Handling GDPR complaints from your cold outreach

Updated on March 8, 2023

Hearing about GDPR creeps you out every time? Then you must be working in sales!

With the implementation of the General Data Protection Regulation (GDPR), cold emailing and calling for sales have become a more complicated process. All businesses that handle personal data must comply with GDPR regulations so as to not face hefty fines or other penalties from the European Commission. In order to stick with GDPR best practices, sales reps need to stay up-to-date on the latest guidelines, policies, and procedures that come with the regulation. 

Here are several areas of particular importance they should pay attention to:

First, they need to make sure that all communication is relevant and useful to their target audiences. According to GDPR rules, businesses can only contact individuals if they have previously consented or have an existing business relationship in place. Second, they need to double-check that all contact information is accurate and up-to-date so as not to create any data privacy issues. Third, companies must ensure their bulk emails are sent using a secure connection for encrypted data transfers between servers. And so on…

Sounds like a lot, doesn't it? And we just got started.

In this article, we are going to give you some ideas on how you can handle GDPR complaints from cold outreach.

What data falls under GDPR?

GDPR affects companies worldwide selling anything to EU customers, and not following the guidelines can lead to fines. Making sure customers know your data processing procedures is crucial – try a cookie banner for clear communication! Adhering to GDPR doesn’t have to be a chore when you have a solid plan in place.

Keep your business and personal data separate so they don’t get mixed up – it’s essential!

The GDPR outlines the differences between natural persons, personal data processing, and data released within a business context. Here is a summary of the main distinctions.

Personal data & processing

  • Private email addresses (independent of where they were published or available)
  • Sensitive personal data (birthdays, sexual orientation, religious orientation, fingerprints, etc.)
  • Processing of data where there is no mutual connection of any kind (business or personal related)
  • Collected data of the subject is being processed or reserved without any reason

Business data & processing

  • Company data that is publicly available and open (business emails, company phone numbers, addresses, etc.)
  • Processing of data where there is a mutual connection of any kind (business or personal related)
  • Collected data of the subject is being processed or reserved with reasoning and can be traced (referral or prior given consent)

According to the GDPR, personal data refers to any information that can be used to identify an individual. This can include identifiers such as name, identification number, location data, or online identifier, and one or more factors specific to the individual.

Let’s review what type of data is subject to GDPR regulations and what can be used safely when conducting sales.

Data not affected by GDPR

  • Company name of a legal person
  • Business contact data – company general email and phone number
  • Business information – revenue, size, etc.
  • Anonymous data (collected from website entities)

Only used for identification

  • Full name of a person
  • Private email address
  • Private phone number
  • IP address
  • Phone dial extension (regional identification)

Problematic approach (used only with given consent)

  • Age and date of birth
  • Sexual orientation
  • Residential address
  • Bank and financial details

Sensitive (not used for any scoring)

  • Medical and health information
  • Religion, ethnicity, and political background
  • Biometric data

This paragraph of the GDPR looks at the legal repercussions associated with the processing of various categories of data. Let us consider its contents.

  • a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”
  • b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, …
  • f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This paragraph outlines three options to cover sales prospecting under the GDPR.

The first 2 are clear:

  • The subject has given explicit consent for their data to be processed
  • The subject is directly entering a contract with the data processor

And, data processing for legitimate interests is explained in the third statement.

Cold Emailing businesses upon legitimate interest

Legitimate interest is a legal principle that permits the pursuit of goals or interests necessary for the operation of businesses – such as gathering data, engaging in marketing activities, direct email allowances, and other opportunities.

So the legitimate interest can be used, to some extent, to reach out to ideal customers, current customers, and even once-was customers. It is the most convenient way to target people who are likely interested in what you have to offer, without infringing on any laws or regulations concerning sales outreach.

However, many people are not aware of the legitimate interest concept, and if your prospecting and target lists were not done right, you still risk complaints from people who received a ‘sales pitch’ from an ‘unknown’ brand through a cold email campaign without an unsubscribe link.

This is why you need to learn all about the approach, what to include in your cold email templates, and create your Ideal Customer Profile in the best way possible to avoid misunderstandings and reactions from potential customers, as long as you are sure that you are not processing any private, sensitive or crucial information.

Explaining Legitimate Interest in cold emails

If your prospect is still not responding positively to your cold email campaign, it may be necessary to provide further explanation.

An organization is able to utilize direct contact data that the data subject would expect. This aspect includes, but is not restricted to:

  • Use of client or employee data
  • Marketing
  • Fraud prevention
  • Intra-group transfers
  • IT security

Before utilizing the Legitimate Interest to send business-to-business cold emails, it is important to ensure that it is applicable. Prior to initiating a cold email campaign, it is recommended that you research your prospect’s profile. Check their company’s LinkedIn profile, website, and other sources prior to making contact. This can help you to determine if they may benefit from your product or service, as well as provide insight into any recent investments or funding that could potentially be supported by your offer. Gathering this information will lay the groundwork for an informed introduction.

