A complete guide to B2B data compliance and cold outreach

If you handle any data from your customers, even if it is just an email address, you need to have rock-solid data security. Each time your customer interacts with your brand, they leave behind some form of personally identifiable information (PII), which you are required to safeguard from any kind of loss, theft, corruption or misuse. If you are wondering what data protection is and how to do it, you have come to the right place.

Table of contents

  • Definition of B2B data compliance and the two types of data protection
  • Demystifying common legal terms related to data compliance
  • Benefits of adopting data compliance in your organization
  • Guide to how you can achieve impeccable standards of data protection and privacy for your customers

What is B2B Data Compliance?

Data compliance is a term used to describe the formal standards and practices that ensure your customer data is protected from loss, theft, corruption, and misuse. As a term, data compliance covers all regulations your organization must follow regarding how you collect, organize, use and store your customers’ data. This means that no matter who your customer is, you must keep their personally identifiable information (PII) and financial details confidential and prevent their sensitive data from falling into the wrong hands.

There are two kinds of data you need to pay attention to when it comes to data protection: personal data and business data.

Personal data: Personal data refers to any information that can directly or indirectly identify an individual, and this is directly under the purview of data compliance legislation. Personal data includes everything from names, identity numbers, locations, and email addresses or usernames to cookies and IP addresses.

Business data: Business data is information related to a business, such as its name, public email, and landline number. Business data is not protected under data compliance laws. However, the line is very thin: information relating to a one-person company may constitute personal data where it allows the identification of a person. Moreover, some business email addresses also fall under personal data, such as those that contain the name of an individual.

Let us break down some common legal terms related to B2B data compliance in the next section.

Common data-related legal terms demystified

Digital Identity: A digital identity is an online or networked identity adopted or claimed in cyberspace by an individual, organization, or electronic device. With each upload, each click, and every second you spend online, you leave behind some traces of your identity in cyberspace which in totality forms your digital identity.

Personally Identifiable Information (PII): Personally identifiable information represents any sensitive information connected to an individual that can identify or pinpoint their location. While PII has several formal definitions, generally speaking, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Personally Protected Information (PPI): PPI refers to information that is non-public and protected by the government. This includes a person’s social security number, home address, date of birth, and home phone number.

Anonymization: Anonymization is a data processing technique that removes or modifies personally identifiable information to create data sets that inform but do not reveal the identities of the people represented.

Pseudonymization: Data processing under pseudonymization creates a separation between the data subject and the personal data. A person cannot be identified without additional data that is stored separately. Compliance laws like the GDPR advise organizations to pseudonymize and/or encrypt all personal data. This encryption may not stop malicious actors from accessing the information altogether, but it does make it much harder for them.

Consent: An independently offered indication of a person’s wishes, given through a statement or an affirmative action, qualifies as consent around personal data so long as there is an option to withdraw that consent (for instance via an ‘unsubscribe’ link at the bottom of marketing emails).

Explicit consent: Some data compliance laws require a consent with a written statement or a digital note, the key being that it must be able to be verified, something that would be difficult to do with an oral form of consent. This type of consent is called explicit consent.

Unambiguous consent: Unambiguous consent involves knowingly checking a box or agreeing to technical terms which clearly indicate in this context the data subject’s acceptance of the proposed processing of his or her personal data.

Opt-in consent: An opt-in regime requires organizations to obtain explicit consent from the user before collecting and processing their personal data. Explicit consent is sought by asking for an affirmative action that indicates your agreement to the processing of your personal data. For example, whenever you visit a website, you can manually opt in to having your online activity retained for various purposes.

Opt-out consent: Opt-out means that the recipient has to withdraw consent after your initial outreach. There are two main ways through which opt-out options are offered to the consumer:

a) Pre-emptive opt-out in which you can untick/uncheck a pre-selected checkbox

b) Consent withdrawal where you are provided a clear option to withdraw your permission or change your preferences through an unsubscribe button in your mail or newsletter.

Legitimate interest: An unspoken agreement (though enforced by laws like GDPR) that allows a user to trust that companies will use the data they collect for things of use or importance to the individual. It depends on purpose, necessity, and balance. As a company requesting data from your customer, you must ensure you have a legitimate interest in asking for the information and that legitimate interest is not overridden by the individual’s interests, rights, or freedoms.

