5 Simple Steps To Sending GDPR-Compliant B2B Cold Emails

Contrary to popular belief, it is still legal and effective to send businesses sales emails now that the GDPR is enforceable. This article dispels the myths around cold emailing under the new regulations and gives you some simple, actionable tips to ensure your campaigns stay compliant.

First off, I am sure you have seen a few definitions of what the GDPR is and what it means so I will keep this brief. The General Data Protection Regulation is a legal regulation issued by the Council of the European Union and The European Parliament. Its main purpose is to protect the personal data of EU citizens.

The GDPR is not about cold emailing. It is not about businesses. It is about personal data protection.

However, sending business emails does mean processing personal data so there are some key things you need to keep in mind when emailing in a post-GDPR environment.

Here are the key points I’ll be running through:

  • Step One: Ensure Your Prospecting Is Targeted and Appropriate
  • Step Two: Explain Legitimate Interest In Your Email Copy
  • Step Three: Make It Quick And Easy To Unsubscribe or Opt-Out
  • Step Four: Regularly Cleanse And Maintain Your Database
  • Step Five: Prepare An Informative Reply For GDPR Complaints And Questions

Read more about Taskeater’s preparations for the GDPR: How Taskeater is Preparing For GDPR

Why is it OK to email businesses after GDPR?

First off, I am going to briefly deal with this question as I know that anyone who has experienced the onslaught of GDPR articles and emails from B2C companies will be confused about this point.

The GDPR protects individuals, NOT businesses.

The EU even declares: “The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.”

The ePrivacy Regulation specifically leaves it up to the individual countries within the EU to decide whether ‘unsolicited commercial communications’ (a.k.a. B2B cold email campaigns) should be opt-in or opt-out.

In the UK we have opted to follow PECR (the Privacy and Electronic Communications Regulations of 2003) which means that business to business communications do not require opt-in consent.

For more information about this, read the Information Commissioner’s published guidelines on cold B2B marketing outreach or, for something shorter, my recent article: Why GDPR Doesn’t Mean We Are Going To Stop Contacting Businesses

Step One: Ensure Your Prospecting Is Targeted and Appropriate

Lead generation and prospecting are essentially sourcing personal data to use in sales campaigns.

Despite protecting personal data, the GDPR doesn’t stop people prospecting or collecting leads; it simply demands a greater level of care and accuracy from lead generators.

Under the GDPR, the personal data you collect should be adequate and relevant to the purpose of its processing (Principle c: Data Minimisation). That means you have to consider two key things: the adequacy of your data collection (how much data do you really need for what you are going to achieve) and the relevancy of your data collection (is the data you are collecting the right data for your purposes).

Ensuring Adequacy: Collect Only What You Need

You should only collect data that is strictly necessary to you as data administrator or data processor.

A simple way to ensure you do this: don’t ask for data if you don’t plan on using it. There is no concept of ‘for safekeeping’ or ‘just in case’ in GDPR-compliant marketing. Only take a phone number if you plan to call your prospect. Only take their home address if you plan to send them something in the post. Simple.

Ensuring Relevance: Collect Only What Is Relevant

An easy test for whether the leads you are collecting are relevant is simply: would the prospect be surprised to hear from you?

If your targeting is accurate, no prospect should ever wonder why you’ve emailed. It should be obvious based on what you do and what they do.

Ensure you are extremely precise in choosing who your ideal prospects are and who your segments are, and tailor your copy and campaigns to those prospects and their pain points.

As professional lead generators, we routinely help set the target criteria for our clients’ prospecting activities.

Here are a few simple qualifiers to work with:

  • Geographical location: where are the prospects you want to speak to? Where will your service or product be most relevant?
  • Target industries: who do you already work with? Which of your clients are most profitable/find your service most useful? Who have you spoken to who has a use for your service? What experts can you consult to evaluate industry need?
  • Company size: are the companies you are approaching large enough or small enough to require your service? How many employees do they have? What is their annual revenue?
  • Titles: are you contacting the right person from your chosen company? Are they senior enough to make a decision? Are they in a department with a use for your product or service?

A quick word about bought lists…

It is your responsibility to ensure any lists you buy are fully compliant under the new regulations.

As a supplier of email lists and leads for countries across Europe, Taskeater has taken steps to ensure total compliance.

How do we do this? We build and verify lists for ourselves and for our clients from scratch according to very specific targeting criteria, from publicly available sources.

Building the lists ourselves with target criteria in mind means we can ensure the adequacy and relevance of the data collected, and that we can keep detailed records of our lead generation process.

Whether you are buying data or collecting it yourself, you should always keep (or ask for) a record of how and why you have collected and processed data. This way you have an accurate response to “where did you get my email address from?” and can also provide some context for your legitimate interest.

Step Two: Explain Your Legitimate Interest In Your Email Copy

With effective targeting your reasons for contacting a prospect should be self-evident, but always follow through in your email copy and explain exactly why your offering is relevant and why you are reaching out.

You need to immediately cut to why you think your recipient is a relevant person for you to be contacting and how you have then processed their data to make contact.

