GDPR for sales: How to find new customers without breaking the law!


Post summary:

  • How has GDPR affected your sales team?
  • How has sales prospecting changed under GDPR?
  • 7 ways to find new customers (without breaking the law!)

B2B sales is competitive by nature.

And given that 50% of all sales go to the first company to respond to a prospect, having an effective process in place is business critical.

Whether you pick up the phone to cold call prospects, meet potential customers while networking at events, or do something else entirely, proven strategies that quickly turn strangers into customers are considered the ‘holy grail’ in sales.

That’s because there’s a science to sales and once you master it, you can use multiple sales techniques to quickly reach sales quotas and collect that well-earned sales commission.

But, this has now changed.

The way you used to prospect has received a major update due to the EU data protection regulation known as GDPR – which came into effect in May 2018.

Failure to comply with GDPR can leave your company facing fines of up to €20 million or 4% of global turnover – whichever is greater.

There’s no escaping it:

The EU’s biggest privacy update in more than two decades is soon upon us – and with 57% of B2B sales professionals not aware of what GDPR is (via Demand Gen Report) – now is the time to look at how GDPR affects your sales team and how you can prospect under GDPR.

Sales reps not ready for GDPR

With that being said, let’s get started.

Will GDPR affect your sales team?

You might think that GDPR won’t apply to you, but for many sales reps, GDPR represents a big shift in your day-to-day prospecting.

Ask yourself this:

  • Do you still rely on purchased leads to fill up your sales pipeline?
  • Do you automatically add business card contact data to your mailing list?
  • Do you ask existing customers for referrals and recommendations?

If you answered “yes” to any of the questions above, then GDPR has an impact on you and your organization.

Also, in case you think that the GDPR only impacts European businesses, you’d be wrong.

It doesn’t matter if your business is based in the EU or not – if the data you collect on at least one of your prospects belongs to an EU citizen then you’re liable to comply with GDPR.

GDPR for Sales

GDPR is the term used to describe a series of major updates to the EU data protection law that came into effect on May 25th, 2018.

In essence, GDPR provides citizens of the EU with greater control over their personal data and offers assurances that their information is secure, regardless of whether the data processing takes place in the EU or not.

For sales teams, personal data is at the heart of how they prospect for new business, and GDPR will change how they collect, store, and process it, and how long they can retain it.

What is personal data?

Well, it comes in a variety of forms and can include things like name, email, phone number, and interests – the kind of information that sales reps typically store in their CRM system about their prospects.

On a bigger scale, personal data also includes things like IP address, social media posts, bank details, and even medical information – so it’s important to make sure you’re handling all types of personal data appropriately.

How sales prospecting will change under GDPR

First you have the collecting and storing of the data and then you have the processing.

Let’s take a closer look at how this will change under GDPR.

Collecting the data and seeking permission from the individual

GDPR revolves around correctly seeking permission to collect, store and use personal data.

The most typical way to seek permission is through a web form – including a link to a privacy statement – or in a follow-up email.

Under GDPR, individuals have the right to be informed about what data you collect, why you are collecting it and how you intend to use it.

But, that’s not all.

Individuals also have the right to be informed about the purposes of processing their data and the period for which their personal data will be stored (you can read more about the individual’s rights under Article 13 and Article 14).

So, if you haven’t obtained their consent at the time you have collected their personal data, you must inform them – within 30 days of obtaining the data – that you have done so and the purpose for why you are keeping their personal data in your system.

Consent notification email

If the person replies to a message like this and requests that you delete their data, you have to comply with that request and remove them from your CRM database. Or, at the very minimum, keep as little information as possible to ensure no future contact will be made.

Although, this is easier said than done.

In some cases, you may be legally required to store their data, even if they request that you remove it. If this happens, your Data Protection Officer (DPO) will need to inform the person that you are required to keep their data stored and the reasons for doing so.

However, if you don’t hear back after making a fair and reasonable effort to contact them, then you can assume that storing their data isn’t a problem – providing you have a legitimate interest.

Just make sure you do not send any marketing messages (unless they have opted in) and that you keep a record of the consent, in order to stay GDPR compliant.

Processing the data

Once you’ve sought permission to store the data you have on a prospect, the next step is to use it to help you in your quest for new sales. However, you have to be careful, because GDPR restricts the way you can process (or use) this data.

For example, today when you collect an email address from a prospect, they are usually added to a variety of sales and marketing email lists, such as:

  • If someone downloads a white paper, you later send them an email with a webinar invitation.
  • If someone requests more information on your pricing packages, you add them to your lead nurturing email list.
  • If someone calls up your business to ask for a free trial, you send them a series of onboarding emails.

If you’re still doing this today, then you risk being fined.

When you collect personal data such as an email address, not only do you need to inform the individual that you have stored it, but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.

Simply put:

You cannot assume that you have permission to send mass email campaigns just because you have their email address.

One way to handle this is to allow prospects to manage their email subscriptions, using a subscription management tool.

