GDPR for Sales: How to Find New Customers Without Breaking the Law!


Post summary: 

  • There’s no escaping GDPR for sales teams. The way you prospect has changed, and sales techniques must fall in line with the General Data Protection Regulation – or you risk being fined.
  • For sales teams, the question is what is considered compliant with the new EU regulation and how can you find new prospects without breaking the law? We have the answers.
  • Along with our Data Protection Officer (DPO), we have reviewed 7 of the most common sales techniques and share how (and if) you can use them during the sales process under GDPR.

B2B sales is competitive by nature.

And given that 50% of all sales go to the first company to respond to a prospect, having an effective sales process in place is business critical.

Whether you pick up the phone to cold call prospects, meet potential customers while networking at events, or do something else entirely, proven strategies that quickly turn strangers into customers are considered the ‘holy grail’ in sales.

That’s because there’s a science to sales and once you master it, you can use multiple sales techniques to quickly reach sales quotas and collect that well-earned sales commission.

But, this has now changed.

The way you used to prospect has received a major update due to the EU data protection regulation known as GDPR – which came into effect in May 2018.

Failure to comply with GDPR can leave your company facing fines of up to €20 million or 4% of global turnover – whichever is greater.

For example, British Airways is facing fines of up to €200 million for a data breach that occurred in September 2018, while the hotel chain Marriott International is expected to be fined in the region of €99 million for a data breach between 2014 and 2018.

There’s no escaping it:

The EU’s biggest privacy update in more than two decades has now come into effect – and with 57% of B2B sales professionals not aware of what GDPR is (via Demand Gen Report) – now is the time to look at how GDPR has affected your sales team and how you can "legally" prospect under GDPR.

Sales reps not ready for GDPR

With that being said, let’s get started.

Will GDPR affect your sales team?

You might think that GDPR doesn't apply to you, but for many sales reps, GDPR has represented a big shift in your day-to-day prospecting.

Ask yourself this:

  • Do you still rely on purchased leads to fill up your sales pipeline?
  • Do you automatically add business card contact data to your mailing list?
  • Do you ask existing customers for referrals and recommendations?

If you answered “yes” to any of the questions above, then GDPR has an impact on you and your organization.

Also, in case you think that the GDPR only impacts European businesses, you’d be wrong.

It doesn’t matter if your business is based in the EU or not – if the data you collect on at least one of your prospects belongs to an EU citizen then you’re liable to comply with GDPR.

GDPR for Sales

GDPR is the term used to describe a series of major updates to the EU data protection law that came into effect on May 25th, 2018.

In essence, GDPR provides citizens of the EU with greater control over their personal data and offers assurances that their information is secure, regardless of whether the data processing takes place in the EU or not.

For sales teams, personal data is at the heart of how they prospect for new business, and GDPR will change how you collect, store, and process it, as well as how long you can retain it.

What is personal data?

Well, it comes in a variety of forms and can include things like name, email, phone number, and interests – the kind of information that sales reps typically store in their CRM system about their prospects.

On a bigger scale, personal data also includes things like IP address, social media posts, bank details, and even medical information – so it’s important to make sure you’re handling all types of personal data appropriately.

How sales prospecting will change under GDPR

First, you have the collecting and storing of the data, and then you have the processing.

Let’s take a closer look at how this has changed under GDPR.

Collecting the data and seeking permission from the individual

GDPR revolves around correctly seeking permission to collect, store and use personal data.

The most typical way of seeking permission is through a web form - including a link to a privacy statement - or in a follow-up email.

Under GDPR, individuals have the right to be informed about what data you collect, why you are collecting it and how you intend to use it.

But, that’s not all.

Individuals also have the right to be informed about the purposes of processing their data and the period for which their personal data will be stored (you can read more about the individual's rights under Article 13 and Article 14).

So, if you haven’t obtained their consent at the time you have collected their personal data, you must inform them – within 30 days of obtaining the data – that you have done so and the purpose for why you are keeping their personal data in your system.

Consent notification email

If the person replies to a message like this and requests that you delete their data, you have to comply with that request and remove them from your CRM database. Or, at the very minimum, keep as little information as possible to ensure no future contact will be made.

