”
Dennis Pombriant, Principal Beagle Research
Larry Augustin, CEO of SugarCRM noted that firms have been lax in their privacy and cyber security processes saying that self-regulation has proven to be insufficient with “too many incidents.”
“Data privacy issues are not going to go away. People are thinking a lot here now about GDPR, because Facebook, Twitter, and all of these issues keep coming. And Experian in the US, about managing personal information related to credit card data… there’s just a constant barrage of issues around data privacy and personal information,” continued Augustin. “Everyone has to address it, whether it’s in the context of GDPR or the next thing that’s going to come along. There is definitely a heightened awareness and interest.”
SugarCRM has built a data privacy manager into its CRM as a “command center” for the data privacy officer.
In my discussions with clients. they all admit to the regulations being a muddle that initially adds risk to their business models. The penalties are draconian, but the compliance requirements are ambiguous, particularly for B2B firms. As such, we are likely to be hearing about issues concerning GDPR compliance requirements over the next few years.
I came across some excellent tips from Johnty Mongan, Managing Director of The Mongan Group concerning the new European sales environment post-GDPR. Selling in Europe will be trickier in May as reps need to obtain opt-in approval
Mongan provided the following advice:
GDPR is about protecting our interests from unlawful behaviour. GDPR removes the unwanted cold calls, email campaigns and any other processing that we haven’t agreed to. A transparent and fair existence for all. I really like it, it fits with my karmic views of the world.
It won’t how ever stop marketing activities through publicly available information, like a company email or a company number…
It’s time to go old school… here’s what you can do to reach new customers in a lawful and GDPR way:
Get consent from current customers to continue marketing to them. Do it in an engaging way. That’s a must.
Provide explicit consent of your intentions to all new prospects when luring them in with shiny content. For example, download this form so I can phone you. That’s a must.
Go to the events your customers go to, get over yourself and introduce yourself. That’s a must.
Hold your own events.
Get more business cards…. they are not as useless as you may think.
Offer referral schemes to current customers. You should do that anyway.
Market your services within ethical channels. Where you customers go, you go
My list goes on, but it all centres around building clear authentic relationships. This is a good thing because most “sales” are won on the back of authenticity and trust. I see leading the charge with GDPR compliant sales processes a fantastic way to demonstrate your intentions.
So basically, what’s old is new again. While marketing needs to be particularly attuned to GDPR, sales reps also need obtain permission.
European company research firm DueDil rolled out a set of enhancements spanning list building, list analytics, compliance validation, and their API. DueDil’s products are used for sales intelligence, company research, and onboarding Know Your Client (KYC) / Anti-Money Laundering (AML) compliance checks.
DueDil added four Ownership search filters to assist with targeting firms with concentrated shareholdings “ripe for takeover.” The new screens include Total Shareholding Count, Individuals Count, Companies Count, and Shareholder Name.
The firm rolled out interactive lists which build upon their list capabilities. “Interactive List Reports offer a unique way of mapping whitespace and identifying new prospects, based on high-performing segments identified in a List Report,” said Product Marketing Manager Sam Hockley. “By accessing a customer list in Report view, common traits and trends are visualised, and the characteristics of quality customers can be easily identified.”
Users can now view any List Report segment in Advanced Search, surfacing the companies and related criteria. Users can drill down on segments to research anomalies or focus on size brackets within the list. The functionality can also be used to display similar companies while suppressing the original list, providing a tool for expanding the pool of ABM candidates.
Both the browser and API now support compliance checks including Politically Exposed Persons (PEPs), sanctions, fraud warnings, and adverse media. These checks are part of standard KYC / AML onboarding steps. The Adverse Media Check includes Gazette Status (receivership, shuttering a business) and County Court Judgments. Politically Exposed Persons lists identify government officials and close family members to flag funds which could be related to bribes, kickbacks, and money laundering. Sanctions lists flag individuals associated with terrorism, trafficking, and money laundering.
“Conducting these checks with DueDil allows businesses to identify any and all linkages of corporate ownership and associated individuals. As a result, when a check is run against a specific entity, that check can be extended to all of these related parties, returning any flags or sanctions across the entire group. Advanced datasets reveal the ultimate beneficial owner of a business and enable checks for PEPs and any sanctions levied against a business,” said Hockley.
DueDil performs KYC/AML checks against both businesses and individuals. People checks are performed in conjunction with Callcredit.
DueDil also recently launched API support for webform auto-population and enrichment.
UK business information vendor DueDil partnered with CallCredit Information Group for an enhanced KYC (Know Your Customer) service. The new API service provides real-time access to company, director, and beneficial ownership data to expedite onboarding and financial compliance.
“This service provides a one-stop-shop for a business’s identification and verification needs,” said Alan Golob, CallCredit Data Solutions Director. “By combining Callcredit’s data, industry knowledge and first line support capabilities with DueDil’s data and development expertise, we’ve created a service that will fully integrate into a client’s system or work as a standalone tool. Advancements in regulatory requirements have caused many businesses to reassess their processes and checks, and this solution answers this need.”
“Compliance is not only a regulatory requirement, it is the heart of every resilient business,” said DueDil CEO Damian Kimmelman. “This can only be achieved by having a true and comprehensive profile of the customers that you are dealing with. Customers of our new service will have the comfort of knowing that they can make KYC checks in a simple, automated way through a platform which is underpinned by one of Europe’s largest company information sources. Enhanced due diligence checks should form part of a balanced risk-based approach and can help organisations assess customers and meet regulatory requirements.”