GDPR & Sales prospecting: How to find new customers without breaking the law

Sales is competitive by nature.

And given that 50% of all sales go to the first company to respond to a prospect, having an effective process in place is business critical.

Whether you pick up the phone to cold call prospects, meet potential customers while networking at events, or do something else entirely, proven strategies that quickly turn strangers into customers are considered the ‘holy grail’ in sales.

That’s because there’s a science to sales and once you master it, you can use multiple sales techniques to quickly reach quotas and collect that well-earned sales commission.

But, this is all about to change.

The way you prospect today is about to receive a major update due to the EU data protection regulation known as GDPR – which comes into effect in less than a month!

Failure to comply with GDPR can leave your company facing fines of up to €20 million or 4% of global turnover – whichever is greater.

There’s no escaping it.

The EU’s biggest privacy update in more than two decades is soon upon us – and with 57% of B2B sales professionals still unaware of what GDPR is – now is the time to look at how GDPR affects your sales team and how you can prospect under GDPR.

Let’s get started.

Will GDPR affect your sales team?

You might think that GDPR won’t apply to you, but for many sales reps, GDPR represents a big shift in your day-to-day prospecting.

Ask yourself this:

  • Do you still rely on purchased leads to fill up your sales pipeline?
  • Do you automatically add business card contact data to your mailing list?
  • Do you ask existing customers for referrals and recommendations?

If you answered “yes” to any of the questions above, then GDPR is going to impact you and your organization.

Also, in case you think that the GDPR only impacts European businesses, you’d be wrong.

It doesn’t matter if your business is based in the EU or not – if the data you collect on at least one of your prospects belongs to an EU citizen then you’re liable to comply with GDPR.

GDPR and Sales

GDPR is the term used to describe a series of major updates to the EU data protection law that will come into effect on May 25th, 2018.

In essence, GDPR provides citizens of the EU with greater control over their personal data and offers assurances that their information is secure, regardless of whether the data processing takes place in the EU or not.

For sales teams, personal data is at the heart of how they prospect for new business, and GDPR will change how they collect, store, and process it, as well as how long they retain it.

What is personal data?

Personal data comes in a variety of forms and can include things like name, email, phone number, and interests – the kind of information that sales reps typically store in their CRM system about their prospects.

On a bigger scale, personal data also includes things like IP address, social media posts, bank details, and even medical information – so it’s important to make sure you’re handling all types of personal data appropriately.

How prospecting will change under GDPR

Let’s take a closer look at how it will change under GDPR.

Collecting the data and seeking permission from the individual

The most typical ways of seeking permission are through a web form (including a link to a privacy statement) or in a follow-up email.

Under GDPR, individuals have the right to be informed about what data you collect, why you are collecting it and how you intend to use it.

But that’s not all.

Individuals also have the right to be informed about the purposes of processing their data and the period for which their personal data will be stored (you can read more about individuals’ rights under Article 13 and Article 14).

So, if you haven’t obtained their consent at the time you collected their personal data, you must inform them – within 30 days of obtaining their data – that you have done so and of the purpose for keeping their personal data in your system.

If the person replies to a message like this and requests that you delete their data, you have to comply with that request and remove them from your CRM or database. Or, at the very minimum, keep as little information as possible to ensure no future contact will be made.

Although, this is easier said than done.

In some cases, you may be legally required to store their data, even if they request that you remove it. If this happens, your Data Protection Officer (DPO) will need to inform the person that you are required to keep their data stored and the reasons for doing so.

However, if you don’t hear back after making a fair and reasonable effort to contact them, then you can assume that storing their data isn’t a problem – providing you have a legitimate interest.

Just make sure you do not send any marketing messages (unless they have opted in), and keep a record of the consent to keep yourself GDPR compliant.

Processing the data

Once you’ve sought permission to store the data you have on a prospect, the next step is to use it to help you in your quest for new sales. However, you have to be careful, because GDPR restricts the way you can process (or use) this data.

For example, today when you collect an email address from a prospect, they are usually added to a variety of sales and marketing email lists, such as:

  • If someone downloads a white paper, you later send them an email with a webinar invitation.
  • If someone requests more information on your pricing packages, you add them to your lead nurturing email list.
  • If someone calls up your business to ask for a free trial, you send them a series of onboarding emails.

If you continue to do this after May 25th, 2018, then you risk being fined.

When you collect personal data such as an email address, not only do you need to inform the individual that you have stored it, but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.

Simply put:

You cannot assume that you have permission to send mass email campaigns just because you have their email address.

