The big disclaimer: We’re not lawyers and this should not be considered legal advice. We’re based in Canada (ie. not Europe, but we do still like kilometers and the Celsuis scale). We think about software and security all day long: not spam jurisprudence. If after reading the below text you experience any of the usual GDPR symptoms, which may include uncertainty, doubt, headaches, frustration, cold sweats, backaches, fatigue, confusion, paralysis, fear, uncertainty - did we say that one already?- hopelessness, malaise, dread, resentment, eye-strain, or joint pain you should talk to your attorney. If you don’t have one, you should search the internet for a GDPR expert in your neighbourhood and skim past the first 10 results of ads from people claiming to be GDPR experts. Also - if you came across this article after searching “Zymewire GDPR” in hopes of reading our own GDPR compliance statement or security documentation, please send an email to email@example.com and we will send you an up-to-date record of compliance.
The regulations would suggest that as long as your company can legitimately help the prospect biotech or pharma company and you write a personalized email with the right extra details: you’re in the clear for your first outreach but you can’t keep trying.
The hype about needing consent for everything has overshadowed the other justifications for acceptable ‘processing’ of personal identifiable information. What the heck does personal identifiable information mean? That’s the stuff at the center of this whole GDPR discussion and it is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This means that the name and email of a business prospect fall into this definition if the person is based in Europe. Some people are challenging whether business email addresses should fall within the definition, but why even chance it? Let’s proceed with the assumption that business emails are just as much Personal Identifiable Information as someone’s @gmail.com email address or their home address.
Before we get too deep, two other definitions worth noting are the roles of Controller and Processor. These terms and the notion of processing are fundamental to understanding which sections of regulation apply to which types of companies or usages.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Non-legal translation: the one who is hoarding the personal information, whether this is in Excel spreadsheets, CRM systems or any other place you can store text.
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Non-legal translation: Companies or people that the personal information passes through at the direction of the one who holds the information.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Non-legal translation: Using personal information to get something done. In your case, to help you communicate with other companies.
At the crux of the cold email debate is Article 6, Section 1 of the GDPR. This is the section that lays out the ground rules for when personal information can be used by the controller (ie. the person that has the personal identifiable information).
Article 6 (1)
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c ) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The media and most blog articles from marketing systems, such as Hubspot, Autopilot, Salesforce Pardot, & Marketo, have picked up and ran with item (a) on this list, the consent clause. This is where a lot of the hype around GDPR has been focused.
Items b, c, d, e, f present alternative scenarios under which the Controller can legitimately process [use] the information. Item (b) is a no-brainer and all your existing clients will no doubt fall under this one. Item (c ) might be more applicable for your own legal team and isn’t relevant to the selling environment. Items (d) and (e) are outside the scope of most B2B transactions. However, Item (f) is where things get interesting in the context of selling to biotech and pharma companies.
If you provide contract manufacturing (CMO) services to biotech companies and you learn about a company planning to scale up manufacturing, is it considered spam if you email the VP of manufacturing directly to her work email asking if she might need help with the project? The question to ask is whether this will satisfy the above Article 6 (1) (f) requirement:
Your guiding principles should be asking yourself whether this comes from a genuine place and you think you can honestly help this person’s company with their business. That seems trite, but it’s an important way to think about how legitimate your purposes are. Chances are good that if you are already busy responding to RFPs and customer calls you’re not looking to waste time writing personalized emails to people who will not need your services. Keeping the manual factor in the mix here actually helps keep things compliant.
We occasionally get asked jokingly at Zymewire whether the system will draft their emails for them and deliver RFPs. While these people aren’t serious and no, Zymewire does not draft your emails, it illustrates that fact that any automated email or template-derived communication attempt is at risk of failing the test for “legitimate interest.” There are plenty of cadence or sales automation systems out there claiming to manage all the follow up and cold emailing for you. If you’re using one of those systems you may need to think twice about using it to target European prospects.
The bigger potential danger with anything overly automated is violating Article 14 of the GDPR. This is the bit in the regulations that specifies the rules for what to do in scenarios where consent is not explicit.
“Information to be provided where personal data have not been obtained from the data subject “
Article 14 is worth a read to get understand the spirit of what the regulators are attempting to achieve with GDPR. Here is the jist of it:
We recommend adding the below text to the footer of your emails. This keeps the compliance proof tied to each and every communication with a cold prospect and ensures that if a complaint were ever made, your proof of compliance with Article 14 is readily available because it is contained directly within the footer of the email . Any sort of he said/she said scenario is thwarted because you’re laying it all out in the single piece of communication. Ask your lawyer to give this the okay in your home country and as don’t forget to set up a centralized way to record any instances of people clicking the opt-out link.
Suggestion for what to add at the bottom of your emails to comply with Article 14:
Privacy and opt-out notice: To remain compliant with GDPR Article 14 I would like to inform you that I received your contact details from a service called Zoominfo. You can remove your name from that system using this link: Zoominfo Opt Out. You were sent this message under Article 6(1)(f) of GDPR because my company helps drugs development firms like yours resolve challenges in the drug development process and I believe we can help your firm. Our policy policy is here (Insert link to your own policy). If you would prefer not to receive further communication from my company in the future you can use this opt-out link to indicate your choice.
GDPR is going to have a positive impact on those sales professionals who understand the value of crafting a unique message with a time-relevant reason for the decision maker to take notice. If you’re doing this already then keep doing this. If you’re not already doing this, then take the heavy regulation as the opportunity to change your ways. Start thinking of what problems your prospect is likely going through and frame your outreach accordingly.
Here some sample openers to get you thinking along these lines: