3 Must Read Points About GDPR Compliance If You Are In Sales Or Marketing

The General Data Protection Regulation (GDPR) Act will take effect this May 25th, 2018, which means time is of the essence. In light of this, we have prepared a brief analysis of the aspects of GDPR which are highly relevant for those working in sales and marketing.

First off – GDPR compliance is necessary to continue activities as a legitimate SDR or Marketeer based in or dealing with the European market. The purpose is not to scare you away from doing what you do best, but rather to help you tailor your efforts to GDPR.

What is GDPR? GDPR is a regulation that aims to protect the privacy of individuals. Therefore, it is our responsibility to respect and act upon these regulations to the best of our ability.




Please note: This article is intended to save you some time by providing insights on GDPR compliance. However, it is recommended that you go through your business case individually with a lawyer. This is not legal advice, but our interpretation of a regulation.


1. Is Cold Outreach Out Of Your Sales Equation?

First and foremost let’s address all this discussion about GDPR and how it will impact B2B cold outreach strategy.

Refresher (just in case)… cold outreach strategy includes cold emailing and cold calling. This is an unsolicited approach with the intention to mostly engage with and sell to the recipient.

If you’re looking for the short answer, then cold outreach is far from over, but it’s been regulated. If you require a more relevant and thorough understanding (which you should), keep reading because this will definitely come in handy. First, you need to understand processing rights and what legitimate interest is. Then, as a responsible Marketeer/SDR, you can see what you can do to stay within the boundaries of what is legitimate.


Conditions Under Which You Can Process Personal Data

Marketing & Sales, Data Analysts, Business Intelligence Operatives need to process data to do what they do best, period. But GDPR can’t be ignored and doesn’t need to be an obstacle. To help you with GDPR compliance, a few conditions are listed below. Do note that at least one of them should apply. Processing is fine if it’s:

a) Being done under the consent of the individual

b) Necessary to perform a task in public interest

c) Necessary for initiating a contract

d) Required under a legal obligation

e) Needed to protect the vital interests of an individual

f) Within the category of legitimate interest 


Legitimate Interest: Glimmer of Hope 




Legitimate interest could save most marketeers and salespeople from the ramifications of processing personal data (depending on a few conditions). However, the concept of legitimate interest can be confusing and due to slightly vague wording in the GDPR, there is mixed opinion regarding the concept.

According to an interpretation by the ICO (Information Commissioner’s Office), legitimate interest is the most “flexible and lawful basis for processing”. Therefore, it is recommended that you carefully evaluate your processing needs at a legal level.

Important note: If your job does not require you to collect, obtain, retain or process personal data, then legitimate interest most certainly does not apply to you.

GDPR augments regulations like the 1995 EU Data Protection Directive (which will be replaced by GDPR upon application). You need to ensure that your data controller/person in charge of data is lawful, transparent and fair. It’s recommended that you attend GDPR workshops and conduct in-house sessions to get a better understanding of how it will affect your business in particular.

Now that you know the conditions under which you can process data and what legitimate interest is, here’s the question you are probably eager to have answered.


Does Direct Marketing Count as a Legitimate Reason For Processing Data?

The answer to this question lies in recital number 47 of GDPR, that is: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Your direct marketing efforts should ideally not be affected but, to reiterate the previous point, your data controller needs to be fair while processing data.

So how should you go about writing a cold email? Ensure these 6 points are included in your future cold emails:




[1] Subject line should not be misleading, clearly indicating the purpose of the email

[2] Introduction is clear and to the point

[3] Content and purpose of email in the body is aligned with the subject line

[4] A clear consent to continue chatting on this subject

[5] Your signature should include your full name, designation, location and website link. Being clear to your prospect about who you are is vital

[6] It is always good to add an unsubscribe or opt-out link so that your recipient has a visible option to withdraw from these kinds of emails from you in the future



CRM is all about processing data on prospects, leads, and customers. It is important that Marketing and Sales follow certain processes to work towards GDPR compliance. Most importantly, processing data of EU citizens must be done under strict conditions and with a legitimate reason.

To understand this, you need to understand everything that is included in ‘data processing’. Data processing includes, but is not limited to, altering, deleting, organizing and disseminating personal data.

