LinkedIn has become an invaluable tool for sales and marketing professionals to identify and connect with potential customers. With over 740 million users worldwide, LinkedIn offers access to the largest professional network on the internet. However, there are growing concerns that some common prospecting approaches on LinkedIn could be in breach of data privacy laws such as the General Data Protection Regulation (GDPR).
What is prospecting on LinkedIn?
Prospecting on LinkedIn typically involves identifying and contacting people who work at companies that you want to do business with. Common prospecting approaches include:
- Searching for contacts at target companies using LinkedIn’s advanced search filters
- Sending connection requests to build up your network within target companies
- Messaging contacts directly through LinkedIn to introduce yourself and your business
- Using LinkedIn’s Sales Navigator tool to identify contacts and accounts
The goal is to build relationships with potential customers and ultimately generate leads and opportunities for your business. Done right, prospecting through LinkedIn can be an effective way to grow your pipeline and revenue.
How could prospecting on LinkedIn breach GDPR?
The GDPR imposes strict requirements around the collection and use of personal data. Some common prospecting activities on LinkedIn could potentially breach GDPR in the following ways:
Collecting data without consent
Searching for and identifying contacts at target companies on LinkedIn inevitably involves collecting some personal data such as names, job titles, and employer details. GDPR requires valid consent before collecting someone’s personal data. Response to a connection request does not constitute consent. If you use LinkedIn to gather data on contacts without obtaining their consent first, this could violate GDPR.
Processing data without a lawful basis
GDPR states you must have a lawful basis for processing personal data. The lawful bases include consent, contractual necessity, legal obligation, vital interests, public tasks, and legitimate interests. Relying on legitimate interests for prospecting is risky, as contacts may argue it doesn’t outweigh their privacy rights. Be sure you have a clear lawful basis for processing prospect data.
Collecting more data than necessary
GDPR requires data collection to be limited to what is directly relevant and necessary for the specified purpose. When prospecting on LinkedIn, it’s tempting to try to gather as much data as possible on your contacts. However, taking a blanket approach and collecting excessive data could breach the GDPR principles of data minimisation and purpose limitation.
Retaining data longer than needed
The GDPR states you must retain personal data for no longer than is necessary for the purposes for which it is processed. In practice, this means deleting prospect data once the prospect has been contacted, converted to a customer, or dismissed as an opportunity. Storing prospect data indefinitely just because it was gathered from public LinkedIn profiles could violate GDPR.
Not allowing data subjects to exercise their rights
GDPR provides data subjects with rights like the ability to access, correct, delete, restrict, and object to the processing of their personal data. If you are not prepared to comply with data subject requests related to any LinkedIn prospect data you have gathered, you could be in breach of GDPR.
Is all prospecting on LinkedIn banned under GDPR?
No, not necessarily. GDPR does not outright prohibit the use of LinkedIn for prospecting. However, some aspects of prospecting do carry GDPR compliance risks. Here are some tips for reducing your risk exposure:
- Only collect the minimum data necessary
- Anonymize prospect records where possible
- Have a lawful basis for processing prospect data
- Delete prospect data once no longer needed
- Allow prospects to exercise their data rights
- Avoid automated collection of public profile data
As long as you take reasonable steps to comply with core GDPR principles around consent, data minimisation, purpose limitation and storage duration, prospecting on LinkedIn can be lawful and GDPR compliant.
LinkedIn prospecting strategies to reduce GDPR risk
Here are some suggested strategies for reducing GDPR risk when prospecting on LinkedIn:
Focus on existing connections
Prospecting among your 1st-degree LinkedIn connections is generally lower risk, as you likely have implied consent to market to them within reason. However, you should still aim to minimise data collected and allow them to opt out.
Use privacy settings
Respect prospect privacy by adjusting your LinkedIn settings to not show who has viewed their profile. Avoid using browser extensions that expose profiling activities.
Customize outreach
Personalized messages demonstrate you are not using automated data collection or messaging tools prohibited under GDPR.
Obtain consent where feasible
For prospects outside your network, seek consent in your initial outreach. Avoid collecting or processing their data until you have received clear consent.
De-identify prospect data
GDPR does not apply to anonymous data. Where possible, record LinkedIn prospect info in an anonymized format.
Form a contractual relationship
Having a contract in place provides a lawful basis for limited data processing required to deliver the service.
Rely on legitimate interests carefully
Only use legitimate interests as a basis where you can demonstrate compelling justification and have minimized privacy impact.
LinkedIn Prospecting Approach | GDPR Compliance Risk |
---|---|
Searching profiles in target companies | High risk of breaching data minimization and purpose limitation principles |
Mass sending generic connection requests | High risk of breaching consent requirements |
Exporting prospect contact details from Sales Navigator | High risk of breaching data minimization without consent |
Messaging your existing connections | Lower risk if reasonable and customized |
Purchasing a targeted contact list | Depends on source and consent practices of list provider |
Storing collected prospect data indefinitely | Almost certain breach of data retention periods |
Getting consent right under GDPR
For prospects you don’t already have a relationship with, obtaining GDPR-compliant consent is crucial. Some key requirements for consent under GDPR include:
- Must be freely given, specific, informed and unambiguous
- Must involve some form of clear affirmative action
- Silence, pre-checked boxes or inactivity do not constitute consent
- Must be separate from other terms and conditions
- Must be verifiable – records should be kept
- Must be easy for the person to withdraw consent at any time
When initially contacting prospects via LinkedIn:
- Explain clearly who you are and what data you want to collect/process
- Outline the purposes the data will be used for
- Provide an opt-in checkbox or request they reply consenting
- State they can withdraw consent at any time
Penalties for GDPR non-compliance
GDPR sets out strict penalties for non-compliance, including:
- Fines of up to €20 million or 4% of global turnover, whichever is higher
- Stop-processing orders
- Civil litigation
- Criminal prosecution in some cases
- Reputational damage
Regulators have already issued major fines to companies found in breach of GDPR for prospecting activities. For example:
- H&M fined €35m for unlawful monitoring of employees
- British Airways fined £20m for failing to protect customer data
- Marriott fined £99m for inadequate prospect data security
The risks are substantial. But with care and preparation, it is possible to leverage LinkedIn for prospecting without falling afoul of the GDPR.
Conclusion
Prospecting via LinkedIn can deliver great results, but aspects of it carry GDPR compliance risks. To mitigate risk, focus on your existing connections, obtain consent where required, only collect necessary data, customize your outreach, and always allow prospects to opt out. With the right strategy, prospecting on LinkedIn can be effective while also GDPR compliant. But failure to address privacy obligations could lead to serious fines, so proceed with caution.