What picture does “outbound” conjure for you?
Is it a sense of accountability, proactivity, and ownership?
Or cold dread that your team may participate in the malpractice of hitting up random strangers who fit your nebulous “ICP” and badgering them into taking a trial or sitting through a gift card incentivized demo?
If it’s the latter… you are suffering from PLGD - Post Lead Gen Distress.
We’ve been there and done that. But we’ve also mended our ways.
What does that look like you ask?
💡 A harmonious and balanced approach where outbound isn’t cold. Outbound isn’t even “to close”. Outbound is a strategic touchpoint that does what every touchpoint should do - empower the prospect to better understand their problem, and embrace a viable solution.
Most importantly, it means an operation that is privacy compliant by its very design.
When GDPR hit, searches for “Is cold calling GDPR compliant?” surged in our Google Search Console.
With time though the GDPR conversation is no longer as “I’ll get fined” driven as it once was.
Other sweeping changes are evident.
Outbound as a stand-alone (frankly abused) channel has come under scrutiny.
The MQL hamster wheel is being dismantled.
But the C-suite has realized that outbound isn’t a reluctant partner in crime to marketing’s lead generation.
It can and should play nice with demand generation.
In fact, this sweet spot is where we discovered that privacy considerations aren’t a nuisance. They are a playbook to define the nature, intent, intensity, and quality of outbound touches as a part of piquing interest and reinforcing messaging.
Once you see the logic, you can’t unsee it.
What Demand Generation strategizes, Privacy quantifies.See Convert’s LIA
What does “legitimate interest” mean in marketing parlance?
It means that the personal data of an individual, who hasn’t specifically shared it with you (the business) through explicit consent can still be processed (added to your outreach platform or your dialer) if it is of clear benefit to parties involved, has limited privacy impact on the individual - and a key factor - is expected by the individual.
This is the most flexible of the 6 lawful bases that marketers can fall back on. Yet it sets standards:
💡 Don’t share or sell target audience information you’ve acquired. If you dissect the Legitimate Interest clause, you may find loopholes around 3rd party data sharing. But privacy considerations in general frown upon this practice. Don’t do anything that breaks trust before you’ve had a chance to even establish it. Another privacy mandate that is surprisingly marketing aligned.
Legitimate Interest seems like the stuff of dreams, right? You could go back to pre-2018 processing with impunity?
Because once you’ve established that outbound contact with prospects who haven’t consented to being approached isn’t “unlawful” or “unexpected” - you have to take a conscience check.
This is the most flexible of the 6 lawful bases that marketers can fall back on. Yet it sets standards:
❔ Should you do it, just because you can?
❔ And should you do it this way? (The specific way you have in mind).
Ponder these questions:
Even if the WHY behind your outreach is impeccable, you can still be denied access to your prospects by privacy watchdogs.
If what you have in mind “impinges on the fundamental rights and freedoms” of your ICP.
The scope of the discussion is broad. Every LIA lists out probing and thorough questions to address it.
These are the basic components of the Balancing Test:
This is the simplest section to navigate.
Despite best efforts, mistakes happen.
Legitimate Interest Assessment wants businesses processing data - however good intentioned - to have a plan B.
What do you do in case of a data breach?
What do you do in case you blast an email off to someone you can’t use any of the 6 lawful bases to contact?
This is more of a contingency blueprint (which frankly every marketing & sales team should have), covering measures like:
We hope you get the beauty and relevance we hinted at.
Privacy isn’t a nuisance that you comply with, begrudgingly.
Privacy is the bedrock of good marketing and sales. It is the conscience check that businesses have been missing.
💡 Through privacy, ethics have been reintroduced into marketing. And brands have seen the real potential of outbound - as a valuable touchpoint on the road to Won Deals from demand gen.
|What is the purpose of the processing operation?||
Business Development and Networking
|Is the processing necessary to meet one or more specific organizational objectives?||
|Is the processing necessary to meet one or more specific objectives of any Third Party?||
The objectives are set by Convert Insights Inc. and not any other Third Party.
|Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?||
Recitals 47 to 50 in the GDPR give some examples of when a Controller may have a Legitimate Interest which would need to be confirmed by a LIA. For Convert Experiences, two of the six generic examples in the GDPR of where a Controller may have a legitimate interest are of a particular note. RELEVANT & APPROPRIATE RELATIONSHIP - where there is a relevant and appropriate relationship between the individual and the Controller in situations where the individual is a client or in the service of the organization. REASONABLE EXPECTATIONS - the fact that individuals have a reasonable expectation that the Controller will process their Personal Data.
|Why is the processing activity important to the Controller?||
To reach out to businesses and individuals who have expressed either an interest in our product or a clear interest in exploring the option of better A/B testing tools in the market and are the most likely to value supporting information to make a better decision.
|Why is the processing activity important to other parties the data may be disclosed to, if applicable?||
No other parties are involved
|Is there another way of achieving the objective?||
|Would the individual expect the processing activity to take place?||
Since our targeting is accurate, no prospect should ever wonder why we have emailed. It is obvious based on what we do and what they do.
|Does the processing add value to a product or service that the individual uses?||
A/B Testing is the process of offering multiple options, for a web page, landing page, or design, to different portions of your audience and tracking each portion’s reaction.
