Boost your outbound sales lead generation in European Union

How to create outlook signature

the latest installment in field Fischer's GDP are practical webinar series my name is Eldon takitimu I'm a senior associate here in the Silicon Valley office today I am joined in the studio by mr. Mark Weber who is the the u.s. managing partner and by Anna Garcia who is our residence run about privacy team here and both French and US qualified and our alvrez of the next bit on CCPA amongst other things hello and hello everybody so for those of you who haven't dialed in to one of these before as I say this is the fifth or sixth one we've done please please do check out the other ones that we we like to keep things pretty pretty informal so I have the easy job today of leading and asking the questions about two experts here today and the topic is obviously outbound lead generation very much hot topic amongst lots of them lots of our clients we're here to to reassure you that you you very much still can do out there out family generation in Europe now all of those things buying a list of contact data social media scraping all of that stuff is still is still legal in GDP our land but it it has got a little bit tougher and we're going to talk to you about those various compliance hoops that you might need to jump through so I think on the screen you can see probably the six biggest questions that we get in this in this topic area is it still okay to use public sources can we rely on third-party day you know what legal basis do we rely on is there can we rely on both consent and or legitimate interest or a little bit of both how do we comply without transparency obligations how do we structure out our marketing program to make sure that we're we're minimizing risk and then you know how do we make sure that we protect ourselves in our contracts and then if we if we get time we will we will try to cover it in a couple of minutes where we are on the the privacy regulation which spoiler alert would not that five-month far further forth than we were two or three years ago when we were doing webinars about the e privacy regulation so if I sort of start at the basics and we set the scene so when we when we're talking about your your marketing program or your outbound lead generation there's really two key sets of European laws and play so you should be seeing in front of you a Venn diagram you know we'd like to include a VIN to keep all of our consultant friends happy there there are very much two Lords in play when we when we talk about direct marketing so there's the the gdpr which no doubt everyone's heard about that's the GTR is is that the broad broadly applying law that applies to all personal data processing so obviously with with any form of direct marketing there there's likely to be personal data processing involved so you're going to have all of those obligations to deal with under the gdpr and then the other the other part of the VIN is a privacy laws so just in terms of the e privacy laws so this is an e privacy directive and then various national laws that implement that directives throughout throughout Europe and the the where where a privacy really bites on your marketing program is really at either end of the of the scale so firstly I'll start at the back in you under here privacy law you have to have consent to to send marketing mails to to individuals or any electronic marketing communication whether that's email or for text message we'll talk a bit a little bit later about what about the standard of that of that consent and then the other the other way that the privacy law plays into your marketing program these days is at the front end collection so no doubt you've all heard of the of the cookie law no doubt you've all been on a European websites and you know had that cookie banner interrupt your day that that cookie bow mechanic comes out to be privacy law which says that the the automatic retrieval of data or storing of data on on an individual's device and that any data must be must be with it with five individuals consent so I think that's that's where we are in terms of setting the scene obviously this and forgive us we having some dramas with the slides but yeah like I sort of alluded to at the start this this area of law is is very much a hot topic you know we're seeing lots of lots of challenges from from privacy advocacy groups and complaints from individuals around around this area of law and you know we think very much that it's going to be a continued area of focus for for for European regulators so it is it is important that we we get those things right and so I think probably the logical place to start is is as legal basis or ensuring that you can lawfully process any any personal data so on on that one I'll hand over to Emma thank you Anna how do we ensure that we have a legal basis I think a lot of organizations are confused by the fact that they need to get consent for a privacy purpose and so they believe that they need to rely on consent as a legal basis or at least they confuse that requirement for consent and there the a privacy directive and the requirement for a legal basis and the GPR and and that's true that it's quite confusing but while you need to have a legal basis to process personal information for direct marketing it doesn't mean that you need to rely on consent consent is one of the legal bases that are available under the g e PR another one is the legitimate interest and direct marketing for direct marketing you can rely on the judgment interest but there is just some risk and relying on legitimate interest when you need to get consent for privacy purpose and the reason why it's it's not that there's some risk but it might become confusing it's because some regulators don't really like the idea of getting consent for a