GDPR for sales: How to find new customers without breaking the law!

Post summary: 

  • There’s no escaping GDPR for sales teams. The way you prospect has changed, and sales techniques must fall in line with the General Data Protection Regulation – or you risk being fined.
  • For sales teams, the question is what is considered compliant with the new EU regulation and how can you find new prospects without breaking the law? We have the answers.
  • Along with our Data Protection Officer (DPO), we have reviewed 7 of the most common sales techniques and share how (and if) you can use them during the sales process under GDPR.

B2B sales is competitive by nature.

And given that 50% of all sales go to the first company to respond to a prospect, having an effective sales process in place is business critical.

Whether you pick up the phone to cold call prospects, meet potential customers while networking at events, or do something else entirely, proven strategies that quickly turn strangers into customers are considered the ‘holy grail’ in sales.

That’s because there’s a science to sales and once you master it, you can use multiple sales techniques to quickly reach sales quotas and collect that well-earned sales commission.

But, this has now changed.

The way you used to prospect has received a major update due to the EU data protection regulation known as GDPR – which came into effect in May 2018.

Failure to comply with GDPR can leave your company facing fines of up to €20 million or 4% of global turnover – whichever is greater.

For example, British Airways are facing fines of up to €200 million for a data breach that occurred in September 2018, while the hotel chain Marriott International are expected to be fined in the region of €99 million for a data breach between 2014 and 2018.

There’s no escaping it:

The EU’s biggest privacy update in more than two decades has now come into effect – and with 57% of B2B sales professionals not aware of what GDPR is (via Demand Gen Report) – now is the time to look at how GDPR has affected your sales team and how you can “legally” prospect under GDPR.

Sales reps not ready for GDPR

With that being said, let’s get started.

Will GDPR affect your sales team?

You might think that GDPR doesn’t apply to you, but for many sales reps, GDPR has represented a big shift in your day-to-day prospecting.

Ask yourself this:

  • Do you still rely on purchased leads to fill up your sales pipeline?
  • Do you automatically add business card contact data to your mailing list?
  • Do you ask existing customers for referrals and recommendations?

If you answered “yes” to any of the questions above, then GDPR has an impact on you and your organization.

Also, in case you think that the GDPR only impacts European businesses, you’d be wrong.

It doesn’t matter if your business is based in the EU or not – if the data you collect on at least one of your prospects belongs to an EU citizen then you’re liable to comply with GDPR.

GDPR for Sales

GDPR is the term used to describe a series of major updates to the EU data protection law that came into effect on May 25th, 2018.

In essence, GDPR provides citizens of the EU with greater control over their personal data and offers assurances that their information is secure, regardless of whether the data processing takes place in the EU or not.

For sales teams, personal data is at the heart of how they prospect for new business, and GDPR will change how you collect, store, and process it, and how long you can retain it.

What is personal data?

Well, it comes in a variety of forms and can include things like name, email, phone number, and interests – the kind of information that sales reps typically store in their CRM system about your prospects.

On a bigger scale, personal data also includes things like IP address, social media posts, bank details, and even medical information – so it’s important to make sure you’re handling all types of personal data appropriately.

How sales prospecting will change under GDPR

First you have the collecting and storing of the data and then, you have the processing.

Let’s take a closer look at how this has changed under GDPR.

Collecting the data and seeking permission from the individual

GDPR revolves around correctly seeking permission to collect, store and use personal data.

The most typical way to seek permission is through a web form – including a link to a privacy statement – or in a follow-up email.

Under GDPR, individuals have the right to be informed about what data you collect, why you are collecting it and how you intend to use it.

But, that’s not all.

Individuals also have the right to be informed about the purposes of processing their data and the period for which their personal data will be stored (you can read more about the individual’s rights under Article 13 and Article 14).

So, if you haven’t obtained their consent at the time you have collected their personal data, you must inform them – within 30 days of obtaining the data – that you have done so and the purpose for why you are keeping their personal data in your system.

Consent notification email

If the person replies to a message like this and requests that you delete their data, you have to comply with that request and remove them from your CRM database. Or, at the very minimum, keep as little information as possible to ensure no future contact will be made.

Although, this is easier said than done.

In some cases, you may be legally required to store their data, even if they request that you remove it. If this happens, your Data Protection Officer (DPO) will need to inform the person that you are required to keep their data stored and the reasons for doing so.

However, if you don’t hear back after making a fair and reasonable effort to contact them, then you can assume that storing their data isn’t a problem – providing you have a legitimate interest.

Just make sure you do not send any marketing messages (unless they have opted in) and that you keep a record of the consent, in order to remain GDPR compliant.

Processing the data

Once you’ve sought permission to store the data you have on a prospect, the next step is to use it to help you in your quest for new sales. However, you have to be careful, because GDPR restricts the way you can process (or use) this data.

When you collect information from a prospect, they are usually added to a variety of sales and marketing activities.

For example, if someone:

  • downloads a white paper, you later send them an email with a webinar invitation.
  • requests more information on your pricing packages, you add them to your lead nurturing email list.
  • calls up your business to ask for a free trial, you send them a series of onboarding emails.

If you’re still doing this, then you need to stop it – or you risk being fined.

When you collect personal data such as an email address, not only do you need to inform the individual that you have stored it, but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.

Simply put:

You cannot assume that you have permission to send mass email campaigns just because you have their email address.

One way to handle this is to allow prospects to manage their email subscriptions, using a subscription management tool.

Subscription management settings in line with GDPR compliance

However, before you can begin to think about storing and processing personal data, you first need to find it – so let’s look at how you can prospect under GDPR.

7 ways to prospect under GDPR

For many companies, GDPR means sales teams need to make some changes to their sales techniques to stay compliant. Here are 7 sales prospecting techniques that you should consider adopting now that the new regulation has come into effect.

1. Sales outreach

If you’ve been sending out cold prospecting emails and sales pitches on auto-pilot lately, then you’re going to have to stop.

Immediately.

With GDPR, you cannot send automated sales emails to prospects without getting their permission first. This includes product demo, quick catch up and “just reaching out” emails, or any other form of communication that your prospects didn’t ask to receive.

If you’ve never had contact with a prospect before, you should demonstrate in the sales outreach email that you have tried to contact them by phone prior to emailing them.

In the example below, it’s clear that no attempt has been made to reach out to me by phone, and the email therefore falls under direct marketing communications.

Cold sales email example

If you’re going to send out these kinds of outreach emails in a post-GDPR world, then you need to have been granted consent by the prospect first. Without it, you’re failing to comply.

That being said, you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients (if it includes an unsubscribe link, it’s most likely automated), and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).

So, good news to sales and marketing teams that have implemented account-based marketing campaigns.

2. Social selling

Social selling is a new term to many sales reps.

Yet, only 1 in 4 sales reps actually use social selling.

For those that do use it, it’s fast becoming a popular way to prospect!

The good news is that GDPR doesn’t prevent you from finding and connecting with potential customers on social media networks. Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

If you use LinkedIn or any other social network for businesses, here’s a handy template to copy and paste each time you send out a connection request to get the conversation started.

LinkedIn connection request template

Once these contacts have accepted your connection request, you can reach out and message them with the aim to gain consent to nurture and sell to them.

Bear in mind that the principle of providing value before asking for something still holds in the social media world. Spamming your social media contacts will not provide any better results than if you were spamming prospects in any other channel.

If the conversation shifts outside of social media, you will need to establish that there is a legitimate interest in contacting them by email or by phone. The best way to do this is to gain their consent. However, consent to contact them cannot be treated as consent to send them mass marketing campaigns!

3. Purchased lead lists

Purchased lead lists can often be a great way to fill up the sales pipeline – either when there’s a drought or to complement your existing prospecting work.

But, since May 25th, this has changed.

