GDPR for sales: 10 things sales reps need to know about cold emailing and calling

by Jory MacKay

If your sales process relies heavily on cold emailing or calling prospects, the new European General Data Protection Regulation (GDPR) isn’t great news for you.

At its most basic, the GDPR changes the way outbound sales teams can collect and use personal data like email addresses, names, and other info about prospects.

So, whether you buy lists of leads to fill out your pipeline, scrape prospects from LinkedIn, or automatically add new inbound contacts to your sales funnel, the sales strategies you’ve used in the past to turn strangers into customers are going to have to dramatically change.

There are a lot of questions about how GDPR is going to affect sales teams. And the stakes are high if you get it wrong. We spoke to GDPR experts Ken Baylor and Chas Ballew to help answer the 10 biggest questions sales teams have about how to stay compliant while prospecting.

Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.

1. What’s covered under the GDPR and do I need to care about it if I’m outside of Europe?

At its essence, GDPR gives EU citizens more control and transparency over who can store and use their personal data. It also means that as a company using personal data to build lists and contact sales leads, you have new responsibilities around how you collect and process that data.

Under GDPR, personal data includes:

  • Names
  • Phone numbers
  • Email addresses
  • IP addresses
  • Mobile device IDs
  • And even encrypted data

Basically, if the information you have can be used to identify a person in any way, it’s covered under GDPR.

For sales teams, personal data is the lifeblood of outbound sales. To move a lead through your sales pipeline, you need to get in touch with them and pitch. But under GDPR, you can no longer use personal data (like email addresses or phone numbers) unless that person has consented to being contacted by you.

This means no more sending out cold prospecting emails, quick catch-ups, or product demos without that person opting in to receiving your messages.

Now, before you freak out, there are a few details to go over.

First, the GDPR only covers your sales prospecting towards EU citizens. You only need to be concerned with following GDPR guidelines if your business either:

  1. Has any sort of established presence in the EU (an office, PO box, or employees)
  2. Is offering services or products to EU citizens or using their data in some other way (such as monitoring or profiling them)

Second, you may still be able to contact prospects if you have “legitimate interests.” This is a bit of a grey area, but one that Ken says many cold calling companies are going to rely on under GDPR. As he explains:

“If your company’s ‘legitimate interests’ aren’t overridden by the individual’s ‘fundamental rights and freedoms’ then you may be able to use the contact data.”

Ken calls this a ‘balancing test’ where, should a prospect send a complaint about your outreach, you may be able to argue that the communication was still legal. However, you’ll want to make sure you document your legitimate interest, make it clear in the communication, and offer an easy opt-out.

Lastly, we won’t know the final effects until the ePrivacy directive is finalized next year. The GDPR is only a starting place for new regulations around personal data. We won’t know the final impact it will have on outbound sales and marketing until another regulation—the ePrivacy Directive—is finalized. In other words, there’s still more change ahead.

2. What is consent and how do I get it from my prospects?

Under GDPR, the only way your sales team can do any sort of outbound sales is if you have consent from your prospects to contact them. More specifically, the GDPR says that consent must be:

  1. Freely given
  2. Specific and transparent about what it will be used for
  3. Able to be withdrawn at any time

Consent is key to interacting with your sales leads under GDPR. So, let’s break down each of these factors to make sure you’re collecting it properly.

To show that consent was “freely given,” your lead has to explicitly click an opt in to receive communications from you (i.e. your opt-ins can’t be selected by default). It also means that consent to receive sales emails or calls can’t be a requirement for using your services.

When a prospect gives you consent, you need to be open and transparent about what you’re using that consent for. For example, if a prospect gives you their email to send them an eBook, you can’t then use that as consent to send them sales emails or unrelated content.

Finally, your prospects have to have the ability to withdraw consent at any time. This could mean an unsubscribe link on emails or some other way of contacting you to get off your list.

Because consent is such an important part of being GDPR compliant, you should always record when and how it was given. If a prospect emails you and asks why you have their information, you need to be able to say: “Here’s where we got your data. Here’s the link to our privacy notice. And here’s the unsubscribe link.”