privacy directive and then relying on legitimate interest because it might confuse your customer or your users if you need to get obtained consent and then but you tell them that you're actually really are relying on your legitimate interest so you don't really tell them but that's that's your better analysis so I think it's it's not it's kind of where the issue is for a lot of our client and it's quite confusing it's not clear I think the issue is not that as important if you're doing on the b2b direct marketing because in countries like the UK and France you're not bringing obtained consent so in that case it's really easy to build your argument and say that you rely on legitimate interest because you do not collect consent anyway it might be a little bit more complicated in countries where you need to get obtain consent regardless of whether you sending the marketing communication to consumer email address or a business email address yeah something so what you play that back to so what you're saying there is that within their their overall framework of saying that you have a legitimate interest to to undertake marketing direct marketing within their framework you can have a specific consent for the collection of any device data and then another specific consent for the sending of the electronic mail itself yeah and I think the thing that's possibly worth throwing in here this part of debate is another thing which confuses is the beginning of this discussion we focused on the data controller that's actually thinking about sending the marketing emails but in many times when we're dealing with lead gen there's a provider of those lead gen email services and then does the ultimate recipient the controller that's going to use those emails to market for their own purposes and in that scenario we've actually got two controllers and there's a controller to controller exchange from the lead gen provider to the party that's sending the email but then also because we've got two providers there's actually two Assessors sorry two controllers there's also an assessment that needs to be made by the lead gen provider because they're building a database and collecting information they're processing personal information so they have to ensure they've got lawful grounds and establish legal basis then when that's provided to the third party that it's actually going to be the controller sending out email marketing they have to establish their own legal grounds and it is them which is dealing with both gdpr and Withey privacy and this is where we see some confusion in the market because it's quite easy for a lead gen provider to collect the data they have a relationship in many situations with the data subject they're collecting that data from and because they are just part from the de Durham they only need to consider about their local grounds and the legal basis under the GDP are so it's easy for them to talk about how it's been collected in ance for gdpr and establish their lawful grounds the complication comes as we'll see when they want to send the emails from the second controller that second controller hasn't had the relationship the data subject but also to Eldon's Venn diagram at the beginning they're wrestling with lawful grounds and the gdpr but also the grounds or permissions for sending that email marketing message under the privacy rules and there's a little bit of difference here and you know to be fair is a little bit of confusion in the marketplace because the way some of the lead gen providers of positioning cells it suits them to talk only about gdpr and focus in on that and know what their commentary and their explanations of compliance often admit to discuss is the grounds that the controller sending that email marketing message need to assess in in relation to eat privacy and that yeah that's another element of this confusion that we're talking through so just to play devil's advocate can one of you talk about perhaps what the what the drawbacks would be or although all the pros and cons say of if you're if you are that sticking controller and that data has been collected by Attlee gen provider on the basis of consent ok can you talk us through why you wouldn't just rely on consent all the way through as your as your legal basis having because consent is tricky it's hard to get valid consent especially on the other gdpr and because consent needs to be free free to given so it means you cannot Bendel it it can be a condition to access a document or an event it needs to be specific so it needs to name you if if the first party is collecting the consent they need to name you and specifically say in their concern that big B gonna share the contract details with you and you will and marketing communication and if you want to be on the safe side it should also name the the method of communication that you will use to communicate that in video it has to be an ambiguous so it means that it can't be pre check works it has to be and check opt-in boxes so it's a little bit tricky and it has to be informed of course and and and that's an issue because it means that not only the first party has to provide information that the way they're going to process the data but you will also have to provide information about that and it can be mr. own at any time so that's there therein lies some of the issue for the lead gen providers because obviously prior to gdpr and and today there's a there's a real incentive to build databases have potential names and then to use those databases to effectively sell them on to others now if you don't know who your future customer is you can't be specific about that customer so it's much harder to build a consent for that customer because they've never been named they may have been referred to in a general category Sensurround partners or