Rhetorik: What Does GDPR Mean for B2B Marketing? (Part II)

Yesterday, I presented a discussion of Legitimate Interest as the basis of GDPR communications.  For B2B companies in the UK, the 2003 PECR (The Privacy and Electronic Communications Regulations of 2003) law is often applicable when assessing GDPR and Data Privacy:

GDPR and Data Privacy under UK PECR and Non-PECR scenarios (Source: Rhetorik)
GDPR and Data Privacy under UK PECR and Non-PECR scenarios (Source: Rhetorik)

The PECR discusses soft opt-ins for individuals, sole traders and some partnerships, but not B2B.  The ICO states that “the term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.  The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts.”

Legitimate Interest also applies to data licensing relationships and marketing partnerships.  If personal data interest is maintained for a specific purpose (e.g. Technology Sales), data licensing and sharing needs to be kept within the original scope.

Legitimate Interest and Consent also apply within a company.  Data maintained for one product line may not be usable for others, particularly if the firm spans multiple sectors.

The UK Direct Marketing Association published guidance on the subject of Legitimate Interest helping make sense of Article 6.1.f:

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

And Recital 47:

“The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”

Once the basis of holding personal data is met, companies have additional conditions to meet around transparency (notification and the right to object), data minimization (Is there a legitimate interest in collecting all of the fields? How long is data retained?), and reasonable expectation (limited impact to personal and private life; ensuring data accuracy).

For individuals who opt out, firms must retain suppression lists to prevent the re-collection of personal information.  The suppression list should be the minimal information required to ensure the individual is not added back into the marketing database at a later date.  With B2B, the list may simply be name and email.

The GDPR also sets out expectations which are relationship specific:

  • Suspects – legitimate interest, reasonable expectation, transparency
  • Prospects – reasonable expectation; consent
  • Clients – contract, legitimate interest, reasonable expectation, data minimization, transparency

Part III of Rhetorik’s presentation discusses GDPR myths and applicable laws across Europe.


GDPR Article 6.1
GDPR Article 6.1

LinkedIn the #2 Social Media Platform across Multiple Metrics

LinkedIn is now the number two social media platform by usage, advertising spend, ROI and analytics tools.  Facebook remains number one.  “While LinkedIn is often considered a hub for job hunters and corporate recruiters, the platform has also shifted to position itself as a marketing engine in recent years,” said Jerry Ascierto, executive editor of The Social Shake-Up Show. “The recent updates to its ad platform and UI seem to be encouraging brands to increase spend. As a result, more companies are experiencing better ROI from this network than others considered more popular and ‘fun,’ such as Instagram, Twitter and YouTube.”

Source: Social Shake-Up.
Source: Social Shake-Up.

LinkedIn has benefited from a native video feature that was launched last year and was recently extended to company pages.

LinkedIn’s last official member count was 546 million global professional profiles.

Microsoft Chairman John Thompson said that the LinkedIn acquisition has been “wildly successful” and that Microsoft would be “all in” on a similar deal.  Of particular interest are firms that would help connect users to the Microsoft cloud.

Thomson was critical of firms that share or sell user data.  “Many of them make money off ads and they have used that as kind of a leverage point,” Thomson told Bloomberg.  “At Microsoft, we don’t believe in that.”

While Facebook has taken a series of hits on its sharing of member data, LinkedIn has long protected member data (for example, Sales Navigator does not permit the uploading of member information to CRMs but makes it available for display).  What’s more, Microsoft has built GDPR compliance into its product line and set it as a global standard.

LinkedIn celebrated its 15th anniversary last month.  “15 years ago, we launched LinkedIn in Reid Hoffman’s living room with the tagline ‘relationships matter’,”  said VP of Product Strategy Allen Blue.  “I’m proud to say that this mantra still rings true today in both the halls of LinkedIn and on the platform. While the world of work has evolved immensely — be it the tools and products we use, the ways we communicate, and even the jobs themselves — our need to connect with one another to be productive in our careers remains at the core of all we do.”

Salesforce: There is a “crisis of trust” concerning data privacy and cybersecurity

A few weeks ago, I wrote about enterprise software vendors calling for an American version of GDPR with Microsoft announcing that it was building GDPR into its global product line as its standard privacy protocol.

