GDPR Compliance for Outbound Sales: Practical Guide & FAQs

By: JB Daguené

Introduction

If you live in the EU, chances are your inbox was overflowing with a countless number of emails concerning the General Data Protection Regulation (GDPR) that went into force a few weeks ago (and so was mine). Besides the overwhelming volume of privacy policy updates, we also had a huge amount of questions about the real impact of the GDPR on outbound sales processes coming from our clients.

So we created a practical e-guide outlining our recommendations on how to adapt or implement your sales processes to be compliant with the GDPR. Now, having received lots of great feedback on this resource, we want to share the answers to the top 5 FAQs with you. Read on if you need practical advice on how to adapt your outbound sales process to the GDPR.

Note: While the answers from these FAQs might also apply to some inbound and content marketing processes, they were not created for that purpose.

This post is an interpretation of the GDPR from a direct marketer’s, aka outbound sales professional’s, perspective for cold outreach. It cannot be regarded as official guidelines. The author and other affiliated parties cannot be held responsible for any damages caused by these guidelines.

While this post offers an interpretation of the GDPR that permits the practice of cold outreach, the author and other affiliated parties do not endorse the use of any channels for spamming and scamming purposes. Feel free to read the B2B sales manifesto written by the author to learn more about the author’s principles and recommended code of conduct regarding cold outreach in B2B sales.

Definitions

You can find the official GDPR definitions in the appendix of this guide, yet to simplify the reading of these guidelines, please find below an interpretation of the definitions from the B2B outbound sales perspective.

Personal Data

means data such as full name, job title, email and any other information related to your lead that you might have collected from different sources on the internet.

Processing

means the process of collecting the personal data (for example, into your CRM) and updating this data.

‘Restriction of processing’ means the lead’s personal data can no longer be used for outbound sales. This can be considered the equivalent of “unsubscribe”, in order to guarantee that the lead will not receive any further marketing or sales materials.

Controller

means your company.

Processor

can be a service or a tool that your company uses to process the data like your CRM system.

Third party

can be a service provider that works with your lead’s data within your CRM.

Consent

means that your lead has freely given her/his consent to process her/his personal data and she/he is fully aware of the processing purpose.

Data subject or subject

means your prospects.

Direct Marketing

While the GDPR doesn’t include a definition of ‘direct marketing’, FEDMA (Federation of European Direct Marketing) provides the following definition: “The communication by whatever means (including but not limited to mail, fax, telephone, on-line services etc…) of any advertising or marketing material, which is carried out by the Direct Marketer itself or on its behalf and which is directed to particular individuals.” According to this definition, outbound B2B sales can be considered direct marketing.

TOP 5 FAQs

DO I NEED TO GET CONSENT FROM THE DATA SUBJECT PRIOR TO MY COLD OUTREACH?

No*, according to the Recital #47: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

In other words, the controller (your company) does NOT need to have the data subject’s (your prospect’s) consent (opt-in) to collect their personal data (full name, job title, and email) for direct marketing (outbound outreach) because direct marketing "may" be regarded as legitimate interest.

*Nevertheless, the direct marketing purpose might be questioned if the controller is not able to demonstrate processes that can justify its legitimate interest for direct marketing. As per the Recital #47: “At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”

To conclude, while the GDPR may consider direct marketing a legitimate interest, we strongly believe that the GDPR uses the term “may” to make sure the controller is not processing data for poor direct marketing, with poor list-building and overall poor targeting, that could be assimilated to spam activities and therefore wouldn’t be considered a legitimate interest.

DOES THE DATA SUBJECT HAVE RIGHTS IF I PROCESS HER/HIS PERSONAL DATA FOR DIRECT MARKETING PURPOSE?

Yes, according to Articles 15, 16, 17, 18, 19 and 21, the data subject has the following rights:

Article 15: “Right of access by the data subject”

Meaning that the data subject has the right to access his/her personal data and the purpose of the processing.

Article 16: “Right to rectification”

Meaning the data subject has the right to rectify incorrect information regarding his/her personal data.

Article 17: “Right to erasure (“right to be forgotten”)”

Meaning the data subject has the right to request a full erasure of her/his personal data from your CRM and any other place where her/his personal data was processed or stored.

Note: In the interest of the data subject and in the context of direct marketing, if the data subject does not want to receive any additional direct marketing material from the controller, then we highly suggest the controller recommends the data subject to exercise her/his right to object according to Article 21 (see below).

Article 18: “Right to restriction of processing”

This article’s main purpose is to hold proof of the data subject’s personal data if the data subject contests the legitimate interest of the controller to process her/his personal data. Unless the processor does not follow the GDPR recommendation in Article 14 (see next question) or uses the personal data for any purpose other than direct marketing, it’s unclear how this Article can be applied in a direct marketing context.

Article 19: “Notification obligation regarding rectification or erasure of personal data or restriction of processing“

Meaning that the controller should notify other recipients to whom personal data have been disclosed (if any) if the data subject exercised her/his right(s) from Article 16, Article 17 and Article 18.

Article 21: “Right to object”

Meaning that the data subject has the right to object to any further processing. This is the equivalent of a traditional opt-out such as unsubscribe. In that case, the controller must have CRM processes in place to guarantee that the data subject’s personal data won’t be processed anymore.

DO I NEED TO INFORM DATA SUBJECT ABOUT HIS/HER RIGHTS IF I PROCESS HER/HIS PERSONAL DATA FOR DIRECT MARKETING PURPOSE?