As Chas explained, if there’s a guiding principle to consent, it’s to avoid surprises.

“Don’t make people surprised to see your name pop up in their inbox. You might have to remind them who you are and why they wanted to hear from you, but it can’t be a total surprise.”

3. Do I only need consent if I’m sending bulk emails? What about individual outreach?

Let’s keep this one simple: There is no legal difference between bulk emailing and one-to-one emailing when it comes to cold outreach under GDPR. That means even your “Just reaching out” emails need to have prior consent in order to be legal.

If you’re unsure if you have consent from a prospect to contact them, you probably don’t.

4. How can I build my outbound sales funnel under GDPR? Can I still buy lists of leads?

At this point, it might seem like building an outbound sales funnel is impossible under GDPR. But while some of your tactics and strategies will have to change, there are still ways to grow your list of leads:

  1. Double down on content marketing and inbound sales: Both our GDPR experts agreed that inbound marketing and sales is going to become more important moving forward. You should also take time to make sure your forms are set up to properly gather personal data and get consent.
  2. Buy relevant lists that have documented consent: You can still buy lists of leads under GDPR. However, to use those lists, they need to come with attached metadata explaining how and when each person gave consent. As long as you can prove they consented to receiving emails from you, the list is okay to use.
  3. Advertise on sites that are relevant to your ideal customer: Advertising and getting inbound sales leads is still legal under GDPR. Again, you’ll need to make sure you’re gathering and tracking consent whenever you get a new lead.

5. How will GDPR affect cold calling?

Cold calling isn’t as restricted under GDPR as cold emails. That’s great news for all those sales teams that are already seeing success with cold calling. And if cold calling is not yet part of your sales process, you might want to consider it now. (Check out this post for a simple framework to figure out if cold calling is feasible for your business.) However, you still need to identify yourself and tell your prospect who you work for, why you’re calling, and how you got their information.

You also need to make sure that you’re only calling companies who have either consented to receive your calls or who aren’t registered on a no-call list.

Unfortunately, there’s no EU-wide no-call list you can check. Instead, you’ll have to look on a nation-by-nation basis. For example, in the UK, businesses and individuals can register on either the Telephone Preference Service (TPS) or the Corporate TPS (CTPS).

While cold calls aren’t as heavily scrutinized under GDPR, this will all most likely change when the ePrivacy Regulation becomes finalized next year. Under the proposed Regulation, unsolicited direct marketing by any means—including email, SMS, or automated calling machines—will be prohibited unless direct consent is given.

6. What is the difference between the GDPR and the ePrivacy Regulation?

We’ve mentioned the ePrivacy Regulation a few times already, but it’s worth taking a closer look at what it is and how it will affect sales teams.

As Chas explains, the GDPR is a “general” regulation. So, while it covers all of the EU, it’s only a baseline for data protection regulations. This means that if there’s a more specific regulation or set of data protection rules for an industry, those take precedence over the GDPR.

For example, law enforcement agencies have their own set of regulations around using personal data. So they would follow those rather than the GDPR.

The ePrivacy Regulation will be the more specific set of rules for electronic communication by sales and marketing teams. It covers everything from email to SMS, phone calls, messenger services like WhatsApp, Facebook Messenger, LinkedIn, and Skype as well as cookies and other forms of digital tracking.

Unfortunately, the Regulation is still being finalized, which means that there are no firm answers about exactly what it will entail. However, if you want to get a better idea of how it might impact your sales team, here’s a link to the current working proposal.

7. Can I send sales emails to someone I met at a conference or meet up?

If you use in-person events like conferences and meetups to build your sales pipeline, there are only a few minor changes you need to make to stay GDPR compliant.

First, you still need to get consent from your leads to receive sales emails or calls from you and be able to show that consent. This could be as easy as using your CRM, like Close.io, to write a short customer note, such as:

“I met Jim at X tradeshow and he asked me to follow up with him about our product/service.”