others that we send messages to but there are real challenges as Ana's pointing out to consent in that scenario there are legion providers now that are going out to the market and building databases specifically for a controller customer and in that situation if the mandate is to go and build the database then you can be more specific because you know who you're building that database for and you can overcome some of those sort of information challenges that might otherwise be there but it's a it's a it's a real kind of difficulty and it's easy to sort of assume they have the right to build the database but the controller that's receiving the information from that légion provider also needs to make its own assessments and that's yeah that's what we're wrestling with here Eldon yeah and I think that that's you talked about information challenges there mark it's probably a good segue to talk about transparency now obviously transparencies are weird a word that we we hear about a lot you know I think they can yell use the French word for it about 400 times and they're and they're good yeah ruling yeah so so mark talk talk us through what what the transparency obligations are and how how the various players in this Marcus yeah should be discharged yeah thank you it in part this is why I was making a distinction earlier because there's two parties to this transaction the party building the database is the lead gem provider and then the controller that wants to take those emails and share them out and obviously they're both acting as controller they're both acting as independent controllers so they're both obtaining and processing personal data one with the outcome of building its business as a lead gem provider and the other with you know building its own database so it can send emails out to its customers or potential customers in this instance so protesting personal data as Anna has talked about we need lawful grounds but we also need to overcome the transparency hurdle because in order to have fair and lawful processing we need grounds and we need transparency so then you need to think about that transparency and particularly get into the the type of model and the the transparency is going to depend on the source of that information to a degree so if we look at the lead gen provider to start with they have obligations under the GD P R and they have to be transparent and we've talked about the ground so their transparency their obtaining information directly from the data subject in many circumstances although some models will see them partnering with others but the party that's obtaining the information directly from the data subject is going to have obligations under article 13 so the typical article 13 transparency obligations that long list of information that has to be provided typically provided by way of privacy policy but should be provided in clear comprehensive language at the time that information is collected and it's relatively easy to think about article 13 B because there is a touch point with that kind that data subject at the point if the information is collected sometimes this model then comes under some cowling because we're you're the third-party relying on the lead gen provider all your the third-party scraping data from social media and other sources and we should say that scraping should always be assessed in terms of contractual rights to do that scraping whether you're licensed and permitted to say we're going to park that for the moment in terms of scraping but let's assume it's lawful scraping there in those certain circumstances the control of sending out the marketing email hasn't had a relationship with the data subject or they've scraped it from a third party website and in those scenarios article 13 doesn't apply because it hasn't directly obtained information personal information from the data subject in fact article 14 applies and that's an article which is often forgotten and article 14 applies where personal data is obtained from the data subject and that data has not been obtained directly from the data subject so the here herein lies the challenge if you're scraping data you're adding data to a database you've then got to inform the individuals and if you're obtaining that data from a lead gen provider to be able to get into your own database before you send out those emails to prospective customers you've also got to inform those end users that all of those data subjects that you're processing their information and that means getting all of the information in article fourteen to those individuals unless an exemption applies and yeah there's a challenge because you don't have a relationship so simply our article 14 requires all of the information that you had to provide under article 30 notice about who you are the purposes for which you're using information you're DPO the fact that they've got rights there's not something that's easily presented to individuals but um you know it's simply article 14 says that information has to be provided in within one month I've obtained the information or at least that the first time that information is used if it's used within within that month and the exemption say unless that data subject has already got that information so in some business models of lead gen you maybe ever rely on that third party lead gen provider to providing sufficient information about your use and purposes and the fact that they are sourcing the information but that's often difficult to do there are some that just go on up yeah that's something that some of some of the regulator's hate yeah the guidance from the Kineo says that even I mean it doesn't mention the fact that who first thought she might provide information I mean it requires the first party to provide information but it also requires the third