Although, this is easier said than done.

In some cases, you may be legally required to store their data, even if they request that you remove it. If this happens, your Data Protection Officer (DPO) will need to inform the person that you are required to keep their data stored and the reasons for doing so.

However, if you don’t hear back after making a fair and reasonable effort to contact them, then you can assume that storing their data isn’t a problem – providing you have a legitimate interest.

Just make sure you do not send any marketing messages (unless they have opted in) and that you keep a record of the consent, in order to remain GDPR compliant.

Processing the data

Once you’ve sought permission to store the data you have on a prospect, the next step is to use it to help you in your quest for new sales. However, you have to be careful, because GDPR restricts the way you can process (or use) this data.

When you collect information from a prospect, they are usually added to a variety of sales and marketing activities.

For example, if someone:

  • downloads a white paper, you later send them an email with a webinar invitation.
  • requests more information on your pricing packages, you add them to your lead nurturing email list.
  • calls up your business to ask for a free trial, you send them a series of onboarding emails.

If you're still doing this, then you need to stop it - or you risk being fined.

When you collect personal data such as an email address, not only do you need to inform the individual that you have stored it, but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.

Simply put:

You cannot assume that you have permission to send mass email campaigns just because you have their email address.

One way to handle this is to allow prospects to manage their email subscriptions, using a subscription management tool.

Subscription management settings in line with GDPR compliance

However, before you can begin to think about storing and processing personal data, you first need to find it – so let’s look at how you can prospect under GDPR.

7 ways to prospect under GDPR

For many companies, GDPR means sales teams need to make some changes to their sales techniques to stay compliant. Here are 7 sales prospecting techniques that you should consider adopting now that the new regulation has come into effect.

1. Sales outreach

If you’ve been sending out cold prospecting emails and sales pitches on auto-pilot lately, then you’re going to have to stop.


With GDPR, you cannot send automated sales emails to prospects without getting their permission first. This includes product demo, quick catch up and “just reaching out” emails, or any other form of communication that your prospects didn’t ask to receive.

If you’ve never had contact with a prospect before, you should demonstrate in your outbound sales email that you have tried to contact them by phone prior to emailing them.

In the example below, it’s clear that no attempt has been made to reach out to me by phone, and the email therefore falls under direct marketing communications.

Cold sales email example

If you’re going to send out these kinds of outreach emails in a post-GDPR world, then you need to have been granted consent by the prospect first. Without it, you’re failing to comply.

That being said, you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients (if it includes an unsubscribe link, it's most likely automated), and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).

So, good news to sales and marketing teams that have implemented account-based marketing campaigns.

2. Social selling

Social selling is a new term to many sales reps.

Yet, only 1 in 4 sales reps actually use social selling.

For those that do use it, it’s fast becoming a popular way to prospect!

The good news is that GDPR doesn’t prevent you from finding and connecting with potential customers on social media networks. Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

If you use LinkedIn or any other social network for businesses, here’s a handy template to copy and paste each time you send out a connection request to get the conversation started.

LinkedIn connection request template

Once these contacts have accepted your connection request, you can reach out and message them with the aim to gain consent to nurture and sell to them.

Bear in mind that the principle of providing value before asking for something still holds in the social media world. Spamming your social media contacts will not provide any better results than if you were spamming prospects in any other channel.

If the conversation shifts outside of social media, you will need to establish that there is a legitimate interest in contacting them by email or by phone. The best way to do this is to gain their consent. However, consent to contact them cannot be treated as consent to send them mass marketing campaigns!

3. Purchased lead lists

Purchased lead lists can often be a great way to fill up the sales pipeline – either when there’s a drought or to complement your existing prospecting work.

But, since May 25th, this has changed.

If you acquire leads that contain personal data from third-party ‘lead generators’, then not only do they need to have consent to share that information with you, but you will also be required to get specific consent to use the email addresses on the list – unless they have given their consent to be approached by associated partners (i.e. said “yes” to their data being transferred to third parties).

In this case, you can contact them.