On the Salesforce earnings call last week, CEO Marc Benioff observed that the software industry has been going through a “crisis of trust for the past six months” related to privacy and data ownership:

“From the European perspective the way they look at data is data belongs to you, it’s your data. Now for us at Salesforce, we understand that. We’ve had that position from the beginning. Our customers’ data belongs to them, it’s their data. I think in some cases, the companies that are start-ups and next generation technologies here in San Francisco, they think that data is theirs. I think the Europeans with GDPR have really flipped the coin, especially in advertising but in another areas saying hey, this data belongs to the consumer or to the customers, you guys have to pivot back to the consumer, you have to pivot back to the customer.”

Benioff once again called for a US privacy law similar to GDPR which provides “guardrails” around trust and safety. “This is going to help our industry,” said Benioff.  ”It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”

Benioff also warned that when AI technologies are indistinguishable from humans, trust will also be an issue.

GDPR Perspectives from Microsoft, Salesforce, and SugarCRM

810px-Flag_of_EuropeIt is less than 36 hours until GDPR becomes the law of the land in the EU Zone.  As the regulation has extra-territorial privacy requirements, non EU companies, even those without a physical presence in the EU, are subject to its requirements with respect to communications with EU citizens and management of their data.

The US has a much weaker set of laws and there is concern that US firms are laggards with respect to compliance.  However, a number of US technology firms have called for adoption of a US GDPR.

On Monday, Microsoft once again reiterated its belief that “privacy is a fundamental human right” and announced that GDPR will be their privacy standard globally.

“As people live more of their lives online and depend more on technology to operate their businesses, engage with friends and family, pursue opportunities, and manage their health and finances, the protection of this right is becoming more important than ever.”

  • Julie Brill, Microsoft Corporate VP & Deputy General Counsel

Companies, therefore, have a “huge responsibility” to protect and safeguard personal data.

Since GDPR was enacted in 2016, Microsoft has dedicated 1,600 engineers towards compliance.  “GDPR compliance is deeply ingrained in the culture at Microsoft and embedded in the processes and practices that are at the heart of how we build and deliver products and services,” said Brill.

She noted, however, that GDPR is a “complex regulatory framework” subject to “ongoing interpretation” by regulators and feedback from customers.  As such, the firm will “determine the steps that we all will need to take to maintain compliance.”

As a provider of corporate infrastructure, Microsoft views GDPR as an opportunity to differentiate itself and assist its customers with compliance on the Microsoft Cloud.  “One of our most important goals is to help businesses become trusted stewards of their customers’ data,” said Brill.  “This is why we offer a robust set of tools and services for GDPR compliance that are backed up by contractual commitments.  For most companies, it will simply be more efficient and less expensive to host their data in the Microsoft Cloud where we can help them protect their customers’ data and maintain GDPR compliance.”

Additional details about Microsoft GDPR compliance can be found in their Trust Center.

Salesforce and SugarCRM have also taken a strong position on GDPR calling for similar legislation in the US.  “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” said Salesforce CEO Marc Benioff.

This is not a new position for Salesforce.  Back in 2014, Benioff said, “I’m all in favor of consumers having more power and more control over their data. As a consumer, you should have all of the rights. It’s like a cloud Bill of Rights. As a consumer or as an enterprise, you should have the right to be forgotten or to add or take away your data.”

As part of its compliance, the firm named their Senior VP of Global Privacy and Product Legal Lindsey Finch as their new Data Protection Officer.  Finch has been with Salesforce for a decade with previous stints at GE (Privacy Counsel), the Federal Trade Commission, and Homeland Security.

“The official DPO designation is a natural outgrowth of our existing programme. My team and I will continue to partner across the company to foster a culture of privacy – designing, implementing, and ensuring compliance with our global privacy programme, including ensuring that privacy is considered throughout the product development lifecycle,” said Finch. “The top theme I’m hearing is that our customers are using the GDPR as an opportunity to focus on their privacy practices and putting their customers—oftentimes end-consumers—at the center of their businesses. The GDPR is a complex law, but putting the individuals to whom the personal data relates at the forefront, and focusing on their expectations and preferences, is a great starting point for compliance with the GDPR and other privacy laws.”