Subscription management settings inline with GDPR compliance

However, before you can begin to think about storing and processing personal data, you first need to find it – so let’s look at how to prospect under GDPR.

7 ways to prospect under GDPR

For many companies, GDPR means sales teams need to make some changes to their sales techniques to stay compliant. Here are 7 sales prospecting techniques that you should consider adopting now that the new regulation has come into effect.

1. Sales outreach

If you’ve been sending out cold prospecting emails and sales pitches on auto-pilot lately, then you’re going to have to stop.

Immediately.

With GDPR, you can’t send automated sales emails to prospects without getting their permission first. This includes product demo, quick catch up and “just reaching out” emails, or any other form of communication that your prospects didn’t ask to receive.

If you’ve never had contact with a prospect before, you should demonstrate in the sales outreach email that you have tried to contact them by phone prior to emailing them.

In the example below, it’s clear that no attempt has been made to reach out to me by phone, and the email therefore falls under direct marketing communications.

Cold sales email example

If you’re going to send out these kinds of outreach emails in a post-GDPR world, then you need to have been granted consent by the prospect first. Without it, you’re failing to comply.

That being said, you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients (if it includes an unsubscribe link, it’s most likely automated), and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).

2. Social selling

Social selling is a new term to many sales reps.

Today, only 1 in 4 sales reps use social selling.

But, for those that do use it, it’s fast becoming a popular way to prospect!

The good news is that GDPR doesn’t prevent you from finding and connecting with potential customers on social media. Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

If you use LinkedIn or any other social network for businesses, here’s a handy template to copy and paste each time you send out a connection request to get the conversation started.

LinkedIn connection request template

Once these contacts have accepted your connection request, you can reach out and message them with the aim to gain consent to nurture and sell to them.

Bear in mind that the principle of providing value before asking for something still holds in the social media world. Spamming your social media contacts will not provide any better results than if you were spamming prospects in any other channel.

If the conversation shifts outside of social media, you will need to establish that there is a legitimate interest in contacting them by email or by phone. The best way to do this is to gain their consent. However, consent to contact them cannot be treated as consent to send them mass marketing campaigns!

3. Purchased lead lists

Purchased lead lists can often be a great way to fill up the sales pipeline – either when there’s a drought or to complement your existing prospecting work.

But, since May 25th, this has now changed.

If you acquire leads that contain personal data from third-party ‘lead generators’, then not only do they need to have consent to share that information with you, but you will also be required to get specific consent to use the email addresses on the list – unless they have given their consent to be approached by associated partners (i.e. said “yes” to their data being transferred to third parties).

In this case, you can contact them.

However, you must document proof of their consent from the third party you purchased the list from, and you will also need to allow people to unsubscribe from your email campaigns.

This GDPR-related change affects existing purchased leads, too. If you already have purchased leads in your mailing list – but you haven’t contacted them yet – then you will need to document their consent from the third-party vendor before you send marketing messages.

4. Cold calling

Cold calling is one of the most effective ways to build new relationships with potential customers.

In fact, cold calling doesn’t come under the same regulation as the GDPR and is being given a new lease of life as a result, which is good news to cold calling experts!

At this stage, it is worth repeating that each time you add a new prospect to your CRM database, you’ll need to get their consent before you can start sending them promotional offers.

So, while you are on the call with the prospect, just ask them if they would like to receive newsletters. If they say yes, you can send them a link to a “manage my subscriptions” page where they can opt-in to specific news, content and updates.

The challenge with cold calling is that it can be difficult to document their consent, unless you record a call with a prospect. To overcome this, you can follow up the call with an email that sums up everything you have discussed.

In this email, make sure you include:

  • The purpose of why you called them,
  • What was agreed during the call,
  • Why you are following up by email.

Here’s an example of what this email could look like.

Cold call follow up email template

Each time you send an email with this information, make sure you store it in your database under the prospect’s details. If the prospect responds and asks to be removed from your mailing list, then you have to comply with their request.

5. Networking

Networking at conferences and events is a great place to meet new customers.

A large part of networking includes the age-old tradition of exchanging business cards. In the past, this meant taking the contact information on a business card, such as name, company and email address, and storing it in your CRM system.

While you can continue to exchange and store business card information, you cannot use their email address for marketing purposes, unless you have their consent and they have opted-in to receive marketing emails.

But, all is not lost.

You can still send one-to-one emails and follow up with prospects that have given you their business card since a legitimate interest has been established. So, don’t give up on networking just yet!

6. References

One of the most successful ways to find new customers is to ask your existing customers for referrals or recommendations to people they know who might be interested in your product or service. Today, you can simply pick up the phone and give new prospects referred to you by existing customers a call or send them an email.

Under GDPR, you can continue to call and email prospects based on recommendations from existing customers.

One of the best ways to reach new prospects through referrals is to ask your existing customer to introduce the both of you and tell them why he/she is doing it. Plus, using email means that the introduction is digitally recorded.