If you acquire leads that contain personal data from third-party ‘lead generators’, then not only do they need to have consent to share that information with you, but you will also be required to get specific consent to use the email addresses on the list – unless they have given their consent to be approached by associated partners (i.e. said “yes” to their data being transferred to third parties).

In this case, you can contact them.

However, you must document proof of their consent from the third party you purchased the list from, and you will also need to allow people to unsubscribe from your email campaigns.

This GDPR-related change affects existing purchased leads, too. If you already have purchased leads in your mailing list – but you haven’t contacted them yet – then you will need to document their consent from the third-party vendor before you send marketing messages.

4. Cold calling

Cold calling is one of the most effective ways to build new relationships with potential customers.

But, is cold calling allowed under GDPR?

The good news is that cold calling doesn’t come under the same regulation as the GDPR and is being given a new lease of life as a result, which is good news to cold calling experts!

At this stage, it is worth repeating that each time you add a new prospect to your CRM database, you’ll need to get their consent before you can start sending them promotional offers.

So, while you are on the call with the prospect, just ask them if they would like to receive newsletters. If they say yes, you can send them a link to a “manage my subscriptions” page where they can opt-in to specific news, content and updates.

The challenge with cold calling is that it can be difficult to document their consent, unless you record a call with a prospect. To overcome this, you can follow up the call with an email that sums up everything you have discussed.

In this email, make sure you include:

  • The purpose of why you called them,
  • What was agreed during the call,
  • Why you are following up by email.

Here’s an example of what this email could look like.

Cold call follow up email template

Each time you send an email with this information, make sure you store it in your database under the prospect’s details. If the prospect responds and asks to be removed from your mailing list, then you have to comply with their request.

5. Networking

Networking at conferences and events is a great place to meet new customers.

A large part of networking includes the time-old tradition of exchanging business cards. In the past, this meant taking the contact information on a business card, such as name, company and email address and storing it in your CRM system.

While you can continue to exchange and store business card information, you cannot use their email address for marketing purposes, unless you have their consent and they have opted-in to receive marketing emails.

But, all is not lost.

You can still send one-to-one emails and follow up with prospects that have given you their business card since a legitimate interest has been established. So, don’t give up on networking just yet!

6. References

One of the most successful ways to find new customers is to ask your existing customers for referrals or recommendations to people they know who might be interested in your product or service. Today, you can simply pick up the phone and give new prospects referred to you by existing customers a call or send them an email.

Under GDPR, you can continue to call and email prospects based on recommendations from existing customers.

One of the best ways to reach new prospects through referrals is to ask your existing customer to introduce the both of you and tell them why he/she is doing it. Plus, using email means that the introduction is digitally recorded.

Of course, not every customer will be willing to write an email for your benefit.

To help you with this, here’s a sales email template that your customers can send to introduce you.

Introduction email template for reference customers

7. Website

Websites are a great place to capture new leads.

If you’re using a web form to capture contact information, then now is the time to review the type of information you collect as GDPR requires you to legally justify the personal data you capture from website visitors.

What this means is that going forward, you can only ask for information you need, rather than information you would like to have. And while asking for the size of personal income and date of birth will help you identify and prioritize the leads you get, you need to make sure that you can prove why you’re asking for it.

Otherwise, if you can’t justify the extra information, then just concentrate on asking for name, company and business email address.

You also need to be clear and upfront about how you use their data and for what purpose, as well as giving them the opportunity to opt in or opt out accordingly (via a subscription management tool).

This means that just because they’ve entered their email address to sign up for a webinar, it doesn’t mean they are subscribing to every mailing list you have.

Prospects need to opt-in to receive email marketing campaigns, so be clear on how they can subscribe.

GDPR compliant forms on website

Conclusion

Since May 25 2018, sales prospecting has changed.

But, ultimately, it’s for the better.

Instead of trying to sell to new prospects that are not in the market to buy, GDPR forces you to focus on building relationships and selling to people that actually want to hear from you.  In doing so, you’re dealing with prospects that are much more engaged and ready to buy.

GDPR helps you focus on quality prospects over a quantity of prospects – so it should make your job easier in the long-term.

Remember, GDPR is not about restricting the way you prospect and generate new business. In fact, by complying with GDPR, you and your sales team will quickly meet your sales KPIs, generate better quality leads, reach more engaged prospects and ultimately, win higher close rates.

Disclaimer: The content in this blog post (including all responses to comments) is not to be considered legal advice and should be used for information purposes only.

About Steven MacDonald

Steven MacDonald is a digital marketer based in Tallinn, Estonia. Since working with SuperOffice, he has led the growth of the blog from 0 to 2.5 million visitors per year. You can connect with Steven on LinkedIn and Twitter.

145 Comments

Sian

about 2 years ago

Can you clarify the bit on cold calling? I understood that consent also applied to telephone calls, i.e. you had to have specific consent to contact an individual. I am confused to read that cold calling doesn't fall under the same GDPR compliance.

Steven MacDonald

about 2 years ago

Hi Sian, thanks for commenting! You do not have to get consent to contact an individual. But, you will have to inform the individual that you have stored their data within 30 days of obtaining it, and explain why you have stored it. Thus, if they respond to you and ask you to remove their data, you should do so.

Sylvester

about 1 year ago

I understand the client has to opt-in before you can pitch them in a cold call. Can you help as to how such an opt-in statement at the beginning of the call should look like?

Steven MacDonald

about 1 year ago

Thanks for commenting Sylvester! I suggest asking for consent and opt-in after the call, rather than at the beginning. This way, you can build the relationship first and once you feel like things are going well, you can ask for permission.

Nick

about 1 year ago

Great explanation for sales teams. Thanks a lot!

Tom Newton

about 1 year ago

Well done, Steven! This is a must-read for any sales rep wanting to learn more about GDPR.

Jon Wick

about 1 year ago

Hi Steven, Where you say: “you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients (if it includes an unsubscribe link, it’s most likely automated), and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).” Does this mean a cold email can be sent only to one individual without prior consent? As long as it’s not part of a mass email campaign and there is legitimate interest. Thanks Jon

Steven MacDonald

about 1 year ago

Thanks, Jon. Yes, that is correct. You can still send cold emails to prospects without their consent, providing you have a legitimate interest and it is not part of a mass email campaign.

Giuseppe

about 1 year ago

Just one comment on cold telephone calls. In the midst of all this GDPR, we have all forgotten about TPS, Telephone Preference Service, which we should check the number is not registered first before calling, should we not?

Steven MacDonald

about 1 year ago

That's an excellent point, Giuseppe! You're right. Check the TPS first before making a cold call to a prospect.

Rebecca

about 1 year ago

Hi, I read this blog as an answer to the storing of sales information from customers that form part of an accounts management system. So I have an ecommerce business - what is still not clear here or anywhere else is what you must do if a customer says they wish to "be forgotten" but you need their sales data for accounting purposes? Customer X buys something online. Their details are stored in my accountancy software. They wish to be removed. How do I comply with this but not potentially lose all my accounting info, which in turn will lead to much bigger issues than the GDPR fines?!? If you have any advice that would be much appreciated!

Steven MacDonald

about 1 year ago

Hi Rebecca, great question! So, if you have a customer that asks you to remove them from your database, but you need to keep their data for accounting purposes, then you or your DPO need to inform the person that you are required to keep their data stored and also include the reasons for doing so.

Jon Wicks

about 1 year ago

That’s great. Thanks for your reply. Do I need a warning under bottom saying this was sent on grounds of legitimate interest then an opt out link and or link to data privacy policy? Or do I just need to say this is sent on grounds of legitimate interest. Also, is this just opinion from you or a fact? Sorry don’t mean to question your experience but if we do this then are we sure to comply.

Steven MacDonald

about 1 year ago

Thanks, Jon. I recommend including both a privacy policy and opt-out link in your cold emails (this is my opinion, and not a fact).