party that received the personal data from the earth marketing office to provide some information regardless of the information that had been provided by the first party and in that case it means that you have to in your first communication the first marketing email that you're going to send to the individual you have to tell that in video how you obtain the data so the source yes okay who gave you the data and even if the first party provided some information you still have to provide that and that's why I said unless they provided the source and this is the difference if you read article 13 and 14 if you're so inclined you'll see there pretty much look the same but the real killer is article 14 to F which talks about providing the source of the personal data from which it originates or if applicable whether it came from publicly accessible sources which is the notice that you've been scraping it or building in other ways so all essentially as a third as a controller you're an independent control and looking to compile a database to send marketing messages and you're dealing with your own lawful grounds and your own transparency under article 14 and this is a challenge because it effectively means as data is coming in and you're assembling that database either you've got an opportunity to tell the individuals because you're going to market to them and you should not do that within the month as a part of that marketing communication or if you're assembling that database to use over time that independent controller that's contemplating Marketing has to go out to those individuals and let them know that they're compiling a database now there is an exemption under article 14 - which effectively says that you don't have to go out if it proves impossible or would involve disproportionate effort now I think we'd argue if you were building a marketing database you have their emails you have their contacts it's hard to say it's impossible or it's the disproportionate effort yes it's a pain yes it takes time but the whole point of the gdpr is ensuring that data subjects whose information is being processed are being notified about that processing the purpose of that processing and then ultimately been giving some kind of chance to understand their rights and potentially to object so I don't think you can rely on exemptions in this scenario and you have to start thinking about that article fourteen notice and in fact just in our office and with a couple of our London crew and the famous Phil Li there was a bit of excitement before Christmas as we started to see our own notice you notice he's coming in under article 14 from certain providers as we were being added as field Fisher partners and lawyers to databases so there are businesses out there sending article 14 notices they're not all fully compliant because they rarely reference the source but we are seeing that starting to happen and as as the law would require but it's it's a real burden when you're talking to your marketing teams about this because they're building 200,000 names in a database and you say oh well you've got to go out to them and tell them that we're processes information and you want to minimize the number of notices you want to know use that to hit them and often that's kind of entering a please delete my information or a data subject access request or some kind of deletion request so those kind of interactions make this kind of region model difficult unless you're really ready and I think our best advice in this scenario is if you're going to have the data coming in and it's coming in indirectly make sure you're using that data and having an opportunity to interact and communicate with the data subject within the month of that information and being obtained and don't sit back and forget about providing the information and yeah it could be a you know could be a partial layered notice with information about purposes and then linking off it needs to be conspicuous enough that it's really bringing notice to those individuals because they have no other information about you what you're intending to use then information for and what their rights are etcetera so it sounds to me that you're you're suggesting there that it it needs to be something more than just sending that first marketing communication with a link to the privacy privacy notice I mean I think yeah this is where your risk based approach comes in I mean I think if you want you could combine it in that first marketing notice but it has to be conspicuous enough that it's not buried at the bottom of the message I mean let's face it I mean you could it's fine challenge for that I mean many people you know you should identify a marketing message on the face of the message many of us will say it delete it and never get any notice so burying it it it isn't recommended if you are going to use that first marketing communication then yes you should others have taken the more pure probably more defensible approach of sending a separate communication around the processing and the fact they're held and then information but of course from a marketing perspective which is why I say this needs to be risk-based do you really want to be engaging with businesses before you even though who you are what you're trying to do because that prompts other things and we have found that that's just the sort of thing that brings you into separate rights requests and deletions and and other burdens in terms of supporting those rights but it's one of those things you need to weigh up around obtaining these third-party marketing lists and I think it's one of the things there's also difficult to communicate to marketing teams because marketing teams you know have their best yeah their own best interests at heart they're very experienced in what they do but they have