Picking the right data provider for your company can feel challenging. But it doesn’t have to be. We care very deeply about data privacy, transparency, and data protection law compliance here at Dealfront. Unfortunately, we’ve seen a lot of conflicting information online which is part of the issue when you’re trying to make informed decisions.
We also understand that data privacy can be a complex topic in the context of its application in sales and marketing. Other vendors may not talk about this, but whenever you process personal data, you need to have a legal basis for doing so. Otherwise, such processing activity is illegal.
Most of the data vendors have to rely on the legal basis of so-called “legitimate interest” under the GDPR. Legitimate interest allows the processing of personal data without explicit consent under certain conditions. To do this, vendors are required to fulfill legitimate interest requirements and perform a “Balancing of Interest” test. What does that all mean?
Don’t worry, we’ll be going over:
What legitimate interest is
What the Balancing of Interest test is and when it can be applied
How data subjects can agree or disagree with the processing of their personal data
When you’re done, you’ll be able to make a more informed choice for your business.
What is legitimate interest?
“Legitimate Interest”, as outlined in Article 6 (1) lit. f GDPR, allows the processing of personal data if the processing is necessary to achieve a legitimate purpose pursued by the one processing the data or by a third party, and the interests of the people concerned do not override the interest of the processing party. In order to call upon “legitimate interest”, a party needs to:
Have a legitimate reason to do so
Have an interest or claim in processing the personal data that is stronger than the individual’s interest in protecting their own privacy
So the interests of the entity processing the personal data must be weighed against the rights and freedoms of the individuals whose data is being processed. But what exactly are the scenarios that are covered under that?
Balancing of interest: When can a vendor generally process personal data based on legitimate interest?
The data is publicly available, such as from an official trade register. This is information that was made public by law to help identify owners and decision makers, making it possible to do business within a country.
The data is made publicly available by an individual themselves. For example, a hiring manager has included their contact information in a job ad.
The data is made publicly available on a company’s website by the company. For example, on their “Meet Our Team” page: The information is put there with the employees’ consent and with the understanding that their data can be used in the context of business.
In the context of marketing communications: The contact has had previous dealings (purchased products/services) with your company and you believe you have another offer that will also benefit them.
When can’t you rely on legitimate interest?
It’s extremely problematic if personal data was collected, processed or stored unlawfully or without the data subject’s knowledge/control.
Here are examples of what problematic means in this context:
Data that’s been taken from a private conversation or phone book. If a customer emails you, they don’t want a 3rd party taking their details from there to resell online.
Processing private phone numbers and personal emails. We all have the right to separate our private lives from business. No one wants to receive unsolicited communication on their personal accounts. Keep in mind that you must respect strict e-privacy laws when using private contact details for marketing purposes.
Processing data from unknown sources. You can trace all of Dealfront’s data back to its sources. Unfortunately, we can’t say the same for other vendors. Often, data is stolen or acquired in other unlawful ways and passed on. You can never justify the use of this kind of data based on legitimate interest.
Storing and processing data indefinitely or processing outdated data
The GDPR requires that personal data be kept no longer than necessary once it fulfills the purpose that it was collected for. Not only that, the data has to be current.
Now that all the terms are clarified, let’s talk about what you can do to assess a data vendor.
5 important questions to ask when assessing a data vendor
Imagine you’re walking down the street and a stranger approaches you, offering you all of the contacts and their information from their phone. It’s odd and something you’d never think of accepting, right? So why would you do that online?
Our General Counsel, Hanna Lee-Wunderlich, has some great tips for you regarding GDPR:
Let’s expand on that. Here are five questions you can ask to make sure you can properly assess vendors:
Where do you source your data from? If they won’t tell you, that’s a red flag! They shouldn’t have issues with revealing how and where they get their data from if they’re compliant.
Do you source personal data from your community members? This is problematic because essentially, you’re asking community members to share contact information they have of others. You have NO way of knowing if these others have given consent to having their data shared with a 3rd party.
