The General Data Protection Regulation (GDPR) is a European privacy law that imposes obligations on organizations that offer goods or services to individuals in the European Union (EU), or that collect and analyze data related to EU residents. The GDPR went into effect in May 2018 and applies no matter where organizations are located as long as they process EU residents’ personal data.
What is LinkedIn Sales Navigator?
LinkedIn Sales Navigator is a paid subscription service from LinkedIn that provides sales professionals with tools to find new prospects, maintain customer relationships, and generate leads. Key features of LinkedIn Sales Navigator include:
- Advanced search filters to find prospects based on location, company, job title, and more
- Lead recommendations using artificial intelligence
- Saved lead lists and customized alerts when prospects meet specified criteria
- Contact insights and news alerts on accounts and leads
- TeamLink collaboration tools
- Mobile apps
Sales Navigator integrates with LinkedIn’s professional social network data to provide sales teams with detailed information on prospects to help drive sales.
What data does LinkedIn Sales Navigator collect?
To provide its services, LinkedIn Sales Navigator collects and processes the following categories of data:
- Contact details such as name, email, phone number, job title, and employer
- Profile information such as skills, education, experience
- Social connections and relationships
- Interests and preferences based on content interactions
- Device data such as IP address, browser, operating system
- Location data
- LinkedIn activity such as shares, page views, searches
- Usage data of Sales Navigator features
Much of this data comes directly from LinkedIn member profiles. Additional data is collected from engagement with LinkedIn services and third-party integrations. The data is used to generate lead recommendations, contact insights, target account lists, and other Sales Navigator features.
What are the GDPR requirements?
The GDPR imposes stringent requirements on handling personal data of EU residents. Key requirements include:
- Lawful basis for processing – Data must be processed lawfully, fairly and transparently. Valid lawful bases include consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate business interests.
- Data minimization – Data collected should be adequate, relevant and limited to what is necessary.
- Purpose limitation – Data can only be obtained for specified, explicit and legitimate purposes.
- Data accuracy – Data must be accurate and kept up to date.
- Storage limits – Data should not be stored for longer than needed for its purpose.
- Integrity and confidentiality – Appropriate security must protect data.
- Accountability and transparency – Organizations must demonstrate compliance.
Is LinkedIn Sales Navigator GDPR compliant?
LinkedIn states that it has taken steps to comply with GDPR requirements across its products and services, including Sales Navigator. Some of the key ways it supports GDPR compliance include:
- Providing transparency into data collection and use through privacy policy notices
- Obtaining consent from members to process data for specified purposes
- Allowing members to access, rectify, restrict, object to, or delete personal data
- Implementing privacy by design and default into products and services
- Pseudonymizing and anonymizing data where possible
- Limiting data use to purposes stated and not keeping it longer than needed
- Securely processing data in accordance with industry standards
- Entering into GDPR-compliant contracts with vendors and partners
- Training employees in data protection and information security
- Regularly evaluating technical and organizational privacy measures
Specifically for Sales Navigator, LinkedIn aims to be compliant by:
- Providing notice to users explaining what data is collected and for what purpose
- Obtaining explicit consent from users to enable data processing where needed
- Allowing users to revoke consent or request data deletion at any time
- Collecting only data needed to provide Sales Navigator services
- Implementing access controls and encryption to protect data
- Entering data processing contracts with customers that outline responsibilities
- Training sales personnel on GDPR requirements
- Conducting regular audits and reviews to validate continued compliance
Does LinkedIn offer GDPR-compliant contract terms?
Yes, LinkedIn has incorporated GDPR-compliant data processing terms into Sales Navigator contracts. Key terms include:
- Naming LinkedIn and the customer as independent data controllers for data processing
- Outlining data protection responsibilities for each party
- Warranting that data transfers will only occur as needed for the service
- Ensuring appropriate technical and organizational measures protect data
- Including GDPR-specific clauses around audits, security incidents, data transfers, sub-processing, and more
- Incorporating standard contractual clauses for cross-border data transfers
- Allowing data subjects to exercise GDPR rights through either party
- Committing both parties to cooperate to fulfill GDPR obligations
LinkedIn also provides supplementary information regarding its security and compliance programs. Customers can request additional specifics as needed to conduct due diligence.
Does LinkedIn offer guarantees of GDPR compliance?