Of course, not every customer will be willing to write an email for your benefit.

To help you with this, here’s a sales email template that your customers can send to introduce you.

Introduction email template for reference customers

7. Website

Websites are a great place to capture new leads.

If you’re using a web form to capture contact information, then now is the time to review the type of information you collect. GDPR requires you to legally justify the personal data you capture from website visitors.

What this means is that going forward, you can only ask for information you need, rather than information you would like to have. And while asking for the size of personal income and date of birth will help you identify and prioritize the leads you get, you need to make sure that you can prove why you’re asking for it.

Otherwise, if you can’t justify the extra information, then just concentrate on asking for name, company and business email address.

You also need to be clear and upfront about how you use their data and for what purpose, as well as giving them the opportunity to opt in or opt out accordingly (via a subscription management tool).

This means that just because they’ve entered their email address to sign up for a webinar, it doesn’t mean they are subscribing to every mailing list you have.

Prospects need to opt-in to receive email marketing campaigns, so be clear on how they can subscribe.

GDPR compliant forms on website

Conclusion

Since May 25th, 2018, the way you prospect has changed.

But, ultimately, it’s for the better.

Instead of trying to sell to new prospects that are not in the market to buy, GDPR forces you to focus on building relationships and selling to people that actually want to hear from you. In doing so, you’re dealing with prospects that are much more engaged and ready to buy.

GDPR helps you focus on quality prospects over a quantity of prospects – so it should make your job easier in the long-term.

Remember, GDPR is not about restricting the way you prospect and generate new business. In fact, by complying with GDPR, you and your sales team will quickly meet your sales KPIs, generate better quality leads, reach more engaged prospects and ultimately, win higher close rates.


Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.


About Steven MacDonald


Steven MacDonald is a digital marketer based in Tallinn, Estonia. Steven has been creating blog content since 2010 and has appeared as a featured writer for Content Marketing Institute, Marketing Profs and Smart Insights. Since working with SuperOffice, he has led the growth from 0 to 2 million visitors per year. You can connect with Steven on LinkedIn and Twitter.

86 Comments

Sian

about 3 months ago

Can you clarify the bit on cold calling? I understood that consent also applied to telephone calls, i.e. you had to have specific consent to contact an individual. I am confused to read that cold calling doesn't fall under the same GDPR compliance.


Steven MacDonald

about 3 months ago

Hi Sian, thanks for commenting! You do not have to get consent to contact an individual. But, you will have to inform the individual that you have stored their data within 30 days of obtaining it, and explain why you have stored it. Thus, if they respond to you and ask you to remove their data, you should do so.


Sylvester

about 3 months ago

I understand the client has to opt-in before you can pitch them in a cold call. Can you help as to how such an opt-in statement at the beginning of the call should look?

Steven MacDonald

about 3 months ago

Thanks for commenting Sylvester! I suggest asking for consent and opt-in after the call, rather than at the beginning. This way, you can build the relationship first and once you feel like things are going well, you can ask for permission.

Nick

about 3 months ago

Great explanation for sales teams. Thanks a lot!


Tom Newton

about 3 months ago

Well done, Steven! This is a must-read for any sales rep wanting to learn more about GDPR.


Jon Wick

about 3 months ago

Hi Steven, Where you say: “you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients (if it includes an unsubscribe link, it’s most likely automated), and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).” Does this mean a cold email can be sent only to one individual without prior consent? As long as it’s not part of a mass email campaign and there is legitimate interest. Thanks Jon


Steven MacDonald

about 3 months ago

Thanks, Jon. Yes, that is correct. You can still send cold emails to prospects without their consent, providing you have a legitimate interest and it is not part of a mass email campaign.


Giuseppe

about 2 months ago

Just one comment on cold telephone calls. In the midst of all this GDPR, we have all forgotten about TPS, Telephone Preference Service, which we should check the number is not registered first before calling, should we not?


Steven MacDonald

about 2 months ago

That's an excellent point, Giuseppe! You're right. Check the TPS first before making a cold call to a prospect.


Rebecca

about 2 months ago

Hi, I read this blog as an answer to the storing of sales information from customers that form part of an accounts management system. So I have an ecommerce business - what is still not clear here or anywhere else is what you must do if a customer says they wish to "be forgotten" but you need their sales data for accounting purposes? Customer X buys something online. Their details are stored in my accountancy software. They wish to be removed. How do I comply with this but not potentially lose all my accounting info, which in turn will lead to much bigger issues than the GDPR fines?!? If you have any advice that would be much appreciated!

Steven MacDonald

about 2 months ago

Hi Rebecca, great question! So, if you have a customer that asks you to remove them from your database, but you need to keep their data for accounting purposes, then you or your DPO need to inform the person that you are required to keep their data stored and also include the reasons for doing so.


Jon Wicks

about 2 months ago

That’s great. Thanks for your reply. Do I need a warning under bottom saying this was sent on grounds of legitimate interest then an opt out link and or link to data privacy policy? Or do I just need to say this is sent on grounds of legitimate interest. Also, is this just opinion from you or a fact? Sorry don’t mean to question your experience but if we do this then are we sure to comply.