Yes. According to Article 14 of the GDPR, which concerns the rights of the data subject when her/his personal data have not been obtained from the data subject, the controller must provide the following information to the data subject:

Point (a) of Article 14(1): “The identity and the contact details of the controller”

Meaning your cold emails should include your company name and address.

Point (b) of Article 14(1): “The contact details of the data protection officer, where applicable”

According to Article 38(4): “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” Meaning, if the main point of contact in your organisation for personal-data-related issues is your data protection officer, then this point is applicable.

Point (c) of Article 14(1): “The purposes of the processing for which the personal data are intended as well as the legal basis for the processing” and Point (b) of Article 14(2): “Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party”

Meaning, you need to inform the data subject that you processed their data for direct marketing purposes which, according to Recital #47, is considered a legitimate interest.

Point (d) of Article 14(1): “The categories of personal data concerned”

Meaning, you should inform the data subject what type of personal data you have collected. For example: full name, job title, email, etc.

Point (a) of Article 14(2): “The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”

Meaning, you should explain the criteria you used in your sales process to keep their data in your CRM for an undefined period.

Point (c) of Article 14(2): “The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability”

Meaning that the data subject must be informed about her/his right to object to any further processing (e.g., if they’re not interested in your services and do not want to be contacted again), to get a copy of her/his personal data, and to request a full erasure of her/his personal data from your CRM.

Point (e) of Article 14(2): “The right to lodge a complaint with a supervisory authority”

Meaning, if the data subject has concerns about the lawfulness of processing related to their personal data, they must be informed by the controller about their right to lodge a complaint.

Point (f) of Article 14(2): “From which source the personal data originate, and if applicable, whether it came from publicly accessible sources”

Meaning, you should state where the data came from. For example, the full name and job title were found on LinkedIn and the email address was guessed based on the company’s email structure, which is publicly available.

Point (b) of Article 14(3): “if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject”

Meaning, you need to inform the data subjects about all the above points in your first outreach.

Recital #70: “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”

Meaning, you need to inform the data subject in a clear way about their rights separately from your direct marketing message. For example, all of the above points can be included in an email disclaimer.

Special note regarding cold calls: To be fair, if you’re doing cold calls, even with the best intentions, it might be difficult to include all of the above information during your cold call. Furthermore, it might also be difficult to document that you’ve given all of the above information to the data subjects during your cold call. One could argue that Point (b) of Article 14(5), “the provision of such information proves impossible or would involve a disproportionate effort”, which refers to the exceptions where paragraphs 1 and 2 of Article 14 do not apply, might be applicable in that case. However, we strongly recommend not leaving room for doubt: do the first outreach via cold email and eventually follow up with a cold call, in order to guarantee compliance with Point (b) of Article 14(3).

DO I NEED TO DOCUMENT MY INTERNAL PROCESSES TO APPLY THE GDPR?

Yes, we strongly recommend you document your legitimate interest for direct marketing purposes, and also how you respect and honor the data subject’s rights.

This will also be necessary in order to be compliant with the Article 35 related to the “Data protection impact assessment”, meaning you will need to self-assess your internal processes concerning but not limited to the below topics:

Document your legitimate interest:

Define your ideal customer profiles

Implement dedicated fields in your CRM to systemize your homework prior to contacting a data subject

Personal data processing:

Collection sources

Ensure the tools used to process the data subject’s personal data are secured and GDPR compliant

Flowcharts where the data is shared with any third party (if applicable)

Data subjects’ rights:

Record the requests made by data subjects

Have clear and transparent processes related to the status of data subjects’ requests

Template to confirm and honor requests made by data subjects

These types of tasks will have to be performed by your data protection officer who, according to Point (b) of Article 37(1), will have to be designated by the controller.

According to the Article 37(6), the data protection officer can be a staff member or a third party consultant. According to the Article 37(7), the controller will also have to: “Publish the contact details of the data protection officer and communicate them to the supervisory authority”.

Finally, according to Point (b) of Article 39(1), the most important task of the data protection officer is to monitor compliance with the regulation and, according to Point (c) of Article 39(1), to provide advice on the self-assessment. More information about the other tasks of the data protection officer can be found in Article 39.

Note: If you use a third-party supplier to build or enrich your list of contacts, then, according to Article 29, we highly recommend having a signed agreement which indicates that the supplier will only work with the data subjects’ personal data according to your instructions.

DO I NEED TO FOLLOW GDPR REGULATIONS IF MY ORGANISATION IS BASED OUTSIDE OF THE EU?

Yes. According to Article 3(2), the GDPR applies as long as your organisation processes personal data of EU data subjects for direct marketing purposes and, according to Article 3(3), if your organisation is located in a place where EU law applies by virtue of public international law.

Meaning, if your organisation sells in the EU and if your organisation is located where international law applies, then you should follow the GDPR.

Is the GDPR still a bit of a mystery to you?

Our practical e-guide will walk you through the three main aspects that need to be addressed:

Data-processing

Outreach

Honoring data subject’s requests

Pooling together top recommendations and best practices, this e-guide will help you implement or adapt your B2B outbound sales process to be GDPR compliant. It comes packed with flowcharts, templates and a recommended framework to save you time and streamline the fine-tuning of your sales processes.

Article by

JB Daguené

I eat SaaS for breakfast, B2B Sales for lunch, and Data for dinner. I like my food spicy! Since 2014, I've helped 100+ companies to build and scale specialized sales teams with 6 main playbooks.
