Previously on the Monsanto case…
Following the “France 2” (French TV) survey on influencer mapping methods used by Monsanto, a debate emerges on the lawfulness of such maps in the public affairs sector.
Few days after these disclosures, legal studies confirm that for GDPR these methods are licit, under certain conditions. It is was Erwan Le Morhedec, lawyer at the Paris bar and expert in public affairs, explains in his article : https://www.linkedin.com/pulse/affaires-publiques-la-cartographie-des-acteurs-erwan-le-morhedec/
"All of these elements provide a solid legal foundation for the initial intuition that the production of files, lists, maps of decision-makers or other stakeholders is not unlawful in itself, contrary to what today’s emotion might suggest. "
Monsanto’s managers, themselves, are not mistaken. Bayer’s decision markers are not apologizing for doing something that could have been illegal. They explained that ”it was not the way Bayer was looking to talk with groups of interest and the society, and thus they are apologizing for that.” Also, they considered not having, for the moment, any elements showing that the lists drawn up for the Monsanto account have broken the law.
So, is GDPR agreeing with the way Monsanto gathered his data?
In fact, if maps creation is legal, the problem comes from the data source and more precisely from the way to collect these information. In this case, it is a little bit more delicate, as Erwan le Morhedec is explaining.
To summarize, to collect data, you need:
Usually : the consent of the person lawfully in control of the information.
Except in the case of “the legitimate interest pursued by the data controller.”
In this situation, a priori, consent is not collected, on one hand because the people that have been mapped would have made it known to the public, and on the other hand because it is an external firm that did this mapping. It is therefore unlikely that a disclosure exists on a relationship, which could have meant that the information already existed and had already been lawfully collected.
How can companies lawfully map big accounts, according to GDPR?
Companies that use B2B mapping to win complex businesses or manage big accounts, usually call upon legitimate interest, and seem to be right. Here, we prefer to write the word "seem" given the inexistence of jurisprudence in this area and the age of GDPR, it would be inaccurate to say something definitive in one way or another. Nevertheless, unlike public affairs, companies have ongoing commercial relationships with their customers. They continuously exchange information. When the customer "communicates", on his own, information to his supplier, via his business card, business meetings or e-mails, he gives "de facto" his consent for data processing. GDPR encourages us to professionalize our lobbying approach through tools and methods, not to stop doing it!
The 3 things you need to know about B2B mapping
At Perfluence, we find that the need for stakeholders to map key strategic issues is becoming more and more important as the complexity of ecosystems is increasing. Thus, three things need to be done to make this activity legal, achievable and ethical:
1 . To provide employees, in charge of these issues, with a platform to work on influence (like Powerscope) because :
Without it, collaborators multiply “hacked files” which goes against the register of processing requested by the GDPR, and this can really have bad impacts ;
Shared data with the involved employees increases the exchange, and therefore allows better updates of the information. As Etienne Wéry is mentioning : “the data must be accurate and, if necessary, kept up to date ; all reasonable steps must be taken to ensure that personal data which are inaccurate, in view of the purpose for which they were gathered, are erased or rectified without delay.” https://www.droit-technologie.org/actualites/monsanto-fiche-ses-opposants-que-dit-le-gdpr/amp/
A single platform (for example SaaS) allows a rigorous control of access to information, logging, auditability, unlike a heterogeneous constellation of files. It is a strong factor of control, confidence, and respect to the controller.
2 . Train collaborators to effective, pragmatic and shared methodologies on influence and relationship management, like RiiM (Relationship Intelligence and Influence Management). Indeed, the sharing of common notions, apart from contributing to the effectiveness of the approach, allows a transparent, unequivocal, and positive work towards the individuals (even opponents) and better results.
3 . Put everything in a charter explicitly submitted, approved and adopted by the collaborators.