Steven MacDonald

about 2 months ago

Thanks, Jon. I recommend including both a privacy policy and opt-out link in your cold emails (this is my opinion, and not a fact).


Michael Covington

about 2 months ago

I've been looking for an in-depth piece on GDPR and sales for a while now. Thank you!


Alex

about 2 months ago

Thanks for great article, Steven. But what about consent on a workplace while someone is performing on behalf of his/her employer? If I got email and full name from open sources like LinkedIn, do I need consent still? I agree that there is still a need in transparency and respect, but LinkedIn has its own invision to allow people to communicate.

Steven MacDonald

about 2 months ago

Hi Alex, thank you. Not sure I understand the question here. Can you please rephrase? You can store information that you obtain from LinkedIn. But, you cannot add these contacts to your mailing list.


Jon

about 2 months ago

Thanks. If the prospect doesn’t reply can we send one further say a week or two later to remind them of the initial prospect? If obviously no reply after that then no future contact. Also, if the person receives the email and then agrees to receiving updates. Do we need to gather any further info or just simply store what’s necessary? Best Jon

Steven MacDonald

about 2 months ago

Hi Jon! Yes, you can resend a second sales email and remind them. After that, you can then stop trying to contact them if they do not reply. As for the second question - yes, store the information of consent. That should be enough.


Gajanan Wankhede

about 2 months ago

I am a little confused with the cold calling regulation. We buy leads from a 3rd party leads provider and I am not sure whether he acquires consent before he sells the leads to us? Kindly advise.


Steven MacDonald

about 2 months ago

Thanks, Gajanan. I highly recommend you get confirmation of consent from your third party lead provider before you try to contact/ sell to these leads.


Alex

about 2 months ago

Hi Steven, Great article and very interesting. I have a few questions that I would appreciate your opinion on: 1. How do the new GDPR laws affect a leads list kept in a sales team? And also what information are we allowed / not allowed to keep? This could be keeping info before first point of contact as a means of prospecting. 2. On a first cold email if they reply and say they are not interested, do we have to remove their details from our CRM? As we keep information on why people say no and also which companies to not get in contact with. 3. On any cold email to a business, do you have to include an opt out? Although it is for a legitimate reason, not just marketing. Thank you, Alex

Steven MacDonald

about 2 months ago

Thanks, Alex! 1. You can still keep in contact with existing leads, unless they have opted out. 2. You can store their contact information, unless they request to be removed from your CRM. But, this in itself changes if you are required to keep their information by another law/ regulation. 3. Personally, I would always include an opt-out link, just to be sure.


Simon Munch

about 2 months ago

Hi Steven Thank you for this very interesting post. Like many others I am also a bit in doubt about how these rules work. 1: For how long can we store contact information on our customer? And do we need to inform them about this. If we have called a prospect, and the person does not want to buy from us, but neither says we can't contact them again. Is it okay if we keep the contact information for next year? 2: The border between personal info and business info is a bit unclear to us. We write notes on all conversations with customers and prospects. These conversations are typically about the customer's firm and their situation, but would it still be regarded as personal information if we have this information related to the person who said it? I really hope you can help us with this.


Steven MacDonald

about 2 months ago

Hi Simon, and thank you! Here are my comments based on your questions: 1. Yes, it is OK to keep their information. But, for how long is something you must decide. 2. Yes, I believe so. Any information you store that can identify a person is impacted by GDPR.

Sarah Taylor

about 2 months ago

Hi Simon We are an SME manufacturing business with about 800 customers on our database. About 30% are customers who have bought machines or spares over the years and what I call our 'regular' customers as we have known these from the days of old - some over 30 years. Can I still phone these customers for a general 'keep in contact' call or do I need their permission to do so? Can I send them a 'catch up' email if their receptionist says I can if they are not in the office or do I need them to 'opt in'? Sarah


Steven MacDonald

about 2 months ago

Hi Sarah, great question! If they're paying customers, you can continue to contact them - either by phone or email.

Jules Bandrow

about 2 months ago

There's no reason to be so upbeat about this. It will be great to see less spam, but this can go bad in many ways for businesses. One of the big concerns I have: often you only start with someone's email address for having registered to use your online service, but then a salesperson "processes" that into knowing the name and company of the user and then invites the user on LinkedIn and Skype and other social media to stay in contact. If someone objects to your suddenly knowing their name from their email address, your company is protected from having conducted a breach of the law because there was a legitimate interest in providing your contact information to the registrant of your service via social media. Knowing their name and contact information from their email address is simply a normal thing salespeople do. Or is that in breach of the law now?


Steven MacDonald

about 2 months ago

Great point, Jules! You can continue to contact prospects by email or by phone, but if they withdraw consent or ask you to remove their details, you have to honor their request.


