Lead Generation from Publicly Available Data
Lead Generation from Publicly Available Data
The case for using publicly available data as a lead generation source
A recent £187,000 fine from the Polish Regulator, the Personal Data Protection Office (UODO), should be a reminder that we need to be careful when working at the top end of the lead generation funnel.
In the desire to build a lead database, publicly available data sources, business directories etc. can all look very tempting. They are a quick, easy and available source of contact information.
So, what did the UODO not like, and how can you avoid a similar fine.
Firstly, get your ‘GDPR head’ on and start thinking about the data as personal data and not just a marketing lead!
Remember the definition of personal data is ANY information which RELATES to an IDENTIFIED or IDENTIFIABLE natural person. Emails, phone numbers, addresses, job titles are all personal data when you can relate them back to an individual. As a marketer, you know you will get better open and click through rates if you use a personal/named approach, so you will be looking to ‘scrape’ personal data from those publicly available sources.
But it’s B2B, business data, people at work! Surely that means it’s OK?
It’s OK to consider using it as a lead generation source, BUT it is personal data, so you must ‘do’ GDPR.
Start with your basic principles. Your processing of the data from the public source must be carried out LAWFULLY, FAIRLY and TRANSPARENTLY; that’s Principle 1.
Lawful requires you can ‘hang your hat’ on one of the six lawful bases for processing personal data . If you’ve had no contact or relationship with the people in the public source, you can quickly dismiss five of the available lawful bases; leaving you with legitimate interests.
Because you MUST use legitimate interests, you must now complete and document a legitimate interest assessment, the purpose of which is to demonstrate that your commercial need to build a lead generation funnel is not ‘trumped’ by the individual’s interests, rights and freedoms. Here are some key phrases you will be looking at in your assessment.
- Your ‘scraping’ of data is something that people would reasonably expect and that has a minimal privacy impact.
- your use of people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object if you explained it to them.
As the UK Information Commissioner says, “There’s no fool proof formula for the outcome of a balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified”. Remember, you may have to defend this decision in court, so no fudging it, be honest, objective and CONSIDER ALL THE ANGLES.
OK, so you have chosen legitimate interests and your documented assessment is such that you believe there is enough protection for interests, rights and freedoms.
Next you must address the fairness and transparency requirements of Principle 1. This is where the Polish data controller tripped up and landed the £187k fine.
For an individual to access their rights they must know who is processing their personal data. If you ‘scraped’ their contact details from a public source, how will they know i) this has happened, ii) who the controller is, and iii) how to contact them to exercise their rights? They won’t! So, you must do something.
What you must do is address the requirements of GDPR § 14. What this Article says is if you ‘scrape’ personal data from a source without the data subject knowing, you MUST get in touch with them and tell them what’s happening. Article 14 has a prescriptive list of things to tell each person but is essentially a copy of your privacy notice with the addition of information about where you got their data from - the source. The Polish controller’s defence was that it put the required information on its website. NOT good enough, you must provide the required information to each individual.
Are there any rules on how and when I contact them?
Yes. If you disclose the data to a third party, tell them when you disclose. If you communicate with them, tell them in that communication. If you keep them in CRM/MailChimp/spread sheet without contacting them, tell each individual within one month.
What have you learned?
There is provision in GDPR to scrape data from public sources, but you must work hard to satisfy the legitimate interests requirements and the fair processing information requirements. It won’t always be lawful. Interestingly, the UODO did not issue a penalty for failing to have a lawful basis, implying that in this case the legitimate interests of this controller were sufficient and balanced.
Why not take our mini quiz to see how knowledgeable you and your team are?
Here’s a link to the English version of GDPR.