Michael Covington

about 1 year ago

I've been looking for an in-depth piece on GDPR and sales for a while now. Thank you!

Alex

about 1 year ago

Thanks for great article Steven But what about consent on a workplace while someone is performing on behalf of his/her employer? If I got email and full name from open sources like LinkedIn do I need consent still? I agree that there is still a need in transparency and respect but LinkedIn has its own invision to allow people to communicate.

Steven MacDonald

about 1 year ago

Hi Alex, thank you. Not sure I understand the question here. Can you please rephrase? You can store information that you obtain from LinkedIn. But, you cannot add these contacts to your mailing list.

Jon

about 1 year ago

Thanks. If the prospect doesn’t reply can we send one further say a week or two later to remind them of the initial prospect? If obviously no reply after that then no future contact. Also, if the person receives the email and then agrees to receiving updates. Do we need to gather any further info or just simply store what’s necessary? Best Jon

Steven MacDonald

about 1 year ago

Hi Jon! Yes, you can resend a second sales email and remind them. After that, you can then stop trying to contact them if they do not reply. As for the second question - yes, store the information of consent. That should be enough.

Gajanan Wankhede

about 1 year ago

I am a little confused with the cold calling regulation. We buy leads from a 3rd party leads provider and I am not sure whether he acquires consent before he sells the leads to us? Kindly advise.

Steven MacDonald

about 1 year ago

Thanks, Gajanan. I highly recommend you get confirmation of consent from your third party lead provider before you try to contact/ sell to these leads.

Alex

about 1 year ago

Hi Steven, Great article and very interesting. I have a few questions that I would appreciate your opinion on: 1. How do the new GDPR laws affect a leads list kept in a sales team? And also what information are we allowed / not allowed to keep? This could be keeping info before first point of contact as a means of prospecting. 2. On a first cold email if they reply and say they are not interested, do we have to remove their details from our CRM? As we keep information on why people say no and also which companies to not get in contact with. 3. On any cold email to a business, do you have to include an opt out? Although it is for a legitimate reason, not just marketing. Thank you, Alex

Steven MacDonald

about 1 year ago

Thanks, Alex! 1. You can still keep in contact with existing leads, unless they have opted out. 2. You can store their contact information, unless they request to be removed from your CRM. But, this in itself changes if you are required to keep their information by another law/ regulation. 3. Personally, I would always include an opt-out link, just to be sure.

Simon Munch

about 1 year ago

Hi Steven Thank you for this very interesting post. Like many others I am also a bit in doubt about how these rules work. 1: For how long can we store contact information on our customer? And do we need to inform them about this. If we have called a prospect, and the person does not want to buy from us, but neither says we can't contact them again. Is it okay if we keep the contact information for next year? 2: The border between personal info and business info is a bit unclear to us. We write notes on all conversations with customers and prospects. These conversations are typically about the customer's firm and their situation, but would it still be regarded as personal information if we have this information related to the person who said it? I really hope you can help us with this.

Steven MacDonald

about 1 year ago

Hi Simon, and thank you! Here are my comments based on your questions: 1. Yes, it is OK to keep their information. But, for how long is something you must decide. 2. Yes, I believe so. Any information you store that can identify a person is impacted by GDPR.

Sarah Taylor

about 1 year ago

Hi Simon We are an SME manufacturing business with about 800 customers on our database. About 30% are customers who have bought machines or spares over the years and what I call our 'regular' customers as we have known these from the days of old - some over 30 years. Can I still phone these customers for a general 'keep in contact' call or do I need their permission to do so? Can I send them a 'catch up' email if their receptionist says I can if they are not in the office or do I need them to 'opt in'? Sarah

Steven MacDonald

about 1 year ago

Hi Sarah, great question! If they're paying customers, you can continue to contact them - either by phone or email.

Jules Bandrow

about 1 year ago

There's no reason to be so upbeat about this. It will be great to see less spam, but this can go bad in many ways for businesses. One of the big concerns I have: often you only start with someone's email address for having registered to use your online service, but then a salesperson "processes" that into knowing the name and company of the user and then invites the user on LinkedIn and Skype and other social media to stay in contact. If someone objects to your suddenly knowing their name from their email address, your company is protected from having conducted a breach of the law because there was a legitimate interest in providing your contact information to the registrant of your service via social media. Knowing their name and contact information from their email address is simply a normal thing salespeople do. Or is that in breach of the law now?

Steven MacDonald

about 1 year ago

Great point, Jules! You can continue to contact prospects by email or by phone, but if they withdraw consent or ask you to remove their details, you have to honor their request.

Tina Enright

about 1 year ago

Steven, A brilliant article for sales reps, thank you so much!!! direct, and very informative and not vague like a lot of articles!! Well done!! One question, what if my sales rep has a prospect customer database he collected himself from research etc... what do we do with this as of the 26th May???

Steven MacDonald

about 1 year ago

Thanks for the kind words, Tina! Great question, have you initiated contact with these prospects yet? Have they been added to your mailing list?

Audrey Bedford

about 1 year ago

Steven. Thank you for an excellent article. You've answered a lot of questions. I have a question regarding contacts made whilst networking. Our normal practice is to add a new contact's details to our CRM from their business cards for example and then follow up with a call/email depending on what was initially discussed. Do we need to confirm consent, within 30 days, that we have collected and are storing their personal data on our CRM, regardless of whether or not we are going to request consent for automated marketing purposes?

Steven MacDonald

about 1 year ago

Thanks, Audrey! No, you won't need to confirm consent, unless you want to market to them. You can store as many contacts as you wish, but if you plan to send marketing emails to these contacts, then you need their permission.

Eren E

about 1 year ago

Hi Steven, I have 2 burning questions about GDPR and using LinkedIn. 1) If I send a request to someone and they accept, my understanding is that they have consented to sharing their personal information including email. If I want to then email them using the email provided in their LI profile, this should be ok and not breaking any GDPR rules? 2) My bigger question is whether I am in violation of GDPR if I do this on a broader scale, i.e. I do 500 intros a week and then send emails to each person who accepts my invite via an email campaign which most likely would be circa 20 people a week. If I delete the email addresses (which I have full access to via LI once they have accepted my invite) if I don't hear back from them after the email campaign, is this ok OR do I need to send individual emails? I am trying to understand whether I can send email campaigns that send emails individually every 30 seconds using an automated tool OR do I need to send individual personalised emails? Thanks!!

Steven MacDonald

about 1 year ago

Hi Eren, thanks for dropping by and leaving a comment. If you send out a connection request to someone on LinkedIn and they accept it, you can continue the dialogue with them on LinkedIn. It's here you can try to move the conversation over to email or phone, but you shouldn't assume that because they have accepted your request that you can now start sending them marketing emails. Hope this helps with your sales outreach.

John

about 1 year ago

We have an SaaS business and when someone signs up for a trial, we send him an automated series of onboarding emails with things like tips + tutorials. At the conclusion of the trial, we send a few more emails if they have not converted. You mentioned that it is no longer possible to send these onboarding emails. Are there any alternatives to this?

Steven MacDonald

about 1 year ago

Hi John, in your first email, where you include the username/ password/ account creation information, you can include a link to a self-service section on your website to help the free trial user learn more about the product and how to get started. Or, if you're a SuperOffice customer, you can send the "consent" email where new users can subscribe to onboarding material.

John

about 1 year ago

Thank you Steven! Just a follow up question: We are planning to do a double opt-in when someone signs up for a trial to activate the trial. Is it OK if we start the onboarding sequence once the confirmation link has been clicked? Basically the link activates the trial and puts them in the sequence (once clicked) and it will be clear that they are opting into the onboarding sequence. From my understanding, if we want to send them other marketing, we will need to send them to a page with checkboxes.