Finch described Salesforce’s approach to GDPR compliance:

“We started by kicking off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document—99 articles and 173 recitals across 88 pages! Our Privacy team broke this down into key principles and worked closely with our Technology & Products organization to review our compliance. We found that we were already in a really great place,

Since then, a lot of the work we’ve been doing has been to document how our customers can use our services to comply with some of the key GDPR principles, which we’ve published on our GDPR website. There is no finish line when it comes to GDPR compliance. While Salesforce currently offers the tools for our customers to comply with the GDPR, we will continue to release new innovations that help our customers achieve compliance success.”

Salesforce CMO Simon Mulcahy echoed Benioff and Finch at the Salesforce World Tour event in London last week.  Mulcahy stated that many companies simply view GDPR as a compliance issue and nuisance, not an opportunity to align company interests with customer desires.  “It is a compliance issue, but it’s also a phenomenal opportunity to give your customers what they want. What they want is to know that when they give you their data, you’re looking after it appropriately.”

“Benioff is right that we will need some regulation and I can’t see how we can set two standards–EU and US–so we’ll likely need to adopt what the EU has done or risk chaos.  This also fits well into the narrative of the information utility. GDPR is another driver sending us toward utility formation for the information industry.”

  • Dennis Pombriant, Principal Beagle Research

Larry Augustin, CEO of SugarCRM noted that firms have been lax in their privacy and cyber security processes saying that self-regulation has proven to be insufficient with “too many incidents.”

“Data privacy issues are not going to go away. People are thinking a lot here now about GDPR, because Facebook, Twitter, and all of these issues keep coming. And Experian in the US, about managing personal information related to credit card data… there’s just a constant barrage of issues around data privacy and personal information,” continued Augustin.  “Everyone has to address it, whether it’s in the context of GDPR or the next thing that’s going to come along. There is definitely a heightened awareness and interest.”

SugarCRM has built a data privacy manager into its CRM as a “command center” for the data privacy officer.

In my discussions with clients. they all admit to the regulations being a muddle that initially adds risk to their business models.  The penalties are draconian, but the compliance requirements are ambiguous, particularly for B2B firms.  As such, we are likely to be hearing about issues concerning GDPR compliance requirements over the next few years.

Satya Nadella and “Trust in Technology”

Microsoft CEO Satya Nadella digressed from standard earnings call topics two weeks ago to discuss the importance of ethics, privacy, and cybersecurity.  While he did not provide a specific reason for the digression, the Facebook hearings and impending GDPR implementation were likely motivators.

Nadella noted that the intelligent cloud and intelligent edge are “tremendous opportunities” for Microsoft customers, but that it is critical that both Microsoft and its customers “ensure trust in technology” across three dimensions: privacy, cybersecurity, and ethics. Nadella argued that “privacy is a fundamental human right” and that the firm has implemented an “end-to-end privacy architecture” which is GDPR compliant.

“For customers, we will provide robust tools backed by our contractual commitments to help them comply with GDPR,” said Nadella. “In fact, for most customers it will be more effective and less costly to host their data in Microsoft’s GDPR-compliant cloud than to develop and maintain GDPR compliance tools themselves.”

With respect to cybersecurity, the company spearheaded a coalition of 34 global tech and security companies for the Cybersecurity Tech Accord, “an important first step by the industry to help create a safer and more secure online environment for everyone.”

Nadella also announced the establishment of an AI and Ethics in Engineering and Research Committee at Microsoft “to ensure we always advance AI in an ethical and responsible way to benefit our customers and the broader society. This includes new investments in technology to detect and address bias in AI systems. Microsoft stands for trust, and this will continue to be a differentiating focus for us moving forward.”

Up until recently, information technology and social media have been viewed as social goods with few drawbacks, but now that we are all tied into the social communications fabric, we are beginning to worry about the dark side of such connectivity whether it be job losses through automation, the stripping away of privacy, the vulnerability of our networks to hacks, or the undermining of objective truth and democratic systems.

One step towards addressing these problems is the GDPR Chief Privacy Officer requirement with its focus on privacy and cybersecurity.  At most companies, this role is likely to be one of compliance, not ethics or broader social questions.  At a few, however, this role may grow beyond mere compliance and begin to address the broader social and economic issues posed by information technology.