CRMs are fueled by data – some of which may be incorrect, more than what is needed, outdated or irrelevant. Following this, data cleansing requirements should be internally analyzed. Data cleansing can, therefore, be considered as the first step towards GDPR compliance.

According to the official GDPR guidelines (Article 5 (d)): “every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).”

Yes, this will require you to remove a lot of data from your database, but on the bright side, you will have a more accurate and targeted list. Businesses that opt for CRM data audits through data cleansing service providers don’t have to worry about this step, which can be a huge relief.


As tricky as this question can be, it is still quite necessary. Marketeers need to specify what they are obtaining consent for. You cannot mislead prospects into signing up for exclusive offers from Company A while utilizing the same personal data to send news from Company B.

That’s the thing about consent – it needs to be freely given, specific, informed and clear in language. Furthermore, a proper opt-out must be given to leads and be clearly indicated. This means explicit consent under GDPR must be obtained with these conditions kept in mind.

So you need to review your consent forms, landing pages, pop-ups, chat boxes and other data collection mediums and make sure they are in line with GDPR requirements. Another point to note here is that you need to be sure not to ask information which you do not need. Remember, consent needs to be specific. Here’s how you can be specific about consent forms:




  • Do note that you are specifically asking for permission to contact a person via email and not any other source
  • Be sure that there is an alignment between the information you are asking and your need for it. For example, when you meet a prospect face-to-face, would you discuss his business case or ask them what car they drive?

While the concept initially does seem basic, on a micro level, it can get as tricky as developing a marketing plan from scratch. According to BakerMcKenzie some takeaways for consent under GDPR include:


Source: BakerMcKenzie


Individuals Have The Right To Ask For Their Data

People always have the right to know what information is being kept about them. However, GDPR enhances this rule and requestees will need to provide an easier means for individuals to access their data. Of course, the reasons will need to be suitable based on company terms and privacy policy.

What this means: marketeers and SDRs should have a process in place to make this information easily accessible, such as an audit sheet showing where, when and how the consent was taken.


3. What About Email Marketing?  

Email marketing will be directly impacted by GDPR. You need to review the following checklist to see how you can comply with this new regulation:

  • Conduct CRM and Employee audits – Get your data cleansed, conduct geographic segmentation of all personal data and finally have a trail established signifying when, where and how you obtained that individual’s data
  • Previous Consent Practices – This will make a huge impact on your current database, but you will need to include explicit consent with a double opt-in and, of course, a proper documentation system so you’re ready to present the data if need be
  • Be transparent about your marketing practices – you should ideally have a disclosure document (which most companies do), but you need to make sure your disclosure includes your marketing practices so your prospect knows what to expect


Targeted B2B Data For GDPR Compliance

In addition to these points, you need to ensure that you are targeting the right market. If you sell HR software, you need to segment your cold outreach strategy. Target those who would be interested in or deal with your product, like HR Directors, Heads of HR, HR Managers etc. This way, legitimate interest could become your best friend when faced with strict GDPR requirements.

Cold emailing is far from dead, but it has been regulated. This will compel marketeers and SDRs to be more concise in their customer profiling. Honestly, this is a good thing – in reality, our pitches will be more relevant and less invasive.

It’s imperative that you engage with B2B data that is targeted, human verified and customized towards your product niche. Bad data can not only cost your business; your company could also be subject to a fine of 4% of your annual revenue or €20m – whichever is higher (ouch!).

It is for this reason that, at Cloudlead, we always ask our clients about their target market and business model. This allows us to provide better B2B data and keep our clients within data privacy guidelines.



Be sure to follow up on these guidelines and consider the checklists so that you can incorporate them well before the 25th of May. It would be ideal to appoint a legal consultant who can oversee all marketing and sales activities at your company. It can get difficult to adjust your day-to-day business operations. Three things you can do today to make this simple for you:

  • Hire a consultant and add an internal leader as an official overseeing this process completely
  • Make an internal GDPR checklist with the timelines
  • Assign a team to oversee and assure completion of the checklist

Following this, you can continue implementing amazing sales and marketing strategies without the worry of what problems you can potentially face with GDPR compliance.