Reply

Steven MacDonald

about 1 year ago

Hi John. To be honest, I'm not sure the double opt-in makes any difference here, in terms of whether you can send them onboarding emails or not. Onboarding is a tricky area. It's not strictly marketing material (more likely classed as training material), but the free trial user is not a customer either. If you're 100% sure you will send onboarding emails out to new free trial sign ups, I recommend getting something in writing from a lawyer, just to be sure. And please share any new knowledge you gain here. I would really appreciate it.

Reply

Paul Faulkner

about 1 year ago

Hello everyone, How I have worked up until now is I make contact with a target company and either speak directly to the person I want to speak with (e.g. the Office Manager) and then either get blown out or get a name / email address and seek permission to keep in touch with an occasional call and reminder email OR if said Office Manager is not around / available, try to get his (or her) name and an email address and then send an email to introduce me and what I do... and again then go on to make periodic (usually around once a quarter) follow-up calls on a keep in touch basis either way. I *only* ever send one email at a time after a call (whether I've directly spoken that time with the right person or not [perhaps the Office Manager is out at lunch], in which case I send a "I called earlier but missed you" type email). I cannot emphasise enough that it is only ever one email at a time after each call. I don't send multiple individuals emails from a list on autopilot at all. Only ever where I've made a call and then sent my name / co-name and contact details. Am I still allowed to do this? Entirely (i.e. nothing need change), not at all (i.e. stop completely) or partially? If so, what parts do I need to stop or take special care with?? Every "support email" I've sent for the last 3 years or so in the way I've described has a "click here to be removed / not contacted again" opt out box and when someone sends me such an email back (which they do from time to time) I always acknowledge their email AFTER I have marked my CRM with "do not call again". I have never ever had a complaint (though of course, I have had the odd "I'm / we're not interested" [the whole reason for having the opt out box]). Right now I do not have a link to my 'privacy policy' but on reading through this I think I will update my support emails to add this anyway. So - can I continue exactly as I am? Mostly but not entirely? Stop sending emails completely?
I will add that when I ask for an email address, it's fairly obvious that I want to send an email and I always ask whether I can keep in touch (during the call) - but of course I cannot do this where I get an answerphone, for example. I have to say that this is the most draconian, difficult to understand mess imaginable - but the law is the law and I will obey it because I don't want the fines! Please help me understand it. It affects how I earn a living.

Reply

Steven MacDonald

about 1 year ago

Hi Paul, great question and thank you for leaving a comment. I'm sure a lot of sales reps/ business owners are wondering the same thing! The good news is that your existing sales outreach seems perfectly fine - even under GDPR. You attempt to speak with the prospect by phone, send a follow up email that references the call you made and you manually follow up with each individual every few months. Plus, there's an option for the prospect to opt-out, so to me it seems as if you are covered here. Well done!

Reply

Annonymous

about 1 year ago

I am not sure if it depends per country, but in the UK that is not allowed under GDPR. This is how Honda and FlyBe got in £83,000 worth of fines. Steve Eckersley from the ICO advises that: "Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law." Even if the receptionist gives out an email address from the office manager, you cannot email that office manager without speaking to them and getting their consent on the phone.

Reply

Steven MacDonald

about 1 year ago

Thanks for leaving the comment, I appreciate your wish to remain anonymous. You're absolutely right! You cannot send re-permission emails to subscribers that have previously opted-out. That is marketing and that is why those companies (and others) were fined.

Reply

Natalie

about 1 year ago

Hi Steven, Interesting article, but I'm concerned that you're tracking me via Google Analytics without my explicit permission? How can I trust the validity of your posts when you yourself are not GDPR compliant?

Reply

Steven MacDonald

about 1 year ago

Hi Natalie. Thanks for leaving your comment and I appreciate your concern. We're tracking visitors anonymously through Google Analytics and we're not processing any personal data, so we cannot identify you and what you as a person do/ does on our website.

Reply

Natalie

about 1 year ago

Steven, Bit offended that you appear to have deleted my last comment? To add to my previous comments of Google Analytics tracking without consent; my understanding is that if you're using it for any sort of advertising, it needs my explicit permission... yet I have not given you permission and I can see that you are tracking me with a Google DoubleClick cookie... which is used for advertising =\

Reply

Steven MacDonald

about 1 year ago

Hi Natalie, your comment hasn't been deleted - all comments are modified. You can see your comment listed in this section.

Reply

Stephen

about 1 year ago

Hi there Steven, thanks for the detailed and informative article. After reading through all the comments and your replies to each there is just one grey area that I would like some clarification on. In replying to Paul Faulkner's post you mentioned that the process he was following seemed perfectly fine under GDPR. However the anonymous poster contradicted one of Paul's points stating that "Even if the receptionists gives out an email address from the office manager, you can not email that office manager without speaking to them and getting their consent on the phone". I just wanted to double check your thoughts on this. So if a call is made to an organisation and you are informed by a receptionist that Bob Jones is the best point of contact for your query but Bob is only contactable by email at bob.jones@example.com, are you ok under GDPR to send Bob Jones an email referencing your conversation with the reception team and then introducing your product to Bob, providing that you include a link to a privacy statement and an option to opt out of receiving any future correspondence?

Reply

Steven MacDonald

about 1 year ago

Hi Stephen, thanks for leaving a comment. To clarify, the comment made by the anonymous poster was referring to mass marketing emails, and not sales outreach emails. Honda and FlyBe were fined by the ICO because they sent out their re-permission emails to their entire mailing list, including those that had previously opted out. You can send individual emails to prospects if there is a legitimate interest, but you cannot call up a business, get Bob Jones' email address from the receptionist and then add Bob to your mailing list without his consent.

Reply

Terry Scott-Alexander

about 1 year ago

Thank goodness I have just retired!

Reply

Steven MacDonald

about 1 year ago

Congratulations, Terry! You have definitely chosen the right time to retire!

Reply

Ash

about 1 year ago

What is the definition of a legitimate interest? Does company A wanting to offer a SaaS to company B count as one?

Reply

Steven MacDonald

about 1 year ago

Great question, Ash. Here's how the official GDPR website defines a legitimate interest https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

Reply

Jon Wicks

about 1 year ago

Hi Steven Just a quick one; Would I need two privacy policies? One post someone opting in (as once they’ve opted in we then share their info with investment product providers with their consent) And then one pre someone opting in (as we never share their details unless they opt in) Or just one policy which explains the above? Thanks

Reply

Steven MacDonald

about 1 year ago

Hi Jon, in this case, I would recommend having two policies so you are extremely clear to the prospect that if they opt-in, their data will be shared.

Reply

Jack

about 1 year ago

Hi Steven, I use social selling on Facebook and Instagram. I currently message direct to pages on Facebook Messenger and people on Instagram with an offer for a free sample. Under the new law, is this ok?

Reply

Steven MacDonald

about 1 year ago

Hi Jack, I believe that as long as you do not include them in your mailing list and this approach to social selling is based on a one-to-one basis, then you should be fine.

Reply

Rob

about 1 year ago

Hi Steven. I'm a little confused about calling website registrations, e.g. if someone registers on our website with a phone number can we then call them up - does this count as a cold call and is it therefore allowed? Or is using this data for contact not permissible unless they have opted in? Thanks, Rob

Reply

Steven MacDonald

about 1 year ago

Hi Rob, yes, you are allowed to contact a prospect by phone if they leave their phone number. For example, if they fill out a price request form on your website and leave their phone number, but no email address, then you have no other choice than to contact them by phone.

Reply

Silas

about 1 year ago

I'm afraid I disagree with your suggestion that things will be ok / better. Sadly, the days of the internet being the saviour of the little guy are somewhat over with GDPR! Time was, a startup could get the message out by email. Now we're back to expensive sales people making telephone calls or manually writing individual emails. Or building inbound sales funnels (more expense) or buying advertising (more expense). Very sad. There was a brief period in which the internet tilted the balance, but the good old EU seems always to favour large businesses over startups! On a personal note, I *much* prefer receiving unsolicited email (that I can scan quickly whilst doing something else) than taking yet another intrusive phone call - and as an employer I can tell you that I don't like my staff's time being taken up with inbound calls! But never mind, too late to call foul on the good ol' GDPR :)

Reply

Steven MacDonald

about 1 year ago

Great comment, Silas. It's very important that someone like yourself voices your concerns under GDPR as I'm sure there are thousands/ millions of people who feel the same way you do.