First-party data: The data you collect directly from your audience or customers is called first-party data. This data may include intent data from behaviors, actions or interests demonstrated across your website(s) or app(s), your CRM data, subscription data, or data from your social media accounts.

Second-party data: This is the data you get from another organization’s first-party data. Second-party data is similar to first-party data, but it comes from a source other than your own audience.

Third-party data: Third-party data is data that you buy from outside sources who generally do not hold data but source it on demand. A third-party data aggregator collects and organizes this data for you in compliance with data protection laws. A good example of this is FHG’s data processing as a service (DPaaS).

Walled gardens: A walled garden is a data approach where all information sought from customers is kept in a closed ecosystem with all operations managed by the ecosystem controller.

Dark patterns: Dark patterns are actions that nudge users into making uninformed choices about their personal data which they do not intend, typically to their own detriment and to the benefit of the organization. These may be tactics or practices intended to trick people on the internet into purchasing, committing to, or signing up for things without clearly understanding that they are doing it.

Now that we have gone through some common aspects of data compliance, we come to a differentiating factor, the location. Data compliance is worldwide but the laws are different, depending on where you are or who you sell to.

In the following section, I will go into detail on the different region-specific B2B data compliance laws.

What are the different B2B Data Compliance laws?

There are myriad industry-specific and location-specific regulations concerning data security and data privacy for you to know about, depending on your business model.

I have collated some of the most well-known and broadly utilized data protection regulations below.

GDPR: The General Data Protection Regulation
The GDPR is one of the most popular privacy laws in the world due to its clarity and breadth of descriptions. At its core, GDPR defines rules designed to give EU citizens more control over their personal data and help them fully benefit from the digital economy.

The legislation came into force across the European Union on 25 May 2018. The GDPR covers all the European Union member states and while most member states follow the Opt-in option, there are some which follow the Opt-out option as well.

Countries with an opt-in regime, i.e. those that require explicit consent before marketing communications are sent, are:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Germany
  • Greece
  • Italy
  • Lithuania
  • Malta
  • Netherlands
  • Norway
  • Poland
  • Romania
  • Slovakia
  • Slovenia
  • Spain

Countries with an opt-out regime, i.e. those that allow communications to be sent straight away with an unsubscribe option to withdraw consent, are:

  • Estonia
  • Finland
  • France
  • Hungary
  • Ireland
  • Latvia
  • Luxembourg
  • Portugal
  • Sweden
  • The United Kingdom

Under the terms of GDPR, not only do organizations have to ensure that personal data is gathered legally and under strict conditions but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.

The GDPR requires a legal basis for data processing, and every processing activity must rest on one of the following legal bases:

  • Processing is necessary to satisfy a contract to which the data subject is a party.
  • You need to process the data to comply with a legal obligation.
  • You need to process the data to save somebody’s life.
  • Processing is necessary to perform a task in the public interest or to carry out some official function.
  • You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it is a child’s data.

GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. What this ultimately means is that almost every major corporation in the world needs a GDPR compliance strategy.

Penalties for not adhering to the GDPR are severe, with the maximum fine being €20 million or 4% of annual worldwide turnover for the preceding year – whichever is greater.

CASL: The Canadian Anti-Spam Legislation

Canadian Anti-Spam Legislation (CASL) concerns email marketing and applies to all emails sent to Canadian residents as part of commercial activity.

The primary feature of CASL is that recipients must give companies consent before they can email them. Implied consent can be used to send unsolicited B2B emails if the person’s email address is publicly available (e.g: on company websites) and unaccompanied by a statement that confirms they do not wish to receive email marketing to their business email address.

If the person’s email address isn’t publicly available, B2B companies must ensure they only contact customers or prospects who have given consent. Apart from unambiguous consent, another provision of CASL requires that a clear unsubscribe option is included in all marketing communications.

The penalties under CASL can be severe. The maximum fines are $1 million for individuals and $10 million for corporations per violation.