To be GDPR compliant in cold emails, you should always be prepared to provide three key pieces of information when asked about legitimate interest:

  • A statement advising the recipient how you have processed their data.
  • A short explanation of why you are processing it.
  • Instructions that the receiver of your email can follow in order to change the data you process or request the removal of their data from your list with an unsubscribe link or other methods.

Cold calling under GDPR

The GDPR legislation provides Europeans with more control over their data, including the right to understand where a business obtained that data from, the ability to revoke consent, and the option to deny contact without explicit consent.

Cold callers must take note of the potential penalties associated with GDPR non-compliance, which are set at €20 million or 4 percent of global turnover.

Sales organizations may find it difficult to comply with GDPR due to its complexity. To assist sales managers and their representatives in this process, there are some tips they can follow on the way to GDPR-compliant cold calling.

There are several areas that need to be taken into consideration when checking the GDPR policies about cold calling:

  • Individuals that have agreed to their personal data being collected can be contacted
  • They must be aware/notified of how and when that data is collected
  • Requests to view the collected data must be made possible for each subject
  • Each subject has the right to request edits in the data set, or complete data removal
  • They should agree to be contacted by salespeople

Explaining legitimate interest in your cold calls

Companies may display contact information for various personnel on their website, which may indicate that it is acceptable to call the relevant person to discuss related sales topics.

It is important to note that a person’s business phone number is classified as personal data. If it is listed on a website or any other platform for the purpose of sales/marketing communications, caution should be exercised.

If the person asks where you got their number and says that you shouldn’t be calling them, it usually means that you have the wrong target for your legitimate interest.

On the other hand, if you’ve already warmed up the prospect, and they have interacted with you in any way, this is a good indication that this person will be aware of your actions and accept your call based on legitimate interest.

Handling GDPR complaints from your cold outreach

Now that we’ve learned everything about data under GDPR and possible reasons for complaints, let’s see what you need to prepare to handle them.

"Where did you find my email?"

This is always an expected and legitimate question. If you are working with a data provider, you should consult with them regarding the sources and privacy of their data. Do not just blindly buy email lists of B2B leads and start mass emailing or cold calling them. Your data provider should also have public information on the processing of the data in their privacy policies and other documentation. So, a possible answer to this question is:

"We are working with [Data Provider/own processed data/publicly available business data] to create our ideal customer profiles based on legitimate interest. Your email has popped up on the business profile of your company while researching more about [company] and since you are working in/with [industry/field of activity] we could be a good match for a collaboration."

“What rights do you have emailing me?”

The email address used is a corporate one; however, it will contain the name of an individual, thereby giving it a personal touch. Therefore, explaining your valid interests should be prioritized. If your product/service does not relate to your prospect, explain why you considered them a relevant person to contact.

Your answer could be based on information from their LinkedIn profile, website, or recent articles they have read.

A typical response could be:

“We have collected and processed your data on the basis of legitimate interest. Given how beneficial our [product/service] has been to [company profile/prospect profile] in the past, I believed our offer to be of benefit to you.”

“What information do you hold about me?”

The GDPR states that people must be informed of their personal data, and have the right to request any collected data about them. As mentioned previously, you must be ready to answer questions related to data processing.

A model answer might read:

“Your name, email address, company name, and job title are the only data that we hold. As per your rights, we will delete this from our database if you are not interested in our services or wish us to do so.”

"You don't have the right to contact me, I'm filing a lawsuit"

Yes, this also might land as a reply to your cold email campaigns or cold calling. However, don’t panic just yet. If you’ve done your homework and you have a good process in place, you shouldn’t have to go through the suing troubles.

According to GDPR Article 12, a party processing data must remove the data of the person requesting it within 30 days of the request, if the data subject requests it correctly with an appropriate GDPR ‘right to be forgotten’ template. You can explain to your prospect that:

"With your email, you have requested data removal from our database, which will be processed no longer than 30 days from your request, according to the GDPR regulations. Every piece of data connected to your profile will also be removed and you won't be contacted again from our end."

If you have an unsubscribe link, as you should, you can also point out that they can do a quick removal from your email list by unsubscribing.

Prepare for handling GDPR complaints

We can’t stop people from reacting and issuing GDPR complaints on cold outreach; it’s their right. However, we can prepare our sales reps and team to feel confident when handling GDPR complaints from cold outreach.

In order to prepare for GDPR complaints, it’s important that sales reps are aware of GDPR compliance and data protection best practices. This means being able to explain the purpose of using customer data, understanding what types of data can lawfully be sourced, as well as how it will be collected and used.

Additionally, reps should know their rights so they can respond effectively and confidently if a customer raises a complaint or shows concerns about their data privacy. Preparing the team in this way will ensure that all proper processes and procedures are followed to ensure GDPR requirements and expectations are met, while also helping sales reps feel equipped and confident when communicating with customers who have concerns about data privacy.

CMO at Sales.Rocks - Jana believes in an analytical approach to marketing and building up a story around it.