If I install your tools / plugins, will you be able to read my email? If yes, this is cause for concern because you’ll lose control of the personal data stored in your systems.
Do you have personal phone numbers or private email addresses in your database? If they answer yes, you need to find out if there’s a way to filter those out. Generally, higher data protection standards apply to a person's private contact details.
Where do you host your data? EU data subjects are often wary of hosting in the US or elsewhere outside of the EEA/EU, as these countries have different data protection standards than the EEA/EU.
Now you’re equipped with information on how to assess the data collection, processing, and storage practices when reviewing vendors. But what do you do when vendors start offering arguments trying to support their case?
Common vendor arguments and how to interpret them
You know how it is with customer objections, but do you know how to interpret vendor arguments? We’ve rounded up the usual suspects.
Argument 1: “But everyone in our database has been notified according to Art. 14 about our data processing.”
Sending out an email is NOT sufficient to fulfill a data subject’s information rights. It’s also unclear if the data subject even received/read the email. These kinds of emails usually end up in spam.
Argument 2: “We make it really easy to opt out!”
This is required, but it’s already too late if the data ended up in their database unlawfully in the first place.
Argument 3: “But we’re ISO certified.”
ISO, SOC or any other kind of certifications do not permit lawful processing or prove compliance with the GDPR or other privacy laws. These certifications typically fall within a specific scope:
How processes work
How processes are documented
They do NOT cover the personal data that flows within those systems.
Argument 4: “We only process B2B / business data.”
Great! But this is still considered personal data.
Argument 5: “We’re audited under Trust-e or ePrivacy Seal.”
Most of the badges that organizations like to display on their website to show they comply with certain privacy standards create a false sense of security. Why? These seals are issued by private, third-party providers for a fee.
That means there’s a financial incentive to issue them rather than to carefully vet those organizations and possibly deny issuance. Always check what the badges stand for and the requirements for issuing them instead of blindly relying on them.
Argument 6: “The GDPR doesn’t apply to us.”
If they are a US company that only has customers located and operating within the US, they don’t have to comply in the US. The moment that vendor has EU customers using their services, then the GDPR directly applies. Any time there are any EU data subjects involved, GDPR comes into effect.
Argument 7: “We are registered data-brokers.”
This is a requirement under certain US privacy laws and has no relevance to GDPR compliance in the EU.
Argument 8: “We are GDPR aligned!”
Sentences like “We adhere to GDPR principles.” or “We’re GDPR aligned.” demonstrate they’re just trying to be as compliant as possible. They’re not confident enough to declare their services as GDPR compliant. This uncertainty is an indication that they’re actually not GDPR compliant or not well-informed enough to know the difference. Both are problematic.
Argument 9: “We have successfully performed a data privacy impact assessment (DPIA).”
This is mandatory under the GDPR for certain high-risk or large-scale processing activities. Performing a DPIA has no meaning in relation to the lawfulness of their processing or data.
Don’t forget: You are responsible for data privacy the moment you acquire the data from data vendors. Don’t blindly trust their marketing materials!
So, to make sure you’re always on the right track when it comes to data sourcing, go through the following checklist to make sure you’ve done your due diligence.
The trustworthy vendor checklist
They rely on personal data from publicly available sources.
They carefully vet all data sources to ensure the quality and reliability of the data.
They never acquire data from data sources that have questionable data processing practices.
They can explain and provide comprehensive documentation on where they got their data.
They never share personal data or the personal data you share with other parties unless you explicitly asked them to do so.
So now you’re familiar with all the terms, have asked the right questions, and can interpret vendor arguments. What’s left for you to do?
Build a foundation of trust and reliability
We know there are a lot of things to consider when choosing a vendor for your business. The terms, suggestions and words of caution all boil down to one thing: trust. Not only do you want to do business with a vendor that you can trust; your customers need to know they can trust you too.
When you go through all of these steps to pick the vendor that is transparent and reliable, you’re also positioning yourself as a business that cares about these things.
But choosing a vendor is just the start. Your commitment to high-quality, transparent, and ethically sourced data is a journey, no matter where you’re doing business.