a good idea of what others are doing and it's always peer benchmarking and we don't necessarily see others doing this across the board in the market they also know what they've always done and of course gdpr has changed them of that so convincing working with teams to do this in a different way and then to Anna's point also convincing and working with teams to think that you might need to do different things for different markets is also different so that jurisdictional difference I think we've seen for a while businesses you know making adaptions for Canada as Canada came in with fairly strict laws with castle but there are also yeah other issues on the on a global nature and we can kind of come on that and and talk to that and I think this was something an are you gonna speak to call I think yeah but I think as you said Matt probably that that first point is is deciding what approach you're gonna take to your to your marketing program like like we mentioned briefly at the start there are different rules in an every in every country so you know but you can either take a country-by-country approach which I'd say is I mean very rare okay it works if you are a big organization and you have the means to do that to go country by country you have strong marketing and legal team in each country so it makes sense to do that but it's like you said it it doesn't make sense if it's not the case it's also what when you look at historic databases often people have collected email address but don't necessarily know where that individual is based as well so going country by country you either bring yourself up to the highest benchmark of law which is effectively opt-in and if you've already got that data and you can't evidence that button you can't evidence that consent so you've probably got opt-in so you're looking at different different approaches and it is difficult and this is one of the things we saw through GDP are that historic database where collection hadn't been a strict some decision to remove it someone took the decision to reconsent there was probably too much or certainly too much reconsent in going on but really understanding the data and understanding it's it's you know where it's from and supplementing it is different difficult and this is where particularly on a global basis a number of our clients work with email platform providers they're able to sort of segment lists manage with suppression lists manage opt-ins and sort of work on better email marketing so those that are you know rich enough and large enough to implement those platform so probably at an advantage here because it does give you know a framework operationally to bring in some compliance but you do have to have those discussions about where sending marketing the kind of marketing and then the type of marketing that you send one other thing I mean obviously we're talking a lot about sending the message but there's a whole lot of lore out there about the messages that are within the marketing around advertising brand IP risks confidentiality etc so you will need to be aware of the content of that message there are also other laws in Europe like the e-commerce directive which kind of sneaks in which talked about having a opt-out role an opt-out within of every message so there's an ability to opt out of the communication it should be clear from the face of the communication that it's a marketing message and also under the e-commerce rules because it's a communication you may have additional obligations around disclosure the fact that you have to disclose the entity that's sending the marketing message something to think about if you're using a third party Canon or sending tool to make sure they're not branding it as theirs identifying your corporation and contact points but then also in certain countries looking at local obligations if it's a UK ntg it's a communication from a UK entity and there are other rules around you know identification of that entity to include things like company registered number etc so there's a overlapping of gdpr the privacy of the e-commerce directive of other national statutes around marketing and sort of misrepresentation and so so suddenly something you know legislatively looks and you know quite difficult to decipher but then also some of our clients as some of you out there on the call will be signed up to direct marketing association which will have its own rules or there will be local marketing codes and other things to consider so when you look at all of this it often becomes Yeti too difficult to look at on a specific country by country basis so it's either prioritization minimizing marketing in certain areas or bringing yourself to a higher benchmark depending on where your risk is and you know some well we will look at well as long as I've got an unsubscribe and I never market to them again maybe I'll get away with it but of course that's not marketing within the law that's definitely a risk based decision to become you know weighing quite carefully I think it's the same thing depending on me if you do b2c so business to consumer or if she do b2b because in the risk of a much lower in a b2b context in many European countries it's not the case in some EU countries Germany but in many countries such as the UK it's not even regulated I know that you privacy directive at least so the risk are much lower and people tend to complain less when they receive marketing communication to their business email address then when they receive those communication of their personal email address and just in terms of that that risk I know social media or public scraping has come up a couple of times in a b2b context and am I right to assume that if we are only scraping data from say Mark Weber us managing partners public profiles that's probably going to be a lower