How to find new customers without falling foul of GDPR

By Ryan Welmans, founder and CEO, Sopro

At Sopro, our entire business is built on data. Since the General Data Protection Regulation (GDPR) came into play in 2018, we’ve had to take extra care with the way we handle personal information in order to stay compliant while losing none of our effectiveness as a sales enablement team. In this article I’ve provided a summary of GDPR and its implications for outbound sales, along with some tips to help you continue to grow your business while staying within the rules.

GDPR basics

In case it’s been a while since you brushed up on your regulations, GDPR applies to everyone who collects, uses or stores the personal information of people from the EU and EEA. Even if your company is based outside the region, if you are handling personal data of people within the zone, you need to follow the rules.

Breaking GDPR laws can lead to some serious financial consequences, with fines as high as 4% of your company’s total income. It could also have an impact on your reputation.

The following elements of personal information are protected under GDPR:

  • Personal names (not the business name)
  • Contact phone numbers
  • Email addresses for communication
  • IP addresses of devices
  • Mobile device IDs (IMEI/MEID)
  • Encrypted data, including sensitive information (Yes, even encrypted data is subject to GDPR rules!)

Prospecting and GDPR

SME Publications/ SME XPO 2024

If you’re processing any form of personal data (think cold emails, cold calls, or even selling through social media) you and your sales team must comply with GDPR.

  • Email outreach

The most important thing to remember when sending out sales emails is that you need to have permission before contacting someone. In B2B email marketing, it’s not necessary to seek explicit consent for data processing. If there’s a “legitimate interest”, businesses can send direct marketing to their business contacts without actively requesting consent. The most commonly used definition of legitimate interest is that the recipient is likely to be genuinely interested in your product or service, based on their particular job title or company. Other examples include the fact that they might expect you to reach out to them – that they wouldn’t be surprised that their data was being used in this way – and that the risk of infringing on their privacy is low.

  • Cold calling

Similar to B2B email marketing, cold calling is allowed under GDPR if the caller knows the prospect has a legitimate interest – but you have to state who you are and why you’re calling. You can’t contact that person if the individual has objected to receiving such calls or if the call doesn’t relate to the individual’s business role or responsibilities.

  • Social selling

Under GDPR, you’re free to contact prospective customers via social platforms as they’ve chosen to put their information on that site. For this reason it can be a great way to reach out to them. Using websites such as LinkedIn, where you can often see someone’s company and their job role, you can get a feel for whether they’d be interested in your product or services. It is worth noting, however, that if the conversation then continues over email or on the phone, you need to make sure there’s legitimate interest.

To remain GDPR compliant when you start your B2B email marketing campaign, consider the following ten steps.

1 Have a valid reason for collecting and processing personal data. This includes obtaining explicit consent from individuals.

2 Inform individuals about what personal data you are collecting. This includes how you’re using it and who you’re sharing it with. The information should be provided in a concise, transparent, intelligible, and easily accessible manner.

3 Only collect a minimum amount of data required for a specific purpose. Unnecessary or excessive data should not be collected or stored.

4 Keep personal data accurate and up to date. You must take steps to ensure that inaccurate or outdated data is corrected or deleted.

5 Keep data secure. Personal data must be protected from unauthorised access, destruction, or disclosure. Appropriate technical and organisational measures must be put in place to ensure data security.

6 Supply someone’s personal data if they ask. Individuals have the right to access, correct, and delete their personal data. You must also provide them with information about their right to object to the processing of their personal data and the right to data portability.

7 Consider data protection from the outset. Privacy and security should be built into the design of any new project or system development.

8 Have contracts in place with third-party processors. If you share personal data with third parties, set up agreements that outline the responsibilities of both parties with regard to GDPR compliance.

9 Report any data breaches to the relevant authorities within 72 hours. The clock starts ticking as soon as you are aware of the breach. You must also inform individuals whose personal data has been affected.

10 Regularly review and update your processes. Continue to monitor your data processing activities to make sure you remain compliant with GDPR requirements.

It’s easy for prospecting teams to see the GDPR as a barrier between a company and its potential customers, but the reality is that following its rules reflects good sales practice. By respecting the privacy of the individuals you are contacting, and by offering them information that is genuinely in their interest, you will not only remain compliant – you’ll also sell more effectively. 

Ryan Welmans is the founder and CEO of Sopro, an award-winning email prospecting business that enhances B2B sales engagement through the use of technology and expertise