CAN-SPAM: United States Privacy Law

In the US, the CAN-SPAM act has been in force since 2003, governing commercial emails. CAN-SPAM dictates that marketers cannot be dishonest when sending electronic messages. It also requires them to provide an unsubscribe function in their emails and act on it within ten days. There are no exceptions for B2B marketers.

CAN-SPAM is enforced primarily by the FTC (Federal Trade Commission). The FTC has the power to impose penalties of up to $16,000 per email that violates CAN-SPAM.

CCPA: The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) focuses on consumer privacy rights. The law which came into effect on January 1, 2020, regulates data belonging to individuals, such as internet activity, cookies, IP addresses, and biometric data, as well as “household data” generated by IoT devices in the home, for example. Under CCPA, consumers will have the right to know what personal data is collected or sold, and for what purpose, including disclosures of previous sales dating back to January 1, 2019. They will have the right to access the data, to request its deletion, and to opt-out of it being collected or sold. Those who exercise these privacy rights will still be entitled to equal services at the same cost. Consumers will also have the right to sue companies for data breaches and for privacy failures.

Any organization that could potentially possess the data of a California resident could be subject to CCPA regulations, and non-adherence could lead to penalties of up to $7500 per violation. In addition, consumers will be able to sue companies for data breaches for damages of $100 to $750 per record.

LGPD: The Brazilian General Data Protection Act

In Brazil, the LGPD came into force in August 2020. The law regulates companies that hold data on citizens of Brazil, whether they have a physical presence there or not.

While the LGPD does not have a single example for what it considers as personal data, the legal document does echo parts of the GDPR’s definition of personal data. The LGPD states in various places that personal data can mean any data that, by itself or combined with other data, could identify a person or subject them to a specific treatment.

The LGPD governs how companies can keep data on their customers. This law does not apply to non-personal data, such as B2B data. However, it’s a good illustration of how countries are tightening up their data privacy laws.

Australian and New Zealand’s Data Privacy Regulations

In Australia and New Zealand, the Privacy Act regulates the handling of personal information by relevant entities. Under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement remedial efforts.

The maximum fine for a serious invasion or repeated invasions of privacy (i.e. breaches of the privacy law) will be increased to the greatest of AUD 10 million (approx. €6.1 million), three times any benefit obtained from the breach, and 10% of Australian annual revenue.

The Personal Data Protection Act (PDPA)

The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. The PDPA recognizes both the need to protect individuals’ personal data and the need of organizations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA covers personal data stored in electronic and non-electronic formats.

It generally does not apply to:

  • Any individual acting on a personal or domestic basis.
  • Any individual acting in his/her capacity as an employee with an organization.
  • Any public agency in relation to the collection, use or disclosure of personal data.
  • Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number, and similar information.

The maximum financial penalty for contravening the PDPA will increase to up to 10% of an organization’s annual turnover in Singapore, or SGD 1 million, whichever is higher.

What are the benefits of Data Compliance?

Compliance with the law

The most obvious motivation for focusing on data compliance is of course compliance with the law, as a failure to do so creates an extreme risk to your business. These risks to your company can be financial or reputational. In some cases, this risk can represent the end of your business, and in others you might end up being charged with a hefty fine for non-compliance. Apart from the fines, the damage to your company may be irreversible and can negatively affect your company’s reputation.

Consumers need to trust the companies that use their personal data, and a failure to comply can send customers leaving in droves, with a nasty effect on your customer retention.

Increased trust and credibility

Data compliance can support your business in helping you build more trusting relationships with your customers and the public generally. When gathering consent to use data subjects’ data, you will have to explain clearly and concisely how you will be using their personal information.

Since consumers are becoming more and more suspicious about how their data is handled, the transparency and responsibility you demonstrate will encourage trust in your brand. Thus, you can use the GDPR to underline that you do care about the privacy of your current and prospective customers and stand head and shoulders above your competitors.

A better understanding of the stored data

To be compliant, you should know precisely what sensitive information you hold on people. Compliance, therefore, requires you to audit all the data you have, which will enable you to minimize the data you collect and hold, better organize storage and refine data management processes.