Using the Legitimate Interest basis correctly

Legitimate interest is one of the 6 lawful bases of processing data under the GDPR and covers business interests. The ICO describe it as the most appropriate basis when “the processing is not required by law but is of a clear benefit to you or others”.

However, the legitimate interest basis is NOT a catchall excuse you can use to cover anything in the realm of business. A process needs to be followed to ensure you remain compliant with the GDPR.

Using legitimate interest as a lawful reason for processing data is only legal if your interest outweighs an individual’s right to privacy.

As Article 6, Clause 1 in the GDPR Legislative Acts states, legitimate interest is only legal if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Unlike the other legal bases, your basis for processing data can be contested. Whether your interest overrides the right to privacy is fundamentally open to debate.

This is another reason for the importance of keeping lead generation records. As the ICO outlines, “The onus is also on you to ensure — and demonstrate — that your interests are balanced with the individual.” It is key you are aware of the full context and logic behind your use of legitimate interest.

Now you could make the point that the company will have an obvious interest in your business BUT when using that line of reasoning you must ensure that your offering relates to a specific business activity declared in the company statute.

For example, an email automation company needs to protect its users and the data it is automating, so the provider of an email server security solution does have a legitimate interest in contacting it.

However, if we were to approach a company like Deliveroo with our sales process automation solution, our service does not explicitly relate to their company statute, despite them having a sales team.

In these cases take the time to do some background research into your prospect and provide some context in your email copy.

Here are a few examples of reasons for Legitimate Interest:

  • Look up the company’s LinkedIn profile or website and check to see if your offering would support their goals
  • Check for recent investment or funding if your offering supports growth
  • Check to see if any of your past clients are in a similar industry or have a similar offering
  • Look for referrals or inside information from your network
  • Check to see if the company is expanding into a relevant area for your service, or expanding generally if your offering supports growth
  • Check to see if the contact has asked for any information or has begun a search for a service or product you provide

How to include Legitimate Interest in your email copy

There are a few ways to do this. Woodpecker, in their excellent guide to GDPR preparation, suggests including a disclaimer that informs the recipient of your email that their data has been processed.

This should include three key pieces of information:

  • a statement informing the recipient how you have processed their data;
  • a short explanation of why you are processing it;
  • instructions the recipient can follow to change the data you process or request removal of their data from your list.

Here is a quick example based on what we would include in our email campaigns:

“I have chosen to contact you because based on [company name]’s LinkedIn profile I have strong reasons to assume that you can benefit from the information I am sharing. I have processed your name and email address solely for the purposes of sending this message to you. If you want me to change the data I used to contact you or remove your data from my list, just reply ‘No thanks’ and I’ll remove you from our database.”

However, if you are worried about spooking prospects with a disclaimer, you can also simply ensure that you integrate the above three points into the copy of your email.

Open with something that clearly explains how you have sourced their data and why you believe it to be relevant. For example:

“Hi Patrick, I found your profile on LinkedIn as I was looking to build up my network of influential leaders in sales and after some research into [company name] I thought our service might be of interest.”

Then ensure that the opt-out mechanism is clear and visible at the bottom of your email.

Step Three: Make It Quick And Easy To Unsubscribe or Opt-Out

As someone sending cold email campaigns, you need to inform your recipients how to exercise their right to erasure and their right to restriction.

In layman’s terms — you need to give people a clear way to opt-out.

An ‘unsubscribe link’ at the bottom of your email is the easiest way to automate that process and ensure compliance across your lists. Any outreach program or software today will have an automated unsubscribe feature as a basic part of the service.

However an unsubscribe link is only one of the suggested ways of opting out. In gov.uk’s official Marketing & Advertising guidelines, they say: “You must make it easy to opt-out — for example by sending a ‘STOP’ text to a short number, or using an ‘unsubscribe’ link.” Although they have cited the ‘unsubscribe’ link, they by no means say this is the only way of doing things.

We opt to simply write in our email footer that any of our campaign recipients are free to reply and say they aren’t interested, in which case we will remove them from our database and mailing list. If this method works better with the way you run your database and the automation software you use, it is a completely justifiable opt-out.

Here is an example of an email footer we’d use:

“If you aren’t interested and don’t want to hear from me again, just reply ‘No thanks’ and I’ll remove you from my list.”

The most important aspect of the opt out is that it is clear, easy to follow, and enforced on your end.

That means that as soon as someone has asked you to delete their data, you should delete their data. Create a list (a suppression list) of all the companies and individuals who have asked to be removed from your database, then ensure that you and your team members do not contact them again. Find a process that works for you and then strictly keep to it.

Step Four: Regularly Cleanse And Maintain Your Database

Beyond simply removing people who have opted out or unsubscribed, the GDPR also means that you shouldn’t be holding onto leads for months on end or keeping inaccurate contact information.

You must cleanse your CRM database regularly of inactive or unresponsive leads, check that your contact records are fully up-to-date, and appropriately label and tag your data to record how you have collected and processed personal data.

