GDPR sales prospecting: how to be compliant

What the GDPR is, how it applies to your business, and ways to be fully compliant when reaching out to potential customers.


You know what they say, rules are rules. And when it comes to GDPR, you definitely want to stick to them.

Since GDPR came into play in 2018, it’s become more important than ever to make sure your sales prospecting tactics are compliant. Because otherwise, you could get into serious trouble. 

What is the General Data Protection Regulation or GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive EU data protection law designed to protect the privacy of individuals. It sets out rules for the collection, processing, storage, and transfer of personal data.

So if you’re collecting personal information on anyone, you need to be GDPR compliant. 

What happens if you break the GDPR laws?

Breaking GDPR laws can lead to some serious consequences. We’re talking fines as high as €20 million or 4% of your company’s total income. 

And it’s not just the financial consequences – breaking GDPR rules can damage your reputation and make customers lose trust in you. 

Facebook owner Meta was fined €265 million after Facebook users’ personal data was made available on an online hacking forum (we’re talking full names, phone numbers, birth dates and locations of people using the site in 2018 and 2019).

And Google Ireland was hit with a €90 million fine in 2022 after YouTube’s cookie consent procedures were found to be severely lacking. 

So no one is exempt from GDPR rules! 

What personal information is protected under GDPR?

So what does GDPR specifically protect? The rules cover:

  • Personal names (not the business name)
  • Contact phone numbers
  • Email addresses for communication
  • IP addresses of devices
  • Mobile device IDs (IMEI/MEID)
  • Encrypted data, including sensitive information (Yes, even encrypted data is subject to GDPR rules!)

What does GDPR apply to?

If you’re processing any form of personal data (think cold emails, cold calls, or even selling through social media), you and your sales team must comply with GDPR. But let’s take a closer look at how you can keep your prospecting above board.

Email outreach

It’s no secret – here at Sopro, we love emails. We think it’s the best way to do your outreach, but if you’re not clued up on the regulations then you’re putting your business at risk. 

The most important thing to remember when sending out sales emails is that you need to have permission before contacting someone. However, there are some differences between B2B and B2C email marketing. 

In B2B, it’s not necessary to seek explicit consent for data processing. As long as there’s a “legitimate interest”, businesses can send direct marketing to their business contacts without actively requesting consent. But what counts as “legitimate interest” for your prospects? 

  • They would genuinely be interested in your product or service, looking at their job title or company
  • They’d expect you to reach out to them – in other words, they wouldn’t be surprised their data was being used in this way
  • The risk of infringing on their privacy is low  

Cold calling

Similar to B2B email marketing, cold calling is allowed under GDPR if the caller knows the prospect has a “legitimate interest”. But there are some guidelines when reaching out. You have to say who you are and why you’re calling.

And you can’t contact that person if:

  • the individual has objected to receiving such calls 
  • and the call doesn’t relate to the individual’s business role or responsibilities.

Social selling

Under GDPR, you’re free to contact prospective customers via social platforms, as they’ve chosen to put their information on that site. This is why it can be a great way to reach out to prospective customers, especially on sites such as LinkedIn, where you can often see someone’s company and job role and judge whether they’d be interested in your product or services.

However, if that conversation then continues over email or on the phone, you need to make sure there’s “legitimate interest”! Learn more about social selling.

Where does GDPR apply?

Basically, GDPR applies to anyone who collects, uses, or stores personal info of people from the EU/EEA, no matter where they’re located. So even if a company is based outside the EU/EEA, they still have to follow GDPR rules if they’re handling personal data from people in the EU/EEA.

Prospecting in the US? Take a look at our blog: How to send compliant B2B emails in the US.

10 ways to do GDPR-compliant prospecting

Here are the 10 things you need to do to stay GDPR-compliant when prospecting:

  1. Have a valid reason for collecting and processing personal data

This includes obtaining explicit consent from individuals.

  2. Inform individuals about what personal data you are collecting

You also need to inform them of how you’re using it, and who you’re sharing it with. This information should be provided in a concise, transparent, intelligible, and easily accessible manner.

  3. Only collect a minimum amount of data

Only collect and process the minimum amount of personal data required for a specific purpose. Unnecessary or excessive data should not be collected or stored.

  4. Keep personal data accurate and up-to-date

You must take steps to ensure that inaccurate or outdated data is corrected or deleted.

  5. Keep data secure

Personal data must be kept secure and protected from unauthorised access, destruction, or disclosure. Appropriate technical and organisational measures must be put in place to ensure data security.

  6. Supply someone’s personal data if they ask

Individuals have the right to access, correct, and delete their personal data. You must also provide them with information about their right to object to the processing of their personal data and the right to data portability.

  7. Consider data protection from the outset

You should consider data protection from the outset of any new project or system development. Privacy and security should be built into the design of systems and processes by default.

  8. Have contracts in place with third parties

You should have contracts in place with any third-party processors that you share personal data with. These agreements should outline the responsibilities of both parties with regard to GDPR compliance.

  9. Report any data breaches within 72 hours

You must report any data breaches to the relevant authorities within 72 hours of becoming aware of the breach. You must also inform individuals whose personal data has been affected by the breach.

  10. Review regularly

You should regularly review and update your data processing activities and ensure ongoing compliance with GDPR requirements.

If you want to know more about GDPR and prospecting in general, take a look at our FAQs.


We love data, it’s how we can make our emails so personalised and reach as many people as we do. Our whole business is built on data! But it wouldn’t be possible if we weren’t GDPR compliant.

Want to know more about the nitty-gritty? Let’s talk legal.