Tina Enright

about 2 months ago

Steven, A brilliant article for sales reps, thank you so much!!! direct, and very informative and not vague like a lot of articles!! Well done!! One question, what if my sales rep has a prospect customer database he collected himself from research etc... what do we do with this as of the 26th May???


Steven MacDonald

about 2 months ago

Thanks for the kind words, Tina! Great question, have you initiated contact with these prospects yet? Have they been added to your mailing list?


Audrey Bedford

about 2 months ago

Steven. Thank you for an excellent article. You've answered a lot of questions. I have a question regarding contacts made whilst networking. Our normal practice is to add a new contact's details to our CRM from their business cards for example and then follow up with a call/email depending on what was initially discussed. Do we need to confirm consent, within 30 days, that we have collected and are storing their personal data on our CRM, regardless of whether or not we are going to request consent for automated marketing purposes?

Steven MacDonald

about 2 months ago

Thanks, Audrey! No, you won't need to confirm consent, unless you want to market to them. You can store as many contacts as you wish, but if you plan to send marketing emails to these contacts, then you need their permission.


Eren E

about 2 months ago

Hi Steven, I have 2 burning questions about GDPR and using Linked In. 1) If I send a request to someone and they accept, my understanding is that they have consented to sharing their personal information including email. If I want to then email them using the email provided in their LI profile, this should be ok and not breaking any GDPR rules? 2) My bigger question is whether I am in violation of GDPR if I do this on a broader scale, i.e. I do 500 intros a week and then send emails to each person who accepts my invite via an email campaign which most likely would be circa 20 people a week. If I delete the email addresses (which I have full access to via LI once they have accepted my invite) if I don't hear back from them after the email campaign, is this ok OR do I need to send individual emails? I am trying to understand whether I can send email campaigns that send emails individually every 30 seconds using an automated tool OR do I need to send individual personalised emails? Thanks!!

Steven MacDonald

about 2 months ago

Hi Eren, thanks for dropping by and leaving a comment. If you send out a connection request to someone on LinkedIn and they accept it, you can continue the dialogue with them on LinkedIn. It's here you can try to move the conversation over to email or phone, but you shouldn't assume that because they have accepted your request that you can now start sending them marketing emails. Hope this helps with your sales outreach.


John

about 2 months ago

We have an SaaS business and when someone signs up for a trial, we send him an automated series of onboarding emails with things like tips + tutorials. At the conclusion of the trial, we send a few more emails if they have not converted. You mentioned that it is no longer possible to send these onboarding emails. Are there any alternatives to this?


Steven MacDonald

about 2 months ago

Hi John, in your first email, where you include the username/ password/ account creation information, you can include a link to a self-service section on your website to help the free trial user learn more about the product and how to get started. Or, if you're a SuperOffice customer, you can send the "consent" email where new users can subscribe to onboarding material.

John

about 2 months ago

Thank you Steven! Just a follow up question: We are planning to do a double opt-in when someone signs up for a trial to activate the trial. Is it OK if we start the onboarding sequence once the confirmation link has been clicked? Basically the link activates the trial and puts them in the sequence (once clicked) and it will be clear that they are opting into the onboarding sequence. From my understanding, if we want to send them other marketing, we will need to send them to a page with checkboxes.


Steven MacDonald

about 2 months ago

Hi John. To be honest, I'm not sure the double opt-in makes any difference here, in terms of whether you can send them onboarding emails or not. Onboarding is a tricky area. It's not strictly marketing material (more likely classed as training material), but the free trial user is not a customer either. If you're 100% sure you will send onbaording emails out to new free trial sign ups, I recommend getting something in writing from a lawyer, just to be sure. And please share any new knowledge you gain here. I would really appreciate it.

Paul Faulkner

about 2 months ago

Hello everyone, How I have worked up until now is I make contact with a target company and either speak directly to the person I want to speak with (e.g. the Office Manager) and then either get blown out or get a name / email address and seek permission to keep in touch with an occasional call and reminder email OR if said Office Manager is not around / available, try to get his (or her) name and an email address and then send an email to introduce me and what I do... and again then go on to make periodic (usually around once a quarter) follow-up calls on a keep in touch basis either way. I *only* ever send one email at a time after a call (whether I've directly spoken that time with the right person or not [perhaps the Office Manager is out at lunch], in which case I send an "I called earlier but missed you" type email). I cannot emphasise enough that it is only ever one email at a time after each call. I don't send multiple individuals emails from a list on autopilot at all. Only ever where I've made a call and then sent my name / co-name and contact details. Am I still allowed to do this? Entirely (i.e. nothing need change), not at all (i.e. stop completely) or partially? If so, what parts do I need to stop or take special care with? Every "support email" I've sent for the last 3 years or so in the way I've described has a "click here to be removed / not contacted again" opt out box and when someone sends me such an email back (which they do from time to time) I always acknowledge their email AFTER I have marked my CRM with "do not call again". I have never ever had a complaint (though of course, I have had the odd "I'm / we're not interested" [the whole reason for having the opt out box]). Right now I do not have a link to my 'privacy policy' but on reading through this I think I will update my support emails to add this anyway. So - can I continue exactly as I am? Mostly but not entirely? Stop sending emails completely?
I will add that when I ask for an email address, it's fairly obvious that I want to send an email and I always ask whether I can keep in touch (during the call) - but of course I cannot do this where I get an answerphone, for example. I have to say that this is the most draconian, difficult to understand mess imaginable - but the law is the law and I will obey it because I don't want the fines! Please help me understand it. It affects how I earn a living.