Alternatively, you can include your reason for reaching out to them in your email:

“Hey Jim! We met at the X conference last week and you asked me to follow up with more information about how my company can help you out with X, Y, and Z.”

This also applies if you’ve gotten a referral from a current customer. Ideally, you would have your current customer send an introductory email explaining why they’re putting you in touch. Otherwise, you need to make sure you explain how you got their information and why they would want to talk to you.

As Ken explains, a best practice in any of these situations is to send one tailored and targeted email rather than add a new contact to a sales automation.

8. How will GDPR affect inbound leads from content or webinars?

It’s probably clear by now that inbound sales and marketing is going to take a front seat under GDPR. It’s much easier to get consent when a prospect comes to you. However, you still need to make sure you’re getting the right kind of consent. When someone gives you their information, you need to make sure of a couple things:

You can only collect the personal data you need to do what you’re saying you’re doing. That means if you don’t need a prospect’s home address, phone number, and credit card number to sign up for a free trial, you can’t ask for it.

You need to be transparent about what they’re consenting to and who will get their information. Your opt-in form needs to say exactly what you’re going to be using their personal information for as well as be unchecked by default (to show their consent was “freely given”). Double opt-ins are always recommended to make sure you’re getting consent properly.

And what if you use partnerships like webinars or co-branded courses to share leads?

This is still legal, but you’ll have to make sure your opt-in explicitly states that you’ll be sharing their information with third parties. And as always, you’ll need to give them an easy way to opt-out of future communication.

9. Can I still use services like Clearbit and FullContact to enrich data about prospects?

A lot of outbound sales teams use services like Clearbit and FullContact to find out more about their prospects and who’s visiting their site. And while these services aren’t prohibited under GDPR, staying compliant with them will come down to the details.

As Ken explains, if you’re using personal data from one of these services, you need to know:

  • What personal data has the individual consented to having collected?
  • What fields are being transferred?
  • How exactly does the data flow?

The easiest way to figure this out is to look at your provider’s GDPR position statement or privacy policy.

Under GDPR, EU customers have the right to ask for all the information you have on them and where you sourced it from. So, if you don’t know where a service is getting their data from, you’re going to have issues answering any questions your prospects have.

10. What are the risks of not following the GDPR when cold emailing or calling?

So what happens if you don’t follow these rules? Well, that’s where the GDPR gets a little scary.

Each country in the EU has its own regulatory body that will enforce the GDPR (such as the ICO in the UK or CNIL in France). If you’re found guilty of violating the regulations, they have the right to:

  1. Fine you up to 4% of your worldwide annual revenue from the past financial year
  2. Shut your business down until you can prove you’re compliant

Data subjects also have the right to sue you for misuse or mishandling of their personal data. If you run into someone who knows their rights and doesn’t want to receive your sales emails or calls, you might be in a situation where they file a complaint.

To give yourself the best chance of not running into these issues, it’s important to get organized as soon as possible. Inventory all the ways you’re using data in the EU and be clear about what you’re doing with that data and how you’re going to justify it legally when people ask.

As Chas says, if you’re just reacting to GDPR instead of being proactive about compliance, the consequences are potentially company ending.

GDPR might sound like a burden for your sales team. But there are some benefits.

GDPR is bringing some major changes to the way outbound sales teams work. But it’s not all bad news. As Ken explains, the spirit of GDPR is to make sure that you’re only reaching the right customers at the right time:

“Instead of dealing with 98% of people who want nothing to do with them, sales teams will only deal with people who are more interested in what they’re selling.”

“Plus, many potential customers fear contacting companies as they believe they will be bombarded for years by low-quality pitches and have their data resold to other companies. With GDPR, these fears will abate and prospects will be more likely to engage companies to purchase their products.”

Don’t think of GDPR as something meant to kill your outbound sales process. Instead, it’s a shift in the way you think about who your ideal customer is and how to get in touch with them. Do that right and the only difference under GDPR is that you’ll have a small list of qualified leads, rather than a massive list of people who don’t want to hear from you. 