risk than you know more invasive data scraping techniques potentially I mean there are some technical arguments in the UK as a member of a UK partnership whether that UK punch it was an LLP or a real partnership or a Scottish partnership and the way it's treated and the law because it's not always b2b marketing some of those situations would be seen as PTC because individual partners may be seen as individual individual so in their own right therefore we consumer marketing but I mean that's a kind of a pedantic legalistic point but it's there and imagine the same question if you were mark with us see to some extent you some will see themselves as fair game and I think business and business marketing is is more tolerated and there's less of Joanna's point less of an emphasis from the regulator's right now around the regulation but it doesn't mean there isn't law there I think the important thing is where we see clients getting caught out is it's very easy to confuse service messages around your service and marketing messages service messages themselves aren't regulated in the same way you can still send them if you start blurring marketing messages with your this messages you tipped the balance into marketing that's one area to to look out for and making sure that you you know you preserve your rights to have a service message you don't need to have an opt-out in a service message for example you have to tell people there's downtime between 2:00 a.m. and 4:00 a.m. on the sass service they're using so you know maybe making distinctions around the kind of message you're making I think is is important and then then really because there's an obligation because it protects you having their unsubscribing every message making sure that unsubscribe link actually works and is registered but then importantly with that unsubscribe you should be maintaining a suppression list if anna has said please don't market to me again the worst thing you can do is market and/or again and then you know that comes becomes a very difficult issue if you've got siloed business units or different business groups or different group companies marketing because you know you may find the English business is sending out updates and the u.s. sends something else different they don't compare suppression lists and you know although the English entity is my is tracking unsubscribes they're not in the US and yes there are differences between companies and group to group but you really need to be thinking about that and managing that and really making sure you don't trip yourself up because that's where you're likely to draw complaint or you know potentially in investigation because somebody's expressed their rights not to be marketed to that's an absolute right under the GDP are in any event regardless of any of the other rules and you really need to be making sure you can honor that and keep to honoring that and kind of working that through so cool so so we've heard it sounds like if you can afford a good email a good platform to manage your you're off doubts and your suppression this you should be doing there it sounds like we should be telling our marketing teams you have to think about the messages there they're sending any any other tips in terms of good good marketing hygiene I think we can move to maybe the pre-contract again I think I think one of the most important thing here is that you need to know your vendor so you need to know which service provider you're going to use and whether they gonna collect and and the data appropriately what notice they're gonna provide how they gonna get consent if you need to to get consent what language they're gonna provide when they're gonna get consent so you really have to conduct proper due diligence when you're looking at a generation provider it's not enough you to just tell you that they are gdpr compliant it's not enough you to just tell you that they are a privacy compliant you have to really understand how they work what are the sources how do they collect the data why do they tell the video when they do that and so it's and that need for pre contract due diligence that's something that people should be communicating to their marketing teams because I mean so often deals we work on like the the marketing guys want to go with the campaign like yesterday yeah and so setting that expectation with your marketing teams then it's it's not as easy as it used to be to just buy an A List and you know start spamming but start sitting Hargett in marketing emails yeah I think you have to train them and ideally you need to find someone in the marketing team that's gonna be like a champion or exactly your privacy champions it's gonna know about how to choose then they're in what should be in the contract and and that type of information yeah and then managing that database when it's on-boarded tagging where it's come from we often find at the point of DISA we get pushed by some saying oh where did you get this information from and then well you know unless you've tracked that in and you can find out which list it came on and then you can evidence that you've got your own your own issues being drawn out through data septic access rights et cetera so yeah completely agree there yeah it's a it's a process and a management thing but that process and management needs to be with regard to the legal framework you're trying to work to so you mentioned earlier mark that it's you know typically these these relationships are control the controller relationships between the yeah the data broker or the acquire and the and the signal controller what does that mean from from a contracting perspective obviously we don't have the handy article 28 test items that's right so you mean occasionally these third-party lead gem providers may be acting for you to gather information