GDPR Guidelines for B2B Outbound Sales: A Comprehensive Guide

Introduction

GDPR is arguably the world's strongest data privacy legislation, and salespeople should be well informed so that they don’t accidentally breach it. We’ve had numerous questions about the real impact of GDPR on outbound sales processes from our clients and have decided to put all our thoughts into a comprehensive guide.

We created a practical e-guide outlining our recommendations on how to adapt or implement your sales processes to be compliant with the GDPR, which you can find at the bottom of the article. Now, having received lots of great feedback on this resource, we want to share the answers to the top 5 FAQs with you. This article provides practical advice on how to adapt your outbound sales process to GDPR guidelines.

Disclaimer

This article is an interpretation of the GDPR from a direct marketer or outbound sales professional’s perspective, meant to be used specifically for cold outreach. It cannot be regarded as official guidelines. The author and other affiliated parties cannot be held responsible for any damages caused by these guidelines.

While this post offers an interpretation of the GDPR that permits the practice of cold outreach, the author and other affiliated parties do not endorse the use of any channels for spamming and scamming purposes. If you’re interested in carrying out a fully compliant outbound strategy that leverages the power of AI while simultaneously increasing the quality of your output, feel free to get in touch.

Definitions

You can find the official GDPR definitions in the appendix of this guide, yet to simplify the reading of these guidelines, please find below an interpretation of the definitions from the B2B outbound sales perspective.

Personal Data

Information related to your lead, such as full name, job title, email, and any other information collected from different sources over the internet.

Processing

means the process of collecting the personal data, for example in your CRM, and updating this data. ‘Restriction of processing’ means the lead’s personal data cannot be used anymore for outbound sales. This can be considered the equivalent of “unsubscribe”, guaranteeing that the lead will not receive any further marketing or sales materials.

Controller

means your company.

Processor

can be a service or a tool that your company uses to process the data like your CRM system.

Third party

can be a service provider that works with your lead’s data within your CRM.

Consent

means that your lead has freely given her/his consent to process her/his personal data and she/he is fully aware of the processing purpose.

Data subject or subject

means your prospects.

Direct Marketing

While the GDPR doesn’t include a definition of ‘direct marketing’, the FEDMA (Federation Of European Direct Marketing) provides the following definition: “The communication by whatever means (including but not limited to mail, fax, telephone, on-line services etc…) of any advertising or marketing material, which is carried out by the Direct Marketer itself or on its behalf and which is directed to particular individuals.” According to this definition, outbound B2B sales can be considered as direct marketing.

Top 5 FAQs on GDPR for B2B Outbound Sales

Do I need consent from the data subject prior to cold outreach?

No, according to Recital #47: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” In other words, the controller does not need the data subject’s consent to collect their personal data for direct marketing. However, the legitimate interest must be carefully assessed to ensure it is reasonable and not considered spam.

Nevertheless, the direct marketing purpose might be questioned if the controller is not able to demonstrate processes that can justify its legitimate interest for direct marketing. As per Recital #47: “At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”

To conclude, while the GDPR may consider direct marketing as a legitimate interest, we strongly believe that the GDPR uses the term “may” to ensure that controllers do not process data for poor direct marketing with poor list-building and overall poor targeting that could be assimilated to spam activities and therefore wouldn’t be considered a legitimate interest.

Does the data subject have rights if I process their data for direct marketing purposes?

Yes, according to the Articles 15, 16, 17, 18, 19 and 21 the data subject has the following rights:

Article 15: “Right of access by the data subject”

Meaning that the data subject has the right to access his/her personal data and the purpose of the processing.

Article 16: “Right to rectification”

Meaning the data subject has the right to rectify incorrect information regarding his/her personal data.

Article 17: “Right to erasure (“right to be forgotten”)”

Meaning the data subject has the right to request a full erasure of his/her personal data from your CRM and any other place where her/his personal data was processed or stored.

Note: For the interest of the data subject and in the context of direct marketing purpose, if the data subject does not want to receive any additional direct marketing material from the controller, then we highly suggest the controller recommends the data subject to exercise his/her right to object according to the Article 21 (see below).

Article 18: “Right to restriction of processing”

This article’s main purpose is to hold proof of the data subject’s personal data if the data subject contests the legitimate interest of the controller to process her/his personal data.