Reply

Mike

about 1 year ago

Hi Steven and thanks for your work! I would like to address a few questions: 1. Is it a must to have opt-out functionality for personalized mails (not automated - mailing), which are sent to corporate prospect (representatives of other companies, not consumers)? 2. You can only store corporate prospects' contact details in your data-base, based on their consent? If so, why legitimate interests as a legal basis would not be sufficient? 3. If a corporate prospect shared his/her data on LinkedIn, why I cannot assume that I can send to him/her personalized marketing mail? The access was granted to the contact details belonging to him/her and therefore a statement, at the end of the mail body/at the footer, indicating the source of the information and the scope of processing should be enough. This is my understanding, could you please endorse?

Reply

Steven MacDonald

about 1 year ago

Thanks, Mike! Here are my recommendations based on your questions: 1. I would always include an opt-out in your emails, just in case. 2. You can store prospects without their consent. You just need to inform them if you plan to process (use) it. 3. If a prospect shares their email address with you and asks the conversation to move from social media to email, then that's fine. What you cannot do is connect with someone on LinkedIn, scrape their email address and then add them to your mailing list.

Reply

Petia

about 1 year ago

Hi Steven, thank you for the explanatory article. I am from the old-fashioned sales persons. I gather contact information from the websites of my prospective clients, which includes their e-mails, company name and address, and the most appropriate contact person. I keep their data in a plain Excel document and send them individual emails manually (on one-to-one basis, without using any automated system). Do I breach the law if I continue doing that in the same way, providing that I give them the opportunity to opt-out and a link to our data privacy politics? And another question. How should I get their consent or refusal without opt-in / opt-out automated system? Would it be enough to get their confirmation/rejection by email?

Reply

Steven MacDonald

about 1 year ago

Hi Petia, you are welcome. Glad you enjoyed the article. What you are doing is fine, but I recommend that you begin the conversation with a phone call, rather than an email. Make an attempt to speak with the prospect first by phone. If you cannot reach them, only then send an email.

Reply

Petia

about 1 year ago

Thank you for the reply. And what about my second question regarding getting their consent/refusal without automated opt-in/opt-out system?

Reply

Steven MacDonald

about 1 year ago

Sorry I missed that, Petia. Yes, a confirmation/ rejection email should be sufficient.

Reply

Gio

about 1 year ago

Hi Steven, I am a bit concerned when you mention that I can acquire personal data on the legitimate interest basis and keep e-mailing the prospect as well as saving the data, unless I have his/her request to stop contacting or deleting the data. 1. So does it mean that I can keep communicating unless I have a response from him/her even if it continues in the long term? 2. In this case what is the distinguishing factor between a marketing e-mail and this type of e-mail? I consider any e-mail as marketing which explicitly or implicitly has the selling or nurturing (again the end goal is to sell, right?) purpose as the end goal? 3. Also, why can I not use personal data for selling purposes, in case the third party provides me with the data without the consent, however on the legitimate interest basis? Don't you think that there is something common between this case and the one described by you in the "Collecting the data and seeking permission from the individual" section? Thank you

Reply

Steven MacDonald

about 1 year ago

Hi Gio, Thanks for stopping by. So, to answer your questions: 1. If you contact a prospect and they do not respond, you can make a second or even third attempt to reach them. But, they are most likely not interested if they don't respond by then, so it makes sense to remove them from your prospecting list. 2. The best way to differentiate between the two is this - If you send an email to more than one person then it's considered mass marketing. 3. Good question! To be honest, I wouldn't purchase third-party lead data unless you have their consent. If you do, then you can send them marketing emails. Without it, you can still target them, on a one-to-one basis, but it's an expensive way to prospect. But, if you have the budget, then why not?

Reply

Gio

about 1 year ago

Where is my question ? : ))

Reply

Steven MacDonald

about 1 year ago

Hi Gio! All comments are moderated. We receive over 100 comments per day, with 80% of them being spam, so each comment is manually approved by myself. I've just approved (and responded) to your comment now.

Reply

Clare

about 1 year ago

Hello Steven, Your article has been extremely helpful! Thank you! Please may I ask a quick question? The majority of our sales emails are not sent to a specific individual's email address, for example 'Tom@###', but a company's 'info@#####' type of email address. Therefore, as we do not email a specific 'individual', is it okay to email the 'info@###' without gaining consent first? Many thanks

Reply

Steven MacDonald

about 1 year ago

Hi Clare, thank you! I'm happy to hear you enjoyed the article. To answer your question - yes, it should be fine to continue to send sales outreach emails to a general company email address without gaining their consent.

Reply

Lucia

about 1 year ago

Hi Steven, great article! I also have a question! I have heard here and there that GDPR may cause an issue for the sales person contacting their customers via email. For example, an issue I had today - I requested some details about my car finance and possible plans for the future via email, and the response I got was 'you'll have to book an appointment due to GDPR we can't offer this over email' - is this really the case? If so should we be implementing that into our business? Surely, if a customer is requesting information and asking about possible sales in the future you are able to communicate back via email rather than making everything a face to face meeting? Thanks

Reply

Steven MacDonald

about 1 year ago

Hi Lucia, when it comes to communicating with customers, you should be fine to use email. For example, a software provider must inform their customers if an upgrade or downtime is planned on a specific date. If you have 100,000 customers, you cannot be expected to call each and every one of them. Therefore, you must use email.

Reply

Sam

about 1 year ago

Hi Steven, Great article, very helpful. I do have a quick question when it comes to cold calling: if you have sourced the details from LinkedIn such as a name and job title, is it still OK to cold-call that company and ask to speak to that person? Thanks

Reply

Steven MacDonald

about 1 year ago

Hi Sam, thanks for leaving a comment. Yes, if you find a prospect on LinkedIn, you can cold call their company and ask to speak with them.

Reply

KT

about 1 year ago

Hi Steven, found your article really helpful - thank you! I have a question about storing data. If a prospect does not opt in, or subsequently unsubscribes are we ok to store their details to ensure we don't re-add them to future prospecting activities? We have a sales team who check whether there is an existing record of a prospect on our CRM but unless we keep details of those who opt-out or have unsubscribed there is a danger we will contact them again in the future. Hope you can offer some guidance, I cannot find anything relating to storing unsubscribe lists on any GDPR websites!

Reply

Steven MacDonald

about 1 year ago

Hi KT, I'm happy that you enjoyed the article. Yes, if a prospect unsubscribes from your marketing messages, it is OK to store their details, unless they request to be removed (i.e. the right to be forgotten).

Reply

Mike

about 1 year ago

Hi. Great article and very informative! How does GDPR affect using land registry to prospect? As it is a public record is it still ok to prospect people directly knowing that they are the owner of a certain property? Can we still use the old fashioned letter and a stamp or is that outlawed?

Reply

Steven MacDonald

about 1 year ago

Great question, Mike. I recommend checking with a lawyer here as I'm not entirely sure if it falls under GDPR. I would assume it is OK to prospect by post, but it's worth double checking, just to be sure.

Reply

Sandhya

about 1 year ago

Excellent article, Steven. I wish I had seen it earlier!

Reply

Nicola Berry

about 1 year ago

Hi. In the process of building a new website and want to target new customers. Have obtained contact information/email via google/yell.com for 100 more potential customers. Once website is finished would like to invite these to subscribe. How do I do this? Thank you

Reply

Steven MacDonald

about 1 year ago

Hi Nicola, the big question here is - how did you obtain contact information? If they gave their consent to send marketing messages, then you can email them. If you found their information online and do not have their consent, then you need to contact each prospect individually by phone, before you use email.