However, you must document proof of their consent from the third party you purchased the list from, and you will also need to allow people to unsubscribe from your email campaigns.

This GDPR-related change affects existing purchased leads, too. If you already have purchased leads in your mailing list – but you haven’t contacted them yet – then you will need to document their consent from the third-party vendor before you send marketing messages.

4. Cold calling

Cold calling is one of the most effective ways to build new relationships with potential customers.

But, is cold calling allowed under GDPR?

The good news is that cold calling doesn’t come under the same regulation as the GDPR and is being given a new lease of life as a result, which is good news to cold calling experts!

At this stage, it is worth repeating that each time you add a new prospect to your CRM database, you’ll need to get their consent before you can start sending them promotional offers.

So, while you are on the call with the prospect, just ask them if they would like to receive newsletters. If they say yes, you can send them a link to a “manage my subscriptions” page where they can opt-in to specific news, content and updates.

The challenge with cold calling is that it can be difficult to document their consent, unless you record a call with a prospect. To overcome this, you can follow up the call with an email that sums up everything you have discussed.

In this email, make sure you include:

  • The purpose of why you called them,
  • What was agreed during the call,
  • Why you are following up by email.

Here’s an example of what this email could look like.

Cold call follow up email template

Each time you send an email with this information, make sure you store it in your database under the prospect’s details. If the prospect responds and asks to be removed from your mailing list, then you have to comply with their request.

5. Networking

Networking at conferences and events is a great place to meet new customers.

A large part of networking includes the age-old tradition of exchanging business cards. In the past, this meant taking the contact information on a business card, such as name, company and email address, and storing it in your CRM system.

While you can continue to exchange and store business card information, you cannot use their email address for marketing purposes, unless you have their consent and they have opted-in to receive marketing emails.

But, all is not lost.

You can still send one-to-one emails and follow up with prospects that have given you their business card since a legitimate interest has been established. So, don’t give up on networking just yet!

6. References

One of the most successful ways to find new customers is to ask your existing customers for referrals or recommendations to people they know who might be interested in your product or service. Today, you can simply pick up the phone and give new prospects referred to you by existing customers a call or send them an email.

Under GDPR, you can continue to call and email prospects based on recommendations from existing customers.

One of the best ways to reach new prospects through referrals is to ask your existing customer to introduce the both of you and tell them why he/she is doing it. Plus, using email means that the introduction is digitally recorded.

Of course, not every customer will be willing to write an email for your benefit.

To help you with this, here’s a sales email template that your customers can send to introduce you.

Introduction email template for reference customers

7. Website

Websites are a great place to capture new leads.

If you’re using a web form to capture contact information, then now is the time to review the type of information you collect as GDPR requires you to legally justify the personal data you capture from website visitors.

What this means is that going forward, you can only ask for information you need, rather than information you would like to have. And while asking for the size of personal income and date of birth will help you identify and prioritize the leads you get, you need to make sure that you can prove why you’re asking for it.

Otherwise, if you can’t justify the extra information, then just concentrate on asking for name, company and business email address.

You also need to be clear and upfront about how you use their data and for what purpose, as well as giving them the opportunity to opt-in or opt-out accordingly (via a subscription management tool).

This means that just because they’ve entered their email address to sign up for a webinar, it doesn’t mean they are subscribing to every mailing list you have.

Prospects need to opt-in to receive email marketing campaigns, so be clear on how they can subscribe.

GDPR compliant forms on website


Since May 25 2018, sales prospecting has changed.

But, ultimately, it's for the better.

Instead of trying to sell to new prospects that are not in the market to buy, GDPR forces you to focus on building relationships and selling to people that actually want to hear from you. In doing so, you’re dealing with prospects that are much more engaged and ready to buy.

GDPR helps you focus on quality prospects over a quantity of prospects – so it should make your job easier in the long-term.

Remember, GDPR is not about restricting the way you prospect and generate new business. In fact, by complying with GDPR, you and your sales team will quickly meet your sales KPIs, generate better quality leads, reach more engaged prospects and ultimately, win higher close rates.

Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.