Unless the processor does not follow the GDPR recommendation in Article 14 (see next question) or uses the personal data for any other purpose than direct marketing, it’s unclear how this Article can be applied in a direct marketing context.

Article 19: “Notification obligation regarding rectification or erasure of personal data or restriction of processing”

Meaning that the controller should notify other recipients to whom personal data have been disclosed (if any) if the data subject expressed her/his right(s) from Article 16, Article 17 and Article 18.

Article 21: “Right to object”

Meaning that the data subject has the right to object to any further processing. This is the equivalent of a traditional opt-out, like unsubscribe. In that case, the controller must have CRM processes in order to guarantee that the data subject’s personal data won’t be processed anymore.

Do I need to inform the data subject of their rights if I process their data for direct marketing purposes?

Yes. Article 14 of the GDPR concerns the rights of the data subject when her/his personal data have not been obtained from the data subject; under it, the controller must provide the information below to the data subjects:

Point (a) of Article 14(1): “The identity and the contact details of the controller”

Meaning your cold emails should include your company name and address.

Point (b) of Article 14(1): “The contact details of the data protection officer, where applicable”

According to Article 38(4): “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.” Meaning, if the main point of contact in your organisation for personal data related issue is your data protection officer, then this point is applicable.

Point (c) of Article 14(1): “The purposes of the processing for which the personal data are intended as well as the legal basis for the processing” and Point (b) of Article 14(2): “Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party”

Meaning, you need to inform the data subject that you processed their data for direct marketing purpose which, according to the Recital #47, is considered as a legitimate interest.

Point (d) of Article 14(1): “The categories of personal data concerned”

Meaning, you should inform the data subject what type of personal data you have collected. For example, Full name, Job title, email etc.

Point (a) of Article 14(2): “The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”

Meaning, you should explain the criteria you used in your sales process to keep their data in your CRM for an undefined period.

Point (c) of Article 14(2): “The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability”

Meaning, that the data subject must be informed about her/his right to object to any further processing (e.g., if they’re not interested in your services and do not want to be contacted again), get a copy of his/her personal data and request a full erasure of his/her personal data from your CRM.

Point (e) of Article 14(2): “The right to lodge a complaint with a supervisory authority”

Meaning, if the data subject has concerns about the lawfulness of processing related to their personal data, they must be informed by the controller about their right to lodge a complaint.

Point (f) of Article 14(2): “From which source the personal data originate, and if applicable, whether it came from publicly accessible sources”

For example, the full name and job title were found on LinkedIn and the email address was guessed based on the company’s email structure which is publicly available.

Point (b) of Article 14(3): “if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject”

Meaning, you need to inform the data subjects about all the above points in your first outreach.

Recital #70: “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”

Meaning, you need to inform the data subject in a clear way about their rights separately from your direct marketing message. For example, all of the above points can be included in an email disclaimer.

Special note regarding cold calls: To be fair, if you’re doing cold calls, even with the best intentions, it might be difficult to include all of the above information during your cold call. Furthermore, it might also be difficult to document that you’ve given all of the above information to the data subjects during your cold call. One could say that Point (b) of Article 14(5), “the provision of such information proves impossible or would involve a disproportionate effort”, which refers to the exceptions where paragraphs 1 and 2 of Article 14 will not apply, might be applicable in that case. Even so, we strongly recommend not leaving room for doubt: do the first outreach via cold email and eventually follow up with a cold call in order to guarantee compliance with Point (b) of Article 14(3).

Do I need to document my internal processes for applying GDPR?

Yes, we strongly recommend you document your legitimate interest for direct marketing purpose, but also when it comes to respecting and honoring the data subject’s rights.

This will also be necessary in order to be compliant with the Article 35 related to the “Data protection impact assessment”, meaning you will need to self-assess your internal processes concerning but not limited to the below topics:

Document your legitimate interest:

Define your ideal customer profiles

Implement dedicated fields in your CRM to systemize your homework prior to contacting a data subject

Personal data processing:

Collection sources

Ensure the tools used to process the data subject’s personal data are secured and GDPR compliant

Flowcharts where the data is shared with any third party (if applicable)

Data subjects’ rights:

To record the requests made by data subjects

To have clear and transparent processes related to the data subjects’ request status

Template to confirm and honor requests made by data subjects

These types of tasks will have to be performed by your data protection officer which, according to the Point (b) of Article 37(1), will have to be designated by the controller.