Steven MacDonald

about 2 months ago

Hi Paul, great question and thank you for leaving a comment. I'm sure a lot of sales reps/ business owners are wondering the same thing! The good news is that your existing sales outreach seems perfectly fine - even under GDPR. You attempt to speak with the prospect by phone, send a follow up email that references the call you made and you manually follow up with each individual every few months. Plus, there's an option for the prospect to opt-out, so to me it seems as if you are covered here. Well done!

Anonymous

about 2 months ago

I am not sure if it depends per country, but in the UK that is not allowed under GDPR. This is how Honda and FlyBe got in £83,000 worth of fines. Steve Eckersley from the ICO advises that: "Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law." Even if the receptionist gives out an email address from the office manager, you cannot email that office manager without speaking to them and getting their consent on the phone.

Steven MacDonald

about 2 months ago

Thanks for leaving the comment, I appreciate your wish to remain anonymous. You're absolutely right! You cannot send re-permission emails to subscribers that have previously opted-out. That is marketing and that is why those companies (and others) were fined.

Natalie

about 2 months ago

Hi Steven, Interesting article, but I'm concerned that you're tracking me via Google Analytics without my explicit permission? How can I trust the validity of your posts when you yourself are not GDPR compliant?

Steven MacDonald

about 2 months ago

Hi Natalie. Thanks for leaving your comment and I appreciate your concern. We're tracking visitors anonymously through Google Analytics and we're not processing any personal data, so we cannot identify you and what you as a person do on our website.

Natalie

about 2 months ago

Steven, Bit offended that you appear to have deleted my last comment? To add to my previous comments on Google Analytics tracking without consent: my understanding is that if you're using it for any sort of advertising, it needs my explicit permission... yet I have not given you permission and I can see that you are tracking me with a Google DoubleClick cookie... which is used for advertising =\

Steven MacDonald

about 2 months ago

Hi Natalie, your comment hasn't been deleted - all comments are modified. You can see your comment listed in this section.

Stephen

about 2 months ago

Hi there Steven, thanks for the detailed and informative article. After reading through all the comments and your replies to each, there is just one grey area that I would like some clarification on. In replying to Paul Faulkner's post you mentioned that the process he was following seemed perfectly fine under GDPR. However, the anonymous poster contradicted one of Paul's points, stating that "Even if the receptionist gives out an email address from the office manager, you cannot email that office manager without speaking to them and getting their consent on the phone". I just wanted to double check your thoughts on this. So if a call is made to an organisation and you are informed by a receptionist that Bob Jones is the best point of contact for your query, but Bob is only contactable by email at bob.jones@example.com, are you OK under GDPR to send Bob Jones an email referencing your conversation with the reception team and then introducing your product to Bob, providing that you include a link to a privacy statement and an option to opt out of receiving any future correspondence?

Steven MacDonald

about 2 months ago

Hi Stephen, thanks for leaving a comment. To clarify, the comment made by the anonymous poster was referring to mass marketing emails, and not sales outreach emails. Honda and FlyBe were fined by the ICO because they sent out their re-permission emails to their entire mailing list, including those that had previously opted out. You can send individual emails to prospects if there is a legitimate interest, but you cannot call up a business, get Bob Jones' email address from the receptionist and then add Bob to your mailing list without his consent.

Terry Scott-Alexander

about 2 months ago

Thank goodness I have just retired!

Steven MacDonald

about 2 months ago

Congratulations, Terry! You have definitely chosen the right time to retire!

Ash

about 2 months ago

What is the definition of a legitimate interest? Does company A wanting to offer a SaaS to company B count as one?

Steven MacDonald

about 2 months ago

Great question, Ash. Here's how the official GDPR website defines a legitimate interest https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

Jon Wicks

about 2 months ago

Hi Steven, just a quick one: would I need two privacy policies? One post someone opting in (as once they've opted in we then share their info with investment product providers with their consent), and then one pre someone opting in (as we never share their details unless they opt in)? Or just one policy which explains the above? Thanks

Steven MacDonald

about 2 months ago

Hi Jon, in this case, I would recommend having two policies so you are extremely clear to the prospect that if they opt-in, their data will be shared.

Jack

about 2 months ago

Hi Steven, I use social selling on Facebook and Instagram. I currently message direct to pages on Facebook Messenger and people on Instagram with an offer for a free sample. Under the new law, is this OK?

