GDPR is the General Data Protection Regulation, a collection of EU regulations that outlines how data about EU citizens can be used, stored, and transferred. And it has significant implications for sales teams, especially those that use outreach.

What, Exactly, Is GDPR And Why Does it Matter for B2B Outbound Sales?

It isn't a particularly sexy piece of legislation, to be sure. But it is critical to protect your business if you do outbound sales. 

Now, for inbound sales, it is less critical. If you are using lead generation tools like Leadfeeder to see who has been on your site and then look up their email and phone number, then GDPR may apply. 

In our recent webinar, GDPR Guidelines for B2B Outbound Sales, Peter, the customer success lead here at Leadfeeder, was joined by JB from Evergrowth.io to discuss how GDPR can impact your B2B sales outreach—and how to ensure your processes stay compliant. 

Keep in mind that GDPR fines can reach up to 10 million euros or 2% of a company's global turnover in the previous year. GDPR isn't anything you want to mess around with.  

Frequently asked questions about GDPR in the sales world 

The GDPR is a complex set of laws and rules — comprising 11 chapters and 99 articles. There's a lot to unpack, as you can see in the screenshot of all the laws below. 

In the first part of the webinar, Peter and JB answered the most frequently asked questions about GDPR in sales. Here's what you need to know. 

Yes, you can. At the beginning of the text of the GDPR, there is a list of what we call recitals, basically bullet points. Recital 47 clearly states, "The processing of personal data for direct marketing purposes may be regarded as a legitimate interest." What that means is when you have a legitimate interest, you do not need to ask for consent to contact these people. 

Now, this doesn't mean you can buy a random list of contacts and send them random emails. You need to make sure you have a legitimate interest, that the people you're contacting actually match your ideal customer profile, and that you have a legitimate reason to contact them because your other customers look exactly like them.

2. Does the data subject have rights if I process their personal data for direct marketing purposes?

Yes, absolutely. Article 15 says the data subject has the right of access. This means they can ask you to extract their data from your CRM and send it to them at any time; they have the right to do that. 

They also have the right to rectify the data, meaning that they could say, "I changed my job title, I got promoted; please update it in your CRM." According to GDPR, they have the right to do this, and you have to comply. 

They also have the right to erasure, also known as the right to be forgotten. That comes from many articles in the GDPR and its recitals. And while some big, big internet companies might not make it very transparent, people have the right to be forgotten, that is, to have their data removed.

They also have the right to restrict the processing of their data, which means they can question your legitimate interest. They might say, "Keep my data, but I am going to question your legitimate interest with whatever authority is in my region. Restrict the processing, and we're just going to ask an authority to say who is right here."

3. Do I need to inform the data subject about their rights? 

This is a big one. The short answer is yes. You need to inform them of the controller's identity and contact details, i.e., your company's identity and the data protection officer's contact details. You may also need to tell them what you will use their data for and name the legitimate interest. 

You'll also need to tell them which categories of personal data you have, such as their full name, email address, job title, and phone number, if you have it. 

Then you'll need to tell them how long you will store their data, and if that is not possible, then the criteria used to determine that period. For example, how long will you store their data in your CRM, and at what point would you delete it?  

All of this information needs to be shared when contacting them for the first time. 

4. Do I need to follow the GDPR regulation if my organization is based outside of the EU?

Yes, because GDPR is about EU data subjects, not about the organization. So if your organization is located in a place where the EU laws apply by virtue of public international law, you do have to comply.

Now, maybe if you're in North Korea, you don't need to follow the GDPR because EU laws don't really apply there. But if you are based somewhere else, such as the United States, Europe, or most other countries, you do need to comply with the GDPR. The laws concern EU citizens' data, so it's not about where the company is located.

How to keep your sales process GDPR compliant 

The easiest way to stay GDPR compliant is to use an email disclaimer the first time you reach out. It might feel a bit clunky at first, but it protects your company and shows your prospects that you are committed to following the rules.

So, what do you need to include?

  • Address and full details of your company. This can be included in your email signature line.

  • Inform them of their rights, including where you found their data, what information categories you have, the purpose of the data, where it will be stored, and how long you will store it for.

  • Let them know they have the right to lodge a complaint, the right to be forgotten, and the right to obtain a copy of their data.

  • How to express their rights. For example, you could tell them to reply to the email with the number of each right they want to apply. So if I want you to stop contacting me, I just reply "One". If I want you to erase my data and also get a copy, I reply, "Two and Three."

There are pros and cons to this type of disclaimer. The main pro is that, according to our understanding, it complies with the GDPR and offers a straightforward, painless process for the data subject to make a request.

The format is also straightforward in terms of the internal process. If I get a reply with one, then I just put the status in my CRM as "Do not contact," and that's it, done. The con is that it's not sexy to have this big fat piece of text at the bottom of your email, right? But that's a compromise that has to happen to be compliant.

Another process you could use is to send the disclaimer in an email and tell them to follow a link to another form where they can select the right they want to express.

The cons of this approach are that you might need to integrate with an API, integrate with your CRM, and so forth. If you don't have that, then it adds extra steps to your process because you need to delete information in your CRM. You'll need some kind of reminder or task system to ensure the information is properly deleted.

Want to learn more about GDPR in outbound sales?

Watch the full webinar here, where Peter and JB answer more frequently asked questions, share more ways to make sure you are GDPR compliant in sales, and answer audience questions.

Thijs Schutyser

Team Lead Growth AM/Sales Team @ Leadfeeder

Thijs Schutyser is Sales Manager at Leadfeeder with more than a decade of experience in B2B sales and pipeline generation. He has worked across account executive and leadership roles, helping companies turn website visitor data into qualified sales opportunities.

Having delivered hundreds of product demos and worked directly with sales teams across Europe, Thijs brings firsthand experience in modern sales prospecting and buyer engagement. His experience using visitor insights and intent signals to prioritize outreach informs his perspective on building a predictable pipeline and improving sales prospecting strategies.