 

Are you ready for EU GDPR Compliance?

On May 25, 2018 the EU General Data Protection Regulation (GDPR) goes into effect, creating data privacy and security concerns for firms both inside and outside of the EU.  The GDPR covers both companies that provide goods and services to EU residents and those that are part of the value chain.  The regulation covers all individuals domiciled within the EU, regardless of where the company is headquartered.

According to Forrester, the regulation has five key requirements:

  • If a firm has “regular, systemic collection or storage of sensitive data,” they need to hire or designate a Data Protection Officer (DPO).  The function may be filled by individuals with legal, privacy, security, marketing, or customer experience.  The International Association of Privacy Professionals (IAPP) estimates that the regulation will require 30,000 privacy officers.  The DPO will need to work with security leaders with respect to identity and access management (IAM) and encryption.  They will also be involved in purchasing decisions around CRM, analytics, and other platforms.
  • Should a data breach occur, firms have a-72 hour window for reporting breach details to the authorities and customers.  The window begins as soon as the breach is detected.
  • Privacy must be built into any new projects with a “Privacy-by-design” philosophy.  Forrester stated that “sustained collaboration between teams will be critical, so firms will have to establish new processes to encourage, enforce, and oversee it.” For example, privacy officers will need to review business requirements and development plans related to new apps.
  • Extraterritoriality places requirements on firms outside of the EU, making it a global requirement.  Forrester notes that “a US-based data aggregator that collects and resells EU customers’ data to other business partners will need to comply fully with GDPR requirements, rather than simply meeting international data transfer rules.”
  • Firms will be responsible not only for securing data but providing evidence that they have implemented appropriate risk mitigation.  Thus, a firm can be held in violation even if they have not had customer complaints or data breaches.

US companies are still obligated to comply with the 2016 Privacy Shield agreement between the US and EU.  Forrester also warned UK firms to comply with the GDPR as lowering British privacy standards would only serve to complicate UK-EU data transfer rules post Brexit.

Forrester suggested that firms take a cost-benefit analysis to data instead of simply storing everything:

“Firms will learn to better assess the costs and benefits of records they process, store, and protect. They will progressively focus on collecting, buying, processing, storing, and protecting only the data that offers them the most value and will kill the rest.”

Forrester also suggested that privacy should be part of a firm’s DNA and some firms will integrate privacy into brand perception and the customer experience, providing a basis for competitive advantage.

Osterman Research conducted a survey of mid to large companies subject to the law to identify technology expenditure increases for GDPR compliance.

GDPR compliance expenditure increases (January 2017)
GDPR compliance expenditure increases (January 2017)

GDPR non-compliance costs are potentially very high with penalties up to the greater of €20 million or 4% of total worldwide annual turnover of the preceding financial year.

Quora: Why is My Information on Zoominfo?

I recently answered two posts on this question.  As Zoominfo data collection is opt-out versus opt-in, executives are sometimes concerned about what is being collected and how they can opt out.  Here is my post:


ZoomInfo collects data about US and international businesspeople. Information is gathered via web crawling (for bio data) and email plugins that collect signature information such as name, title, company, direct dial, and email. This information is then available to its customers who use it primarily for sales, marketing, and executive recruitment. Customer use cases include prospecting lists for B2B email and telemarketing campaigns, data hygiene (i.e. confirming you are still at a company and that your contact information is accurate), and call prep prior to telemarketing or recruitment calls.

Here is an example of how they provide additional information about you to LinkedIn users via their ReachOut Chrome plug-in:

The ZoomInfo ReachOut Chrome connector provides just-in-time company and executive intelligence from corporate websites and LinkedIn.
The ZoomInfo ReachOut Chrome connector provides just-in-time company and executive intelligence from corporate websites and LinkedIn.

ZoomInfo does not collect any consumer or credit information. Thus, they have no lifestyle data, political affiliations, donations, income estimates, age, family details, credit histories, personal emails, mobile phone numbers, or housing data. They focus strictly on your professional persona.

ZoomInfo’s privacy rules and how to opt out of their database can be found on their website.

If you would like to know more about ZoomInfo, I cover them on my blog.