Steven MacDonald

about 2 months ago

Hi Jack, I believe that as long as you do not include them in your mailing list and this approach to social selling is based on a one-to-one basis, then you should be fine.

Rob

about 2 months ago

Hi Steven. I'm a little confused about calling website registrations, e.g. if someone registers on our website with a phone number, can we then call them up - does this count as a cold call and is it therefore allowed? Or is using this data for contact not permissible unless they have opted in? Thanks, Rob

Steven MacDonald

about 2 months ago

Hi Rob, yes, you are allowed to contact a prospect by phone if they leave their phone number. For example, if they fill out a price request form on your website and leave their phone number, but no email address, then you have no other choice than to contact them by phone.

Silas

about 2 months ago

I'm afraid I disagree with your suggestion that things will be ok / better. Sadly, the days of the internet being the saviour of the little guy are somewhat over with GDPR! Time was, a startup could get the message out by email. Now we're back to expensive sales people making telephone calls or manually writing individual emails. Or building inbound sales funnels (more expense) or buying advertising (more expense). Very sad. There was a brief period in which the internet tilted the balance, but the good old EU seems always to favour large businesses over startups! On a personal note, I *much* prefer receiving unsolicited email (that I can scan quickly whilst doing something else) than taking yet another intrusive phone call - and as an employer I can tell you that I don't like my staff's time being taken up with inbound calls! But never mind, too late to call foul on the good ol' GDPR :)

Steven MacDonald

about 2 months ago

Great comment, Silas. It's very important that someone like yourself voices your concerns under GDPR as I'm sure there are thousands/ millions of people who feel the same way you do.

Mike

about 2 months ago

Hi Steven and thanks for your work! I would like to address a few questions: 1. Is it a must to have opt-out functionality for personalized mails (not automated mailing), which are sent to corporate prospects (representatives of other companies, not consumers)? 2. You can only store corporate prospects' contact details in your database based on their consent? If so, why would legitimate interests as a legal basis not be sufficient? 3. If a corporate prospect shared his/her data on LinkedIn, why can I not assume that I can send him/her personalized marketing mail? The access was granted to the contact details belonging to him/her and therefore a statement, at the end of the mail body/at the footer, indicating the source of the information and the scope of processing should be enough. This is my understanding, could you please endorse?

Steven MacDonald

about 2 months ago

Thanks, Mike! Here are my recommendations based on your questions: 1. I would always include an opt-out in your emails, just in case. 2. You can store prospects without their consent. You just need to inform them if you plan to process (use) it. 3. If a prospect shares their email address with you and asks the conversation to move from social media to email, then that's fine. What you cannot do is connect with someone on LinkedIn, scrape their email address and then add them to your mailing list.

Petia

about 2 months ago

Hi Steven, thank you for the explanatory article. I am one of the old-fashioned salespeople. I gather contact information from the websites of my prospective clients, which includes their e-mails, company name and address, and the most appropriate contact person. I keep their data in a plain Excel document and send them individual emails manually (on a one-to-one basis, without using any automated system). Do I breach the law if I continue doing that in the same way, provided that I give them the opportunity to opt out and a link to our data privacy policy? And another question. How should I get their consent or refusal without an automated opt-in / opt-out system? Would it be enough to get their confirmation/rejection by email?

Steven MacDonald

about 2 months ago

Hi Petia, you are welcome. Glad you enjoyed the article. What you are doing is fine, but I recommend that you begin the conversation with a phone call, rather than an email. Make an attempt to speak with the prospect first by phone. If you cannot reach them, only then send an email.

Petia

about 2 months ago

Thank you for the reply. And what about my second question regarding getting their consent/refusal without an automated opt-in/opt-out system?

Steven MacDonald

about 2 months ago

Sorry I missed that, Petia. Yes, a confirmation/ rejection email should be sufficient.

Gio

about 2 months ago

Hi Steven, I am a bit concerned when you mention that I can acquire personal data on the legitimate interest basis and keep e-mailing the prospect as well as saving the data, unless I have his/her request to stop contacting or to delete the data. 1. So does it mean that I can keep communicating unless I have a response from him/her, even if it continues in the long term? 2. In this case, what is the distinguishing factor between a marketing e-mail and this type of e-mail? I consider any e-mail as marketing which explicitly or implicitly has selling or nurturing (again, the end goal is to sell, right?) as the end goal. 3. Also, why can I not use personal data for selling purposes in case the third party provides me with the data without the consent, however on the legitimate interest basis? Don't you think that there is something common between this case and the one described by you in the "Collecting the data and seeking permission from the individual" section? Thank you

Steven MacDonald

about 2 months ago

Hi Gio, Thanks for stopping by. So, to answer your questions: 1. If you contact a prospect and they do not respond, you can make a second or even third attempt to reach them. But, they are most likely not interested if they don't respond by then, so it makes sense to remove them from your prospecting list. 2. The best way to differentiate between the two is this - If you send an email to more than one person then it's considered mass marketing. 3. Good question! To be honest, I wouldn't purchase third-party lead data unless you have their consent. If you do, then you can send them marketing emails. Without it, you can still target them, on a one-to-one basis, but it's an expensive way to prospect. But, if you have the budget, then why not?