that's pretty rare I think we should assume that it's a controller to controller these parties aren't working as joint controllers because they're both pursuing their own separate business purposes so article 26 doesn't apply so actually the gdpr doesn't say anything about having terms however commercially there are definitely terms that you'd want to put in place and I think this is partly goes to the message I've put in around you know it's easy for that lead gen provider to be gdpr compliant and they can warrant that GPR component but you as the party sending the emails have your own compliance obligations so just getting a warranty about compliance is is is one thing but you need to be you know thinking about how they can help you and provide information but but also you know getting assurances around the kind of consents that they'll put in place if they are relying on consent ensuring that they have proper notices in place and betting that but then also you know looking at other you know they have effectively you know operating and you know partly doing their due diligence but then partly thinking about the what if so around their own compliance and holding to that them to that compliance contractually but then also thinking about risk and liability and indemnity one of the things I mean a lot of these transactions the reason they tend to get missed at legal effort was there then they're relatively small transactions you can buy in a list for a couple of thousand dollars it might fall below the threshold somebody can do it on their own credit card but that really means the the own the terms and conditions are likely to be you know standard terms conditions at the vendor they probably limit their liability and you know scene list marketing providers limiting to $100 or two the cost of this provided now your own liability is a lead gen provide as a as a user of that information is probably far greater you're probably not going to win that much around you know liability indemnity you might if you're setting up a large relationship so it really comes down to protecting yourself in other ways understanding that vendor understanding their attitude some of the good vendors out there have got FAQ I've got descriptions they can explain all of these things and if they can hit you with some PDFs and those and information and FA cues about how they're in compliance that's great but I think you also need to be thinking well that shows they're in compliance but what they're I then have to do around compliance and while the contract might make you feel better it probably really isn't the tool that's going to help you because if you get into hot water around this kind of marketing you're gonna be dealing with regulators it's gonna be backwards or forwards you're going to be dealing with disgruntled data subjects contract doesn't really help you there you're unlikely to be able to claim back on that you may have you've got a very wide contract but really it's a administrative and to the compliance burden for your own business so needing to think about you know how many of these lists do we buy and how do we manage them are we going to manage these other alternatives you know ways to market or just kind of you know you're cutting down on how these these this lists use it and then you know making sure you've got you know where it is possible sufficient contractual terms and you thought about that away from standard GDP our compliance and with with some of the more sophisticated légion models that you know sometimes will will will have your database hooked up with a provider's database all the time how do you do you recommend having audits or how do you manage that ongoing sort of contractual due diligence compliant relationship yeah I think budget rights is definitely a good idea they should be able to give you the proof of consent because you need to retain them because if you have a regulator that comes to you you need to be able to prove that you've got concerned if you need to get and and yeah I think I'd it is definitely a good idea and yeah within that audit going into you know what are you doing have you changed the way you're obtaining that information and you know there are definitely lead gen models Eldon that get more complicated and that you may be buying emails from one provider you may be providing eat buying email matches from another provider and enhancing profiles and building profiles of individuals and do more sophisticated stuff and I think that's a probably a topic for another day but if you are merging databases and relying on multiple providers to to build a you know profiler or more in-depth intelligence about individuals there are other considerations not least around your own legal basis and how you're doing that as well as of course the age-old issue of transparency okay well I think I've got the the producer in my ear telling us to wrap up that we're at the top of the now a lot of time we will we will release the recording thanks for thanks for darling and we hope it's been helpful I'm not sure if the it will will answer any questions that we've had online and in writing and extended out to everyone and look out for the next installment the Fisher series which is on a very interesting topic we know there are an increasing number if there are topics you would like to hear about or talked about in more depth and yeah feel free to drop as a man and suggest them we're always happy to do this but this is gonna be a regular series and if there's enough interest with more than happy to to look at other things and we're doing a podcast now as well so we just release a podcast on the decision on the converse who's this yeah and by registering for this webinar you've consented this evening new marketing mails thanks everyone we will thank you you