According to the Article 37(6), the data protection officer can be a staff member or a third party consultant. According to the Article 37(7), the controller will also have to: “Publish the contact details of the data protection officer and communicate them to the supervisory authority”.

Finally, according to Point (b) of the Article 39(1), the most important task of the data protection officer is to monitor the compliance with the regulation and, according to Point (c) of the Article 39(1), to provide advice on the self-assessment. More information about the other tasks of the data protection officer can be found in the Article 39.

Note: If you use a third-party supplier to build or enrich your list of contacts, then, according to the Article 29, we highly recommend having a signed agreement which indicates that the supplier will only work with the data subjects’ personal data according to your instructions.

Do I need to follow GDPR regulations if my organisation is based outside of the EU?

Yes, according to the Article 3(2), as long as your organisation processes personal data of EU data subjects for direct marketing purpose and, according to the Article 3(3), if your organisation is located in a place where the EU law applies by virtue of public international law.

Meaning, if your organisation sells in the EU and if your organisation is located where international law applies, then you should follow the GDPR.

Is the GDPR still a bit of a mystery to you?

Our practical e-guide will walk you through the three main aspects that need to be addressed:

Data-processing

Outreach

Honoring data subject’s requests

Pooling together top recommendations and best practices, this e-guide will help you implement or adapt your B2B outbound sales process to be GDPR compliant. It comes packed with flowcharts, templates and a recommended framework to save you time and streamline the fine-tuning of your sales processes.

Practical Steps to Ensure GDPR Compliance in B2B Outbound Sales

Data Processing

Ensure your CRM setup documents legitimate interests for direct marketing. This includes:

  • Step 1: List Building
    • Generate lists of companies that match your ICPs. Lists can be generated manually, from various databases, or simply scraping data that is publicly available on the web. The main goal is to capture the biggest Total Addressable Market (TAM) possible. The GDPR doesn’t concern data related to companies, but this part of the process is important to acknowledge for the second step.
  • Step 2: List Pre-qualification
    • Verify and check every company on the list to see if they match your ICPs. Document your legitimate interest by updating the CRM with fields like ICP (yes/no) and ICP type.
  • Step 3: Contact Research and Enrichment
    • Find the best person to contact based on the ICPs document. Use tools like hunter.io to guess the email address and verify it with tools like quickemailverification.com. Document your legitimate interest and the source where the personal data was collected.
  • Example fields to add to your CRM:
    • Status: Indicate if the data subject objected to further processing.
    • Expertise: Unify job titles across companies.
    • Type: Categorize contacts into decision-maker, influencer, or champion.
    • GDPR Source: Document where you found the personal data.

Outreach 

Include a GDPR disclaimer in your emails. These can be created using a specific template, or can simply inform users that you are following a specific set o

Honoring Data Subject Requests

Have a clear system in place to respond to data subject requests within one month. This includes templates for confirming requests, providing data copies, and confirming data removal.

Use Case Templates:

  • Data subject objects to processing:
    • Confirm request and update CRM to not contact the data-subject anymore.
    • Template: "As per your request, I hereby confirm that your status has been updated in our CRM to ensure that you will not be contacted anymore by anyone in our company for direct marketing purposes."
  • Data subject requests a copy of their personal data:
    • Confirm request and extract the data from the CRM.
    • Template: "As per your request, please find enclosed a copy of your personal data from our CRM which includes: Your full name, email, job title, link to Linkedin profile, and the source(s) where the data was collected."
  • Data subject requests a removal of their personal data:
    • Confirm request and remove the data from the CRM.
    • Template: "As per your request, I hereby confirm that your personal data has been fully removed from our CRM."

Conclusion

While GDPR might create extra processes for outbound sales, these steps will increase the quality of your prospect lists and benefit both your company and the data subjects receiving your marketing material. Evaluate legitimate interests before each campaign to minimize risk.

By following these guidelines, you can ensure your B2B outbound sales processes are GDPR compliant and maintain the trust of your prospects.