Reply

Daria Bonne

about 1 year ago

Dear Steven, thank you for such a great overview. Well done! I have a question related to this topic. In case of obtaining personal data of end-users from the data controller in order to execute marketing campaigns via email/SMS, do I have the obligation as a data processor to verify in the first place where this data is coming from and if the data controller collected consent of end-users for receiving marketing? If I am not sure if the data controller obtained consent, in case of a complaint, would it be shared liability? Article 28 3 (h) GDPR stipulates: "With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions". Do you have any suggestion how to tackle this? Would it be enough to collect from the data controller a statement (extension of DPA), where it is stated that the responsibility is fully taken over by the data controller? I would very much appreciate any kind of feedback on this. Best wishes Daria

Reply

Steven MacDonald

about 1 year ago

Hi Daria, thank you! I'm really glad you liked it. To be honest, I don't have an answer to your question. Sorry about that. Is there anyone internally you can speak with?

Reply

Oscar

about 1 year ago

Hi, so when sending a one-on-one email (personalized to that individual) do I have to include an unsubscribe link?

Reply

Steven MacDonald

about 1 year ago

Great question, Oscar! I think you can still include an unsubscribe link when you send out one-on-one emails.

Reply

Wendel McClue

about 1 year ago

Hi Great Article Steven - but just my two cents - Why in the world are we adapting our online practices to those of a centralized government entity of Europeans? It's just I've been doing digital marketing for 17 years - and one thing is clear from my experience that European companies are in general way behind in all things digital -- and their consumers are as well - why in the world would we change our practices based on regulations they made - the less cutting edge, the less innovative, the more bureaucratic? We are the country that started all this, we have Facebook, Instagram, Google, Twitter, Pinterest, Ebay, Amazon, etc - and our society has the main early adopters to trends - it makes no sense. I love Europe, glad to live there, and love so much about them - but if USA is not a leader in cuisine with our "fast food" great I accept that fact, we simply are not, France certainly is better - but when it comes to digital, Europe is 'obtuse' in their thinking. Lastly - this law just majorly put European companies at a major disadvantage - new tech solutions will not be reaching out to them - Google reps, Facebook reps won't reach out to new European business - new business improvement solutions - they just put up a barrier to staying ahead of the curve - weird. Good for USA companies, less competition from European companies.

Reply

Steven MacDonald

about 1 year ago

You said it, Wendel. Thank you!

Reply

Ian

about 1 year ago

Hi Steven, Best site for GDPR questions. I prospect for customers looking at their websites. If it looks like our type of customer I look for an email address, whether it's a person or company address, and send a one-off email targeted at them. Is that OK and do I need an unsubscribe link? Normally if I don't get a reply I'll send another email in a couple of months or call them. I don't store a list of these companies.

Reply

Steven MacDonald

about 1 year ago

Hi Ian, and thank you! From what you're saying, it sounds like you are doing things the right way. I'd probably add an unsubscribe link to all my emails, just to be sure.

Reply

orlando

about 1 year ago

Hi Steven, Thanks for all your hard work surrounding GDPR. I am hoping to begin a digital marketing company. I will be contacting prospective clients (B2B) by email after searching for their details online. I will email offering our services. At the end of the email I will let them know that this is a 'one-off' email and they are welcome to have their information removed from my database. Is this ok? Or is this considered as direct marketing? Thanks for your help. All of this information is really confusing as I'm sure you can understand.

Reply

Steven MacDonald

about 1 year ago

Hi Orlando, thank you. I appreciate the kind words. A one-off email is fine, providing you do not send the same email to all prospective clients at the same time. Mass marketing emails without consent are not allowed under GDPR.

Reply

Katia - Italy

about 1 year ago

Hi Stevens, thanks for this very clear article (if GDPR can ever be clear in each and every single small aspect of the huge world of sales and marketing...). First, I'd like to reply to that guy who claimed about GDPR being issued by European Council: well the point here is that EU Consumers especially got fed up with the dozens of emails or calls received every day by any Company they buy something from - a wide-spread abuse of personal space, if we count the hours needed to clean the inbox or to avoid phone calls. Laws are implemented as soon as somebody abuses somebody else's freedom - this should always be kept in mind. As a consequence to all these mails and calls, have you ever thought what this does to market differentiation? Also in social media, we are encountering an information overload which does no good to marketing itself. Soon people will start leaving social media. Secondly, I wanted to ask you what you recommend as we (a sales and marketing services agency) are taking up the management of a B2B Company database with thousands (!) of leads whom we ignore whether they have ever confirmed their consent before GDPR. They should be soon invited to an exhibition the Company is taking part in, so time is really short and we should ask them for opting-in first (1-to-1?) and then invite them to the exhibition, if opt-in is obtained. Can you confirm that there is no other way? Thanks.

Reply

Steven MacDonald

about 1 year ago

Thanks, Katia! Great points! Has your company ever contacted these leads by email before? If so, then it should be OK. If not, then I recommend you obtain consent first.

Reply

Derek

about 1 year ago

Hi Steven, Great article! I found this while looking for re-assurance that we are doing things correctly in my team. My question is around purchased lists. Currently when we purchase a list of prospects (legitimate interest based on Industry, Location, Company Size and Job Title) it will have an email for the contact attached. Since GDPR we have felt we cannot email these contacts as we cannot display where we obtained their email address from, so we generally just call through reception and connect through LinkedIn. In the response below it suggests that you say it is ok to email these email addresses so long as it's not part of a mass email (which ours are not). Is this correct? Jon Wick about 4 months ago Hi Steven, Where you say: “you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients (if it includes an unsubscribe link, it’s most likely automated), and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).” Does this mean a cold email can be sent only to one individual without prior consent? As long as it’s not part of a mass email campaign and there is legitimate interest. Thanks Jon REPLY Steven MacDonald about 4 months ago Thanks, Jon. Yes, that is correct. You can still send cold emails to prospects without their consent, providing you have a legitimate interest and it is not part of a mass email campaign.

Reply

Steven MacDonald

about 1 year ago

Hi Derek, Thank you. Yes, you can contact purchased lead prospects by email, but the emails should only be sent on a one-to-one basis.

Reply

David Bennett

about 1 year ago

Hi Steven, I have found your articles interesting and very informative. As a company, we are embarking on a referral based marketing scheme - empowering our customers to bring in more new customers to our business. In your article, you said: 'Under GDPR, you can continue to call and email prospects based on recommendations from existing customers' So, does that mean that if one of our customers refers a third party to us who we have never spoken to but they know or have done business with, then we are free to make contact with them despite no obvious opt in or previous contact? Or do we have to send an email first? (You said this is one of the best ways - that doesn't mean the 'only' way!!) it is much more difficult to ask a customer to 'sell our services' as opposed to us contacting them based on contact information being given to us and then us calling them and pitching them directly. I'm sure you understand what I am saying!! How would you justify it based on GDPR? Thanks very much!! Kind regards David Bennett

Reply

Steven MacDonald

about 1 year ago

Hi David, Thank you! Yes, you are free to make contact with them as you have a legitimate interest. But, I recommend trying to reach them by phone first, before sending an email. As mentioned in previous comments, any email you send to prospects that you have no prior relationship with (i.e. have not gained consent) needs to be sent on a one-to-one basis. Hope this helps! Best, Steven

Reply

Sergio Onorato

about 1 year ago

Great article Steven, I have a question on LinkedIn: if I share a list of LinkedIn links (contact links), e.g. with a telemarketing company, to get them to cold call them, am I violating GDPR? Thanks Sergio

Reply

Steven MacDonald

about 1 year ago

Hi Sergio. It sounds like that is in violation of GDPR. I would check with your legal team before moving forward with this.