While LinkedIn strives to enable compliant use of Sales Navigator, it stops short of guaranteeing full GDPR compliance. There are several reasons for this:
- Compliance depends on how customers configure and use Sales Navigator features
- Customers may need to implement additional controls based on their environments
- Customers are responsible for ensuring lawful data processing on their end
- It is not possible to guarantee compliance with all GDPR requirements in all circumstances
- The GDPR grants some discretion and flexibility that makes firm guarantees difficult
- Regulators determine compliance and may interpret the law differently
Instead, LinkedIn focuses on providing transparent information on its data practices and control features to enable customers to make their own assessments regarding GDPR compliance. Customers should conduct risk assessments and due diligence to determine if Sales Navigator meets their specific compliance needs.
What steps can customers take to ensure GDPR compliance?
While LinkedIn aims to support GDPR compliance, the responsibility ultimately lies with the data controller – the customer organization. Steps customers can take include:
- Reviewing LinkedIn’s privacy policy, data processing terms, and documentation
- Conducting audits and assessments of data flows and privacy risks
- Validating that appropriate consents are obtained from data subjects as needed
- Utilizing Sales Navigator data minimization, access, and deletion controls
- Limiting data use to lawful purposes and accessing only the data needed
- Securing appropriate GDPR-compliant terms with sub-processors
- Implementing additional technical controls like encryption as required
- Providing notice, choice and rights exercise mechanisms to data subjects
- Training personnel on GDPR responsibilities and Sales Navigator features
- Establishing GDPR accountability and governance controls
- Monitoring compliance on an ongoing basis and remediating issues
Can Sales Navigator support GDPR compliance in high-risk scenarios?
For high-risk data processing activities like large-scale profiling or automated decision-making, Sales Navigator has limitations in enabling full GDPR compliance. In these scenarios, customers would need to implement substantial additional controls such as:
- In-depth impact assessments and risk mitigation strategies
- Enhanced disclosures and explicit consent mechanisms
- Stronger data anonymization or pseudonymization methods
- Data subject rights management tools
- Advanced access controls and activity logging for transparency
- Oversight programs involving personnel training and management approval workflows
- Third-party audits and certifications
LinkedIn provides some capabilities to support these controls but cannot offer a complete high-risk GDPR solution out of the box. Customers with high-risk needs should conduct in-depth assessments and work closely with LinkedIn to determine if and how Sales Navigator can be utilized compliantly.
Does LinkedIn recommend any other products for GDPR compliance?
LinkedIn offers two other products that can help strengthen GDPR compliance programs when used alongside Sales Navigator:
- LinkedIn Matched Audiences: Enables GDPR-compliant analytics and ad targeting by allowing anonymization or pseudonymization of data used for these purposes.
- LinkedIn Marketing Developer Platform: Offers APIs and event tracking to capture consent as well as manage and report on data subject rights requests like access, rectification, restriction, etc. Provides transparency into data flows.
Additionally, LinkedIn recommends exploring specialized third-party solutions to fill any GDPR capability gaps, such as:
- Consent and preference management platforms
- Data discovery and mapping tools
- Data masking and anonymization services
- Data subject rights management systems
- Data protection impact assessment software
Integrating the right mix of tools and controls from LinkedIn, third parties, and in-house systems can enable full GDPR conformity for Sales Navigator deployments in most organizations.
What are the risks of non-compliance?
If Sales Navigator is utilized in ways that fail to comply with GDPR, customers risk facing significant penalties and sanctions. Potential consequences include:
- Fines up to 4% of global revenue or €20 million, whichever is higher
- Stop-processing orders that may ban use of personal data
- Reputational damage and loss of customer trust
- Civil lawsuits and claims for compensation by data subjects
- Criminal charges against the organization and personally liable staff
- Required notification to regulators and affected individuals in case of a breach
- Inability to operate in the EU marketplace
- Competitive disadvantage compared to compliant peers
- Increased regulatory scrutiny and oversight
In addition to regulatory penalties, organizations found non-compliant may face significant business disruption, legal costs, and drops in revenue and stock price valuation. Using Sales Navigator in a GDPR-compliant manner can help mitigate these extensive risks.
Conclusion
While LinkedIn aims to provide Sales Navigator customers with tools and information to support GDPR compliance, full conformity with the regulation ultimately remains the responsibility of the customer organization. Utilizing the right combination of LinkedIn capabilities, third-party solutions, and internal controls tailored to your compliance needs and risk tolerance levels can help ensure GDPR alignment. But due to the complexities and nuances of the regulation, LinkedIn avoids making absolute guarantees of compliance.
To leverage Sales Navigator effectively under the GDPR, conduct in-depth due diligence, implement strong governance practices, take steps to minimize risks, and monitor compliance on an ongoing basis. Work closely with your legal, IT, and data security teams along with LinkedIn representation to determine how Sales Navigator can be deployed compliantly based on your specific organizational context and data processing activities.