EMG guidelines for processing prospect data
1. Be transparent with your source - where you found the mail address
2. Explain the purpose of the send out - why is the send out relevant to the receiver
3. Link to our privacy policy - explain how we keep personal data secure
4. Have an option to opt out - it should always be possible to opt out
Clear out old contacts from your prospecting lists
Keep a "no contact" list of prospects which have opted out
It is quite common for a company to purchase prospecting data, e.g. for newly started companies in a specific line of business or companies in a specific location. What is commonly purchased is company address and email data and/or contact information for a specific role within the company. The purpose of the data processing is to win these companies over, i.e. obtain new clients.
Communication about a specific service (B2B) directed to a company is exempt from GDPR, since the contact information (personal data) is related to a legal person at that company.
The information about the owner of a specific company would be considered personal data, and therefore fall under GDPR. But that data is also public (in Sweden), which would mean that it doesn’t fall under GDPR. This is somewhat of a grey zone.
Data concerning a specific role at the company should be viewed as personal data, though this data is usually made public by the person in question, for example on LinkedIn or the company home page.
Data can be obtained directly from the prospect (data subject), e.g. at a fair, company event or similar, or if the subject initiates contact.
Data can be obtained from the company where the prospect works or which the prospect represents, e.g. by calling the company reception and asking for contact information for a specific role.
Data can be obtained via a third party, e.g. through a common professional contact. Here it would be good practice to tell the data subject, at the first point of contact, via whom you’ve obtained the contact information (personal data).
Please be aware that prospecting data which isn’t public is more complicated, in terms of GDPR compliance, than public data.
Buying prospect lists from a third-party company: in this case it’s important that you, before contacting the prospects, confirm that the external company has acquired the data in a GDPR-compliant way, and that the prospects are aware of how their data is being used.