An audit of stored data grants a better understanding of the stored data in two key ways:

First, you will be able to detect and get rid of redundant, obsolete, and trivial (ROT) files that your organization retains even though they have no business value. By cleaning up this data, you will cut the cost of storing and processing it and may erase sensitive ROT data, such as former customers’ personal information. Even ROT data poses a high and unjustified risk to your organization, so why take responsibility for something that has no value to you?

Second, after you analyze all data you have, you can implement mechanisms for fulfilling another GDPR requirement — making data globally searchable and indexed. This will help you more easily handle subjects’ requests to delete the data if they exercise their right to be forgotten. On the other hand, this requirement will encourage you to reorganize data storage so your staff will be more productive and efficient while working with accurate, easily searchable, and accessible data.

Three-part B2B data compliance checklist for marketers and data controllers

To effectively perform data compliance, you need to understand your data and where it comes from. This includes pertinent information such as what type of data you collect, how it is used, and what safeguards are in place to protect data subjects.

The below section helps you do just that by providing guidance on performing actions required by data compliance authorities for data protection and security.

  1. Conduct a data audit to check what kind of personal data your company holds on your prospects or customers

The first checkpoint to data compliance is to conduct a thorough check into which personal data is currently held through a “data audit”. You will need to appoint people across the business to facilitate the audit as this is a very significant piece of work.

It is important to understand what type of data you are dealing with on a regular basis. The type of data you store will determine which information security standards and data security laws you are required to follow, so this is the best place to begin when seeking data security compliance.

  2. Check how you source your B2B data to see whether the source is in compliance with data protection laws

How you source your data plays a very important role in laying the foundation for data protection and compliance as the data collected will often be used for B2B sales by your marketing and sales teams.

If you are collecting data through in-house or internal teams, then you need to make sure that the process used to collect the data is GDPR compliant and that you are sourcing the data with all security measures in place. This involves making sure that all data is thoroughly audited and stored with encryption to reduce the risk of fraud or data theft.

When you get the data from a reputable third party or an external source such as FHG, you can rest assured that the data provided to you is safe and in line with the local data compliance laws. Not only this, the data you receive from us will be enriched across 25 data points such as prospect data, categorical data, firmographic data and contact data, to name a few, saving you the pain of working with limited data.

  3. Audit how you are handling the data to ensure internal processes are upholding data protection

Now that you understand which kind of data you have and where it comes from, the next thing to pay attention to is what you are doing with this data. Your organization may perform many processes such as data acquisition, upload, migration, transformation, analysis, storage, recovery, and archival. In evaluating how you are processing personal data, consider all the processes that surround your business services, not just the organizational processes behind the core business services that you provide.

Companies that send out commercial email marketing campaigns are required by law to include opt-in or opt-out options in each email, depending on the region. Additionally, you should list these legal policies in your privacy statement so customers know how their information is being used.

Furthermore, listing your company’s name, website, address, and contact email gives your customers all of your contact information up front in case they have any questions about your privacy policy or how you use their personal information.


In today’s era of big data, data has become central to marketing and strategy. This data-filled world of marketing comes with a caveat: issues such as data compliance, consent, and intent come along with the data. However, instead of thinking of data compliance regulation as a roadblock, think of it as a necessary tool to clear away cluttering information and establish business connections that actually matter.

As you initiate the process of data compliance, remember there is no one-size-fits-all approach: no single rule applies universally, and different regions adhere to their own data protection laws. The ever-changing digital world adds further regulatory change and complexity. So, make sure to keep abreast of the latest rules and regulations in the markets your company operates in, or simply partner with a reputable third-party B2B data supplier like FHG. When choosing your data supplier, selecting a GDPR-adherent B2B data supplier is crucial: if the data supplier is not following GDPR norms, you will be in breach of the regulations once you control that data.

How FHG can help with B2B Data Compliance

FHG’s GDPR and ePrivacy adherent sales automation solution makes your outreach secure and seamless. We provide an end-to-end B2B leading solution with on-demand generated B2B data and multi-channel personalized outreach automation software to generate sales qualified leads securely.

Book your discovery call today to see how you can scale your opportunity generation.

Have questions about our services, pricing or company? Send us a message.