Gio

about 2 months ago

Where is my question? :))

Steven MacDonald

about 2 months ago

Hi Gio! All comments are moderated. We receive over 100 comments per day, with 80% of them being spam, so each comment is manually approved by myself. I've just approved (and responded to) your comment now.

Clare

about 2 months ago

Hello Steven, Your article has been extremely helpful! Thank you! Please may I ask a quick question? The majority of our sales emails are not sent to a specific individual's email address, for example 'Tom@###', but a company's 'info@#####' type of email address. Therefore, as we do not email a specific 'individual', is it okay to email the 'info@###' without gaining consent first? Many thanks

Steven MacDonald

about 2 months ago

Hi Clare, thank you! I'm happy to hear you enjoyed the article. To answer your question - yes, it should be fine to continue to send sales outreach emails to a general company email address without gaining their consent.

Lucia

about 2 months ago

Hi Steven, great article! I also have a question! I have heard here and there that GDPR may cause an issue for the sales person contacting their customers via email. For example, an issue I had today - I requested some details about my car finance and possible plans for the future via email, and the response I got was 'you'll have to book an appointment, due to GDPR we can't offer this over email' - is this really the case? If so, should we be implementing that into our business? Surely, if a customer is requesting information and asking about possible sales in the future, you are able to communicate back via email rather than making everything a face to face meeting? Thanks

Steven MacDonald

about 1 month ago

Hi Lucia, when it comes to communicating with customers, you should be fine to use email. For example, a software provider must inform their customers if an upgrade or downtime is planned on a specific date. If you have 100,000 customers, you cannot be expected to call each and every one of them. Therefore, you must use email.

Sam

about 1 month ago

Hi Steven, Great article, very helpful. I do have a quick question when it comes to cold calling: if you have sourced the details from LinkedIn, such as a name and job title, is it still OK to cold-call that company and ask to speak to that person? Thanks

Steven MacDonald

about 1 month ago

Hi Sam, thanks for leaving a comment. Yes, if you find a prospect on LinkedIn, you can cold call their company and ask to speak with them.

KT

about 1 month ago

Hi Steven, found your article really helpful - thank you! I have a question about storing data. If a prospect does not opt in, or subsequently unsubscribes, are we OK to store their details to ensure we don't re-add them to future prospecting activities? We have a sales team who check whether there is an existing record of a prospect on our CRM, but unless we keep details of those who opt out or have unsubscribed there is a danger we will contact them again in the future. Hope you can offer some guidance, I cannot find anything relating to storing unsubscribe lists on any GDPR websites!

Steven MacDonald

about 1 month ago

Hi KT, I'm happy that you enjoyed the article. Yes, if a prospect unsubscribes from your marketing messages, it is OK to store their details, unless they request to be removed (i.e. the right to be forgotten).

Mike

about 1 month ago

Hi. Great article and very informative! How does GDPR affect using land registry to prospect? As it is a public record, is it still OK to prospect people directly knowing that they are the owner of a certain property? Can we still use the old-fashioned letter and a stamp or is that outlawed?

Steven MacDonald

about 1 month ago

Great question, Mike. I recommend checking with a lawyer here as I'm not entirely sure if it falls under GDPR. I would assume it is OK to prospect by post, but it's worth double checking, just to be sure.

Sandhya

about 3 weeks ago

Excellent article, Steven. I wish I had seen it earlier!

Nicola Berry

about 2 weeks ago

Hi. In the process of building a new website and want to target new customers. Have obtained contact information/email via Google/yell.com for 100 more potential customers. Once the website is finished, would like to invite these to subscribe. How do I do this? Thank you

Steven MacDonald

about 2 weeks ago

Hi Nicola, the big question here is - how did you obtain contact information? If they gave their consent to send marketing messages, then you can email them. If you found their information online and do not have their consent, then you need to contact each prospect individually by phone, before you use email.

Daria Bonne

about 2 days ago

Dear Steven, thank you for such a great overview. Well done! I have a question related to this topic. In case of obtaining personal data of end-users from the data controller in order to execute marketing campaigns via email/SMS, do I have the obligation as a data processor to verify in the first place where this data is coming from and if the data controller collected consent of end-users for receiving marketing? If I am not sure if the data controller obtained consent, in case of a complaint, would it be shared liability? Article 28 3 (h) GDPR stipulates: "With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions". Do you have any suggestion how to tackle this? Would it be enough to collect from the data controller a statement (extension of DPA), where it is stated that the responsibility is fully taken over by the data controller? I would very much appreciate any kind of feedback on this. Best wishes Daria

Steven MacDonald

about 1 day ago

Hi Daria, thank you! I'm really glad you liked it. To be honest, I don't have an answer to your question. Sorry about that. Is there anyone internally you can speak with?