Reply

David Williams

about 1 year ago

Hi Steven, What about if I find prospective customers (individuals) via LinkedIn, that in my company's case would be IT Directors, CIOs, Head of IT Service etc, and I actually write to them via the Royal Mail Post. Are there certain things I need to say in the letter (apart from the IT service we deliver and they may be interested in), such as "please excuse this unsolicited letter", or "this is a one-off letter and we do not hold your personal information on our CRM system"? Just interested to understand how a physical letter in the post differs from an email or phone call. Thanks DW

Reply

Steven MacDonald

about 1 year ago

Hi David, thanks for commenting. You can include a note about not holding personal information, but it is not required.

Reply

Henry

about 12 months ago

Hi Steven, This is great. I have a question: my company is asking for consent on the sign up form. But our lawyer has told us that it will be ok to send product update emails even if they don't give us consent because it is on the legitimacy interest. Is this correct? Can we still send an email such as: 'We have 3 new wonderful features' or is this still marketing?

Reply

Steven MacDonald

about 12 months ago

Hi Henry, Glad you like it! If you send a product update email to existing customers, then you are fine. However, if this email is sent to prospects and you do not have consent, then in my opinion, it is not compliant under GDPR.

Reply

Darren

about 12 months ago

Hi Steven, I am looking to start a business next year. A question: can I build up a list / database of business names, postcodes and phone numbers from searching Google and am I able to store them to make contact with the business to sell a product or service? So I would be cold calling from the information I found on Google, Yell etc.

Reply

Steven MacDonald

about 12 months ago

Hi Darren, great question! Yes, it is possible to research company information online and then try to contact them by phone. Best of luck with your new business!

Reply

Alex

about 11 months ago

Great article, a lot clearer than most of the others I've read. Quick question. When you're "cold email prospecting", you'll often use the same email template/content (typically text-only) regardless of if you're doing one-to-one emails or bulk emailing – mainly to save time. This raises the question: How do the rules around GDPR differ between you sending out several one-to-one manually, with very similar content, versus doing the same thing through a service such as Mailchimp? Effectively you're doing the same thing for both methods. -Alex

Reply

Steven MacDonald

about 11 months ago

Hi Alex, thank you. Glad to hear that it's clear. Great question! It might be down to scale. One to one prospecting can be done manually to hundreds of potential buyers (providing there's a legitimate interest), but if you use an email service provider, then the number can be in the hundreds of thousands.

Reply

Michael Deacon

about 11 months ago

Hi Steven, assuming a customer has bought goods as advertised on a website, is it legal to send as part of a packing/delivery note a "Thank You" for buying comment, and also include further information about a different website which has the same and a further range of similar products advertised, and to include a discount code/voucher for the customer to use on a new order or re-order? Thanks, Mike

Reply

Steven MacDonald

about 11 months ago

Hi Mike, great question! Do you make it clear upfront, before someone purchases the goods, that their data will be transferred to a third party? And do you make it easy for them to opt out?

Reply

Michael Deacon

about 11 months ago

Hi Steven, I guess I have not really explained what we intend. No data of the customer is exchanged. Company A offers a service whereby it sells products purchased from third parties, we being one of these. Our product sold by Company A is packaged with a Packing Note as I have previously outlined, the different website I referred to previously is ours and not that of Company A. Company A sells and sends the product, invoices and collects the payment. The purchaser gets the product and information, on the Packing Note, about our website and an opportunity to re-order the goods along with other products we offer at a discounted rate. Furthermore in the Privacy Policy of Company A it states under ‘Using Personal Information’; We may use your personal information to: [send you marketing communications relating to our business or the businesses of carefully-selected third parties which we think may be of interest to you, by post or,…]. Is this still a GDPR issue?

Reply

Steven MacDonald

about 11 months ago

Hi Michael. Thanks for clarifying. It sounds quite specific, so I'm not sure I can help you here. Sorry about that.

Reply

Tracey Duckworth

about 10 months ago

Am I able to send email updates via Mailchimp to my existing customers? So if I have 200 existing customers, could I send updates to them via Mailchimp on a monthly basis? These may include product updates, offers or changes to the business.

Reply

Steven MacDonald

about 9 months ago

Hi Tracey! Yes, sending email campaigns to existing customers is absolutely fine.

Reply

Mauri Palma

about 9 months ago

Hi Steven, I read all the questions, great questions everyone. So my question is, what if a client referred somebody else? Like: "Hey Mauri Consultant, I sent your number to my friend, he stored it and he's going to call you, you provided such a reliable service next time" well in that case, that's fine! I need more work, I'm definitely NOT going to opt out of that! *but* SCENARIO 1: what if I go to a business event and I happen to run into a prospect, and I say, "hey, you used to work with so and so, and I still have your number from last time, can I call you?" -or should I say like: hey, I got your info in my database from WAYY back prior to GDPR, and now it just so happens that I'm emailing you on a one-by-one basis and not cold calling you because I saw that record on my CRM from 2015 SCENARIO 2: Can I mention another client's name? Like: "(at a business fair): Nice to meet you Miss MacDonald, yes I provided some services for your brother, in reply to your question, and yes, I'd be happy to work with you, my pleasure, here is my card" SCENARIO 3: "Hey Mr. Smith, you know, I worked with Steven a few months back, the server migration came out great! Can I offer you my services?" ****In this case, #1 nor Mr. Smith knows I obtained their info from something you (Steven) mentioned years ago, and #2 nor you know that I am verbally disclosing your name as a prior relationship... by the way this happens a lot in finance because financial institutions (FIs) want to be ahead of the curve and they want to know what the bank/credit union/insurance co. across the street is doing, so even amongst themselves, clients, they exchange info a lot. Thanks, best regards, Mauri, the "opt-in" on everything sales guy PS: if you opt out in "life" generally as a philosophy, you won't even know what you are missing out on, I can always discern and get rid of info I don't need, takes 1 millisecond, human brain is wired for that, BUT, for things I don't know?? Sign me up!

Reply

Steven MacDonald

about 9 months ago

Hi Mauri, thank you! If someone refers you, the best way to initially reach out to them is by phone. If you cannot get hold of them, but you have their email address, you can send an email. If you cannot reach them by email, then it's up to you to decide if you should follow up or decide to let the lead go. Any discussions you have in person can be followed up by email.

Reply

Balaji

about 9 months ago

Thanks Steven, quite an interesting article. I have a query - our company collects publicly available information (name, company, title, email ID) of leads (using LinkedIn, Jigsaw etc.) and delivers them to our clients, who use them to send marketing emails for their events. We collect these leads based on the criteria sent by our clients before the task commences. After collecting these leads we deliver them to the clients - we DO NOT SEND ANY EMAILS to these leads and also we do not retain the leads' info once delivered to our clients. All the emailing is done by our clients. We would like to know whether our process is against GDPR. Do we need to do anything in addition, like letting the leads know that we have collected their information and that we intend to use it for a particular purpose, or is it our client's responsibility?

Reply

Steven MacDonald

about 9 months ago

Hi Balaji. If you collect information that is freely available online and you do not use this information to send mass marketing emails, then you are OK. However, if your clients send out mass marketing emails using the lists you provide, then they are not in line with GDPR requirements. They need to get consent before they can send out email campaigns.

Reply

Roxanne Alexander

about 9 months ago

Thank you for this enlightening read. Most organizations are unaware that GDPR has a substantial impact on their business. Quality and relationship building are indeed efficiency increasing in the long run.

Reply

K. Proc

about 8 months ago

The company I work for has targets they have to reach on data capture. Lately the store I work for has been falling below this target, and due to this our managers have been telling us that if we don't get our data capture up, people below the target will be fired!! As of 2 weeks ago we were told that even if the customer says no, we HAVE to select yes to allowing their data to be used for advertising. I told my manager that that is unlawful, as you are telling people to break the law or get fired. He in response said that GDPR is a regulation, not a law, and I am wrong!!! Please can anyone clarify this for me, because I'm very certain I'm right and he is wrong. Many thanks

Reply

Steven MacDonald

about 8 months ago

I'm sorry to hear that, K. I suggest reaching out to a legal team to document this process. Best of luck!

