Are you worried about your company finding a trustworthy way to buy prospect data for your sales, marketing, or recruiting teams? Don’t stress – we’ve got the essential tips you need to acquire prospect data safely while staying compliant with major data privacy regulations like GDPR and CCPA.

As a privacy professional or in-house legal counsel at a company that’s looking for a data vendor, ensuring compliance is likely high on your priority list. You need to do your due diligence to mitigate risks and protect your own company’s reputation.

That’s why Lusha – a compliance leader in the sales intelligence space – just hosted a webinar on “The Safe and Compliant Way to Purchase Prospect Data” where our privacy and compliance experts walked through a comprehensive checklist of must-have assurances and criteria to evaluate before selecting a data vendor.


In case you missed it (or wanted a refresher), here are the major takeaways: 

How to vet a data vendor for privacy and compliance

Take a look at their in-house team

Does the data vendor have an in-house team that’s hands-on and ready to deal with any potential privacy issues as soon as they pop up? 

Look for a team whose size is proportionate to the vendor’s number of customers and that includes a designated Data Protection Officer (DPO) and a compliance manager. Also check that the in-house team holds IAPP certifications, which prove that they can manage, analyze, handle, and process personal data as part of their role expectations.

Get contractual assurances about compliance

Make sure the data vendor can provide you with representations and warranties that prove they have the ability to compliantly provide you with the data they sell. Because data vendors share personal data with you, they need to comply with all relevant privacy laws (especially GDPR and CCPA).  

For an example of what this looks like, you can refer to Lusha’s standard Master Subscription Agreement – in section 7.4 it clearly states that we possess all necessary authority and permissions to give our customers access to the data we provide.

Check for certifications from independent auditors

It’s not enough for a data vendor to just tell you that they’re compliant – someone outside of the company should be able to confirm it, too. Look for companies that have undergone an objective audit from an independent body. 

You can ask the vendor to share a certificate that proves their compliance, like an ePrivacy Seal (the German auditor who evaluated Lusha and awarded them with a certificate). If the data broker can’t provide this, you might want to dig deeper to clarify their claims of compliance. Be aware of US companies that certify compliance with GDPR – they’re likely not as strict as European ones.

Verify they notify data subjects and allow for opt-out

Make sure your vendor doesn’t just talk the talk – they walk the walk. Verify that they follow critical GDPR requirements like providing proper notification to data subjects (Article 14) and having a process to notify you if a purchased prospect opts out (Article 19).

Confirm US and CCPA data compliance

Certain states in the US (like California under CCPA) require that data vendors register as data brokers. You can request that they provide you with documentation that proves they’ve done this. 

You can also ask them to show you a certificate from a third-party auditor that proves they’re compliant with CCPA, like Lusha’s confirmation from TRUSTe. 

Look for accreditation of security certifications

Few vendors have ISO 27701 certifications. It’s even rarer to find one that has had that certification accredited by an international body (like ANAB, which accredited Lusha’s certificate). Accreditation serves as an extra layer of assurance that the company’s privacy and security processes are rock-solid. 

Check compliance with UK Do Not Call lists

You don’t want your company to incur the high fees that come along with calling people registered on the TPS and CTPS (UK’s Do Not Call lists).

If you’re planning to acquire UK data, ask whether the vendor is an “official cleaner” of the TPS and CTPS. If they’re not, they don’t have an obligation to scrub their data in a timely manner. That means the risk falls on you and your company. 

Learn about using data after your partnership ends

Ultimately, individuals own their data – not any company who’s selling it. That’s why Lusha allows customers to continue using the data they’ve purchased from us, even after our relationship has ended. 

You can ask prospective data vendors to give you contractual assurance that they won’t stop you from using the data they’ve provided you after the contract is terminated. Some companies will go so far as to take legal action against former customers who continue to use the data they provided. 

Ask for a data processing agreement and independent controller status

When you sign on with a data vendor, enter into a Data Processing Agreement to make sure that your own employee and CRM data is protected. 

Also, make sure that this agreement states that both your organization and the data vendor are independent controllers in regard to the data provided by them. You want to make sure you’re not a processor or joint controller with the data vendor – that could leave you liable for their actions.

Protect your own data

As you evaluate data vendors, it’s not all about their data. You’re also potentially giving them access to your own company systems and data. Take a look at this checklist to make sure your internal systems stay safe: 

Set guidelines in a Data Processing Agreement

We just mentioned how important it is to enter into a Data Processing Agreement to protect your own data. This agreement, if done well, will define your company as the Controller and the data vendor as a Processor of your company data. It also should outline safeguards the data vendor will provide to protect your company’s data. 

Set restrictions on data sharing and selling

Never skip the fine print on your agreement with your data vendor. Some companies will use the data you share with them to boost their own database. 

You can ask them for contractual assurance that they won’t share or sell your data to third parties. If you want an example of specific wording to request from your potential data vendor, you can use Section 6.6 of Lusha’s form Master Subscription Agreement.

Require purpose-limited data usage

Make sure data usage is limited only to the specific purpose you’ve agreed on with the data vendor. You can have them confirm this with a certification of ISO 31700 (privacy by design).

Ask for security credentials 

You can request that a data vendor provides you with copies of all of their security certifications like SOC II and ISO 27001 to prove that they protect the data they handle. 

Request EU data storage

It’s no secret that Europe has some of the strictest data protection laws. Customers have more control over their data, and the risk of a breach is lower thanks to extra high security standards. For an extra layer of protection, request to have your company’s data stored in a European data center (and ensure that its subprocessors do this as well). 

Key takeaways

There’s a lot to take into consideration when your company is looking for a data provider you can trust, from do-not-call data to Data Processing Agreements and more. The main takeaway: it’s important to rigorously vet your vendors and set up safeguards before entering into a partnership.

Maintaining robust data privacy standards can be an ever-evolving challenge. But with the right strategies and checklists – and compliant partners like Lusha –  companies can ethically and legally acquire prospect data that allows sales, marketing, and recruiting to be more effective and efficient.