For instance, you could create two separate landing pages, each with a different design, and allow 50% of visitors to see one and the other 50% to see the other. Then you can track each group’s reaction and engagement with the page they received. When one page gets significantly more engagement, you know that it’s of more value to your customer base.
The idea that everything you do as a company and brand should create value for your customer base ties directly to the value of A/B testing; not only does A/B testing allow you to see, in the short term, how successful a campaign or strategy or design can be with your audience, it also allows you to gather long-term and highly valuable information about how to create value for your customers.
A/B testing provides you with quantifiable, statistical information about what your customer base and online audience finds valuable.
|Is the processing likely to negatively impact the individual’s rights?||No|
|Is the processing likely to result in unwarranted harm or distress to the Individual?||No – the data we use can’t result in a harmful breach.|
|Would unwarranted harm or distress to the individual occur if the processing did not take place?||No|
|Would there be a prejudice to Data Controller if processing does not happen?||Financial Harm|
|Would there be a prejudice to the Third Party if processing does not happen?||N/A|
|Is the processing in the interests of the individual whose personal data it relates to?||Yes|
|Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?||
|What is the connection between the individual and the organisation?||
|What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?||
Under the GDPR, the personal data we collect should be adequate and relevant to the purpose of its processing (Principle c: Data Minimisation). That means we had to consider two key things: the adequacy of our data collection (how much data do we really need for what we are going to achieve) and the relevancy of our data collection (is the data we are collecting the right data for our purposes).
Ensuring Adequacy: Collect Only What We Need We only collect data that is strictly necessary to us.
Ensuring Relevance: Collect Only What Is Relevant We ensure we are extremely precise in choosing who our ideal prospects are and who our segments are, and tailor our campaigns to those prospects and their pain points.
We help set the target criteria for our prospecting activities routinely.
We build and verify lists for ourselves from scratch according to very specific targeting criteria (mentioned above), from publicly available sources.
Building the lists ourselves with target criteria in mind means we can ensure the adequacy and relevance of the data collected, and that we can keep detailed records of our lead generation process.
|Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?||
|Would the processing limit or undermine the rights of individuals?||
|Has the personal information been obtained directly from the individual, or obtained indirectly?||
We obtained the business information from public directories where businesses are published LinkedIn.com or Shopify.com agencies and expert directory for example. The personal information is then collected by finding the person responsible for web analytics. Marketing or conversion optimization
|Is there any imbalance in who holds the power between the organisation and the individual?||
No, given the individual can opt out of even the limited data usage we rely on. The individual holds the greater power.
|Is it likely that the individual may expect their information to be used for this purpose?||
|Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?||
The data is well protected with limited access, not shared with other controllers and retained only as long as strictly necessary.
|Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?||
Yes, in the cold emails we include three key pieces of information:
|Can the individual, whose data is being processed, control the processing activity or object to it easily?||
An ‘unsubscribe link’ at the bottom of our email is the easiest way to automate that process and ensure compliance across our lists.
That means that as soon as someone has asked us to unsubscribe, we delete their data. We keep a list (a suppression list) of all the companies and individuals who have asked to be removed from our database, then ensure that we do not contact them again.
|Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?||
As stated above, there are no privacy risks or harms.
|Safeguards include a range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing. These are likely to have been identified via a Privacy Impact Assessment conducted in relation to the proposed activity. For example: data minimisation, de-identification, technical and organisational measures, privacy by design, adding extra transparency, additional layers of encryption, multi-factor authentication, retention, restricted access, opt-out options. , hashing, salting, and other technical security methods used to protect data.|
|Please include a description of any compensating controls that will be put in place or are already in place to preserve the rights of the individual.|
|Using the responses above now document if you believe you are able to rely on Legitimate Interests for the processing operation. Please explain, perhaps using bullet points, why you are, or are not, able to rely on this legal basis. You should draw on the answers you have provided in this LIA.|
|Outcome of Assessment: We meet the definitions and requirement of the GDPR in our justification to use Legitimate Interests. Based on our processes, we do not believe that our processing will have a detrimental or harmful impact on the data subject. Data subjects may contact us at firstname.lastname@example.org to request removal or suppression from any data that we hold or to demand any other rights details within the GDPR.|