Reply

Marc Flint

about 7 months ago

Hey Steven, thanks for the great article. One question: I have a lot of old contacts from earlier downloads of my many free ebooks. Since my Gmail account goes back to 2005, the opt-ins are still there. Can I write them all an eMail in the sense of "hey XY, a while ago, you downloaded YZ and agreed to receive eMails from me (a permission that I never really used, as you know), but this was long before the new EU Data Laws, and I have some really exciting news I'd like to share with you, so I would like to ask you if it's okay if we stay in contact. If so, please click this link to re-confirm your consent to receive marketing eMails from me. As a way of saying Thank You for this ongoing trust, you may download my latest eBook here for free: ..." Would that be okay? Or should I just forget the old leads despite their obvious (yet somewhat ancient) interest in my materials? Thank you for your thoughts on this. Keep up the great work!

Reply

Steven MacDonald

about 7 months ago

Hi Marc, thanks for the kind words. Glad you like the piece! I would slightly change the angle of the email, and simply ask people to continue to subscribe by clicking a link within the email. After that, then you can promote the eBook to your renewed list. Hope that helps!

Reply

Sunaina

about 7 months ago

Hi Steven, This is a helpful article. I would like to know more on how to communicate opt-outs to a purchaser of lists when the consent is with the third party. We have a yearly subscription for list that we base on consents collected from users. The data on the opted in users of our site is made accessible to the purchasers via CSV downloads. The users opt-out from our website, but as you can imagine those opt-outs at times are not integrated with the purchaser's CRM. I would like to know how to manage opt-outs when the lists are delivered via CSV files. Sunaina

Reply

Steven MacDonald

about 7 months ago

Great question, Sunaina! I suggest speaking with the third party to make sure that there is a clear integration that updates opt-outs in real time. Bottom line, if someone opts out, you cannot email them.

Reply

Jonathan

about 7 months ago

Hi Steven, as others have said, I found this a really helpful and coherent summary of best practice in this complicated space. Thank you! Can I follow up on a previous question from Alex a few months ago? He asked about the difference between sending out a volume (say a hundred) of one-to-one cold emails with tailored content, opt-out and obvious legitimate interest vs. churning out thousands of generic messages via Mailchimp or similar. Looking back at your response, I'm not 100% clear that you felt the first would be OK? Your insight would be appreciated. Many thanks, Jonathan

Reply

Steven MacDonald

about 7 months ago

Hi Jonathan, thank you! I appreciate that. Yes, the first one is OK. One to one emails based on legitimate interest are fine.

Reply

Paul Smith

about 6 months ago

Hi Steven, Thanks for the article, but I wanted some clarification about using LinkedIn. Let's say, I send a connection request and someone accepts i.e. a person that would be a potential customer of the services my company sells. I then send 2-3 emails to build rapport and share insight. In my final email I ask if they can talk, but often they don't respond. My question is, am I allowed to cold call them, even though they have not consented to receiving a cold call using LinkedIn. Kind regards, Paul

Reply

Steven MacDonald

about 6 months ago

Hi Paul, glad you liked it! In this case, cold calling is fine. In fact, to connect with them digitally, have a conversation and then try to reach them on the phone is a great way to do business in a post-GDPR world.

Reply

Michaela

about 6 months ago

Hi Steve. First of all, very useful information! Good job! My question is about reconnecting with Lost Leads and to what extent this is possible. For example, they were informed that their personal data would be deleted in a certain amount of time after their trial period's expiration date. However, in the CRM system, the communication with a representative from our company remains, and a lead's email is still visible for us. Having this in mind, am I allowed to use the email and send the lead a series of emails? Also, should the content of the communication be deleted along with the lead's personal data? Thank you!

Reply

Steven MacDonald

about 6 months ago

Hi Michaela, Thank you! In this case, I recommend you send a single, one-to-one email and not a series of emails.

Reply

Victoria Jefferies

about 6 months ago

Hi, just one quick question - if an individual's email address is public on an organisation's website, can I contact them to explore partnership working and share our services? Thanks

Reply

Steven MacDonald

about 6 months ago

Hi Victoria, yes - that's perfectly fine. So long as you do not automatically add them to your mailing list. When you contact them, you need to send a one-to-one email.

Reply

Marie

about 6 months ago

Hi, I found your article very helpful, as well as the comments above. However, I can't seem to find the answer to this: If you have customers who choose to opt out or unsubscribe, how can you make a list of people who chose to opt out? I assume you are not allowed to hold their details - how then can you make sure that you don't email them again? I know that in most cases it won't matter and you're unlikely to cross paths again. But, if it's a previous customer who has now said that they want to opt out, you may accidentally contact them again if you haven't stored them in an 'opt out' type list which isn't technically allowed?!

Reply

Steven MacDonald

about 6 months ago

Hi Marie! The way you handle customers under GDPR is different than prospects. For example, if a customer chooses to opt-out of marketing messages, but continues to purchase from you, then you need to keep their data stored in your system in order to register their purchase.

Reply

John Davies

about 5 months ago

Hi Steven, thank you for the excellent GDPR guide. With regards to ex-customers or clients from, say, 1-5 years previous, who no longer have an insurance policy with our company, is it permissible to contact / prospect them again for potential business?

Reply

Steven MacDonald

about 5 months ago

Hi John, thank you! Yes, you can contact them, but it has to be on a one-to-one basis and not through a mass marketing campaign. My advice would be to send a one-to-one email (or phone call) to the customers who recently stopped doing business with you. These customers will be most "top of mind" and are the most likely to re-engage with you.

Reply

Ger Stone

about 3 months ago

Hi Steven, thanks for the guide. Just a quick question about asking for consent over the phone. We don't cold call customers, but we do have customers who will call us to place orders over the phone. In this situation, do we still have to send them a follow-up email with a link to our signup form? Side note: We use a Mailchimp GDPR signup form, is this still OK? I've seen in different GDPR blogs that sending an email to a buying customer is OK once it's not automated? Is this true? So can we email buying customers to ask them to sign up to our newsletter and have a signup link in the newsletter? For how long after a purchase is someone considered a buying customer? Kind regards, Ger

Reply

Steven MacDonald

about 2 months ago

You're welcome, Ger! There's no need to follow up with an email to customers. This only applies to prospects. So, yes, you can send an email to customers with an invite to join your mailing list, providing they haven't already opted out.

Reply

Henri St-Pierre

about 2 months ago

Hi Steven. If I were to buy a list of emails from a 3P, could I send a one-off email to all of them at once asking if they consent to getting information from us (we would also have an unsubscribe)? Is this OK?

Reply

Steven MacDonald

about 2 months ago

Hi Henri, in this case, I'm not sure it's GDPR compliant. It would be different if you invited them to an event, for example, but sending emails to people who are not on your list and asking them to subscribe is a form of marketing. Unless, of course, the third party has gained consent from the list that they are open to receiving marketing communication.

Reply

John Novak

about 2 months ago

Hi Steven - I wanted to set up a local business directory, similar to Yell but much smaller. My aim would be then to add businesses to the directory, initially with a free listing. Could this be done without first contacting the businesses and gaining permission? Or would the best way be to first contact businesses and explain the aim of the directory, i.e. give them a free advertising channel, ask if their information is correct, and if they would like to be listed? I would also have a list of my services on the directory website, so it would also be a strategy of attracting businesses to my services, similar to how Yell has their marketing services on their website.

Reply

Steven MacDonald

about 2 months ago

Hi John, if company information is freely available online then you are OK to use it on your website.

Reply