For further information about what CRM cleansing is and whether you need it have a read of these articles we have published over the last month:

Or for a more comprehensive guide to CRM maintenance, you can download our ebook — How To Deal With CRM Data Erosion

If you are worried about having the time to perform CRM cleansing, outsource it. This is not something you want to take chances with. Taskeater offers CRM cleansing and data discovery services to B2B companies of all sizes. We also remove leads you no longer need and replace them with active contacts with accurate contact details — which is a key part of the service to provide. Look for lead replacement if you are talking to another service provider. You can talk to someone about our service here.

If you plan to share personal data you must inform the data owner.

The individual’s right to privacy and confidentiality means that any personal data you collect is not yours to manage freely. You must clearly notify data owners that you intend to share their data or process their data if that is your intention.

For example, if you collaborate on a piece of content with another company, you need to inform anyone who subscribes of your intention to share the subscription list with your partner.

You should also openly inform any of your users, customers or people who have subscribed to your newsletter where their personal data is actually stored. If you have servers in other countries you must openly state this in your Privacy Policy or on your website.

If you are storing personal data you must take the necessary precautions to keep it safe.

So far, before May the 25th, the big fines have gone to companies who have failed to prevent data breaches and delayed informing the data owners of breaches. Both TalkTalk and Carphone Warehouse received 400k fines for this particular offence.

Data security is a key aspect of the GDPR and needs to be a focus for you if you are storing personal data.

A few key points about data security:

  • Ensure that the software and systems you are using have taken steps to become fully GDPR compliant. It is your responsibility to use GDPR compliant data processors. Most CRM systems such as Hubspot, Marketo and Pipedrive are GDPR compliant and have taken steps to ensure your data security.
  • Regulate who has access to data at your company and keep records of levels of clearance. This way you have documents to present if questioned.
  • If you are data processors, as we are, take steps to keep your processes and systems secure. We use physical access controls, system access controls, data access controls, transmission controls, input controls, data backups, and data segregation to better protect our data. Read more here.
  • Anonymise, encrypt or pseudonymise data where possible as an extra precaution.

Step Five: Prepare An Informative Reply For GDPR Complaints And Questions

Finally, expect some pushback from your prospects. There is a lot of misinformation about the GDPR and what it means for sales and marketing strategies going forward. Some people are going to be angry you emailed.

Of course, if your targeting is accurate and your copy is respectful and informative, your offer may carry you through. However, in a few cases prospects will lash out. Cold emails are still cold emails, regardless of how relevant they are.

Here are a few questions you might get asked and what to cover in your answer. Any response can include a combination of these three main points.

“What right do you have to email me?”

This is completely within a prospect’s rights to ask, even if the email address in question is corporate. The fact their name is written out within the email address makes it personal. This article by GDPR consultant Mark Gracey explains that a little more — When B2B data is personal data and what that means with the GDPR

Your legitimate interest needs context. If your service does not specifically relate to the company’s statute, explain the reasons you thought them a relevant person to contact.

By keeping detailed records of your lead generation process, you will be able to give a detailed answer about how and why you sourced a person’s data.

If your service does not specifically relate to the company’s statute, explain the reasons you thought them a relevant person to contact. A new company project? Their website? Their LinkedIn profile? An article they have recently shared?

If you are emailing people at scale, take care in researching the companies you are contacting. Is there something on their website or in the press which gives you particular reason to email them? Have you been helpful to other companies in this industry? There are more general answers that do not require a deep dive into someone’s LinkedIn likes.

If you have used past customers to build out your target criteria (a typical customer profile), a response you can use across your campaign is:

“We have collected and processed your data on the basis of legitimate interest. Given how beneficial our [product/service] has been for [company profile/prospect profile]s in the past, I believed our offering to be of benefit to you.”

Here is an example of an answer one of our reps might use:

“I was researching [company name] as I thought our services might be of interest given success we have seen for FinTech solutions in the past and after finding your public profile on LinkedIn I believed you to be the most relevant person to contact regarding our services. I then guessed your email address and ran it through a verification tool we use to build lists for all our clients.”

“Where did you source my details from?”

Explain where you found their data, why you thought they were appropriate to contact and why you thought they’d be interested in your offering.

Again, if you keep detailed lead generation records, or ask for these from your suppliers, then you have a detailed response to this question.

If you are using Taskeater for list building, check with your account manager what sourcing process we are using. For example, if we are using LinkedIn to source your leads, a good response to the prospect would be:

“We are using a third party prospecting service (www.taskeater.com) and they found your profile on LinkedIn as you fit our typical customer profile. They then guessed your email using publicly available information and ran it through a verification tool.”

“What information do you have on me?”

The GDPR enforces your prospects’ right to be informed and right of access (subject request), which means if asked you must provide the information you have collected and how it has been processed.

At Taskeater, we collect minimal prospect information all of which is exclusively B2B and publicly available. A good response for our process would be:

“Your name, email address, company name and job title are the only data that we hold. As per your rights, we will delete this from our database if you are not interested in our services or wish us to do so. Your data is not being held in any other database or being resold.”

Author: Dan Vanrenen

Managing Director of Taskeater and one of Taskeater’s former clients. He has 16 years of sales experience, two boys and loves rugby.


This story is published in The Startup, Medium’s largest entrepreneurship publication followed by 332,253+ people.