One way to handle this is to allow prospects to manage their email subscriptions, using a subscription management tool.

However, before you can begin to think about storing and processing personal data, you first need to find it – so let’s look at how to prospect under GDPR.

How to prospect under GDPR

For many companies, GDPR means sales teams need to make some changes to their prospecting techniques to stay compliant. Here are 7 sales prospecting techniques that you may consider adopting before the new regulation comes into effect in May 2018.

1. Email outreach

If you’ve been sending out cold prospecting emails on auto-pilot lately, then you’re going to have to stop. Immediately.

With GDPR, you can’t send automated sales emails to prospects without getting their permission first. This includes product demo, quick catch up and “just reaching out” emails, or any other form of communication that your prospects didn’t ask to receive.

If you’ve never had contact with a prospect before, you should demonstrate in the sales outreach email that you have tried to contact them by phone prior to emailing them.

In the example below, it’s clear that no attempt has been made to reach out to me by phone, so the email falls under direct marketing communication.

If you’re going to send out these kinds of outreach emails in a post-GDPR world, then you need to have been granted consent by the prospect first. Without it, you’re failing to comply.

That being said, you can continue to send cold sales emails to prospects, if the email is sent to an individual and not to a group of recipients, and if you have included a link to your privacy statement explaining why you are contacting them in the first place (i.e. you have a legitimate interest).

2. Social selling

Social selling is a new term to many sales reps (only 1 in 4 reps use it), but for those that do use it, it’s fast becoming a popular way to prospect.

The good news is that GDPR doesn’t prevent you from finding and connecting with potential customers on social media. Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

If you use LinkedIn or Xing, here’s a handy template to copy and paste each time you send out a connection request to get the conversation started.

Once these contacts have accepted your connection request, you can reach out and message them with the aim to gain consent to nurture and sell to them.

Bear in mind that the principle of providing value before asking for something still holds in the social media world. Spamming your social media contacts will not provide any better results than spamming prospects in any other channel.

Also, if the conversation shifts outside of social media you will need to establish that there is a legitimate interest in contacting them by email or by phone. The best way to do this is to gain their consent. However, consent to contact them cannot be treated as consent to send them mass marketing campaigns!

3. Purchased lead lists

Purchased lead lists can often be a great way to fill up the sales pipeline – either when there’s a drought or to complement your existing prospecting work.

But, from May 25th, this will change.

If you acquire leads that contain personal data from third-party ‘lead generators’, then not only do they need to have consent to share that information with you, but you will also be required to get specific consent to use the email addresses on the list – unless they have given their consent to be approached by associated partners (i.e. said “yes” to their data being transferred to third parties).

In this case, you can contact them.

However, you must document proof of their consent from the third party you purchased the list from, and you will also need to allow people to unsubscribe from your email campaigns.

This GDPR-related change affects existing purchased leads, too. If you already have purchased leads in your mailing list – but you haven’t contacted them yet – then you will need to document their consent from the third-party vendor before you send marketing messages.

4. Cold calling

Cold calling is one of the most effective ways to build new relationships with potential customers. In fact, cold calling doesn’t come under the same regulation as GDPR, so chances are it will be given a new lease of life as a result, which is good news to cold calling experts!

At this stage, it is worth repeating that each time you add a new prospect to your database, you’ll need to get their consent before you can start sending them promotional offers.

So, while you are on the call with the prospect, just ask them if they would like to receive newsletters. If they say yes, you can send them a link to a “manage my subscriptions” page where they can opt-in to specific news, content and updates.

The challenge with cold calling is that it can be difficult to document their consent, unless you record a call with a prospect. To overcome this, you can follow up the call with an email that sums up everything you have discussed.

In this email, make sure you include:

  • The purpose of why you called them
  • What was agreed during the call
  • Why you are following up by email

Here’s an example of what this email could look like:

Each time you send an email with this information, make sure you store it in your database under the prospect’s details. If the prospect responds and asks to be removed from your mailing list, then you have to comply with their request.

5. Networking

Networking at conferences and events is a great place to meet potential customers.

A large part of networking includes the age-old tradition of exchanging business cards. In the past, this meant taking the contact information on a business card, such as name, company and email address, and storing it in your CRM system.

While you can continue to exchange and store business card information, you cannot use their email address for marketing purposes, unless you have their consent and they have opted-in to receive marketing emails.

But, all is not lost. You can still send one-to-one emails and follow up with prospects that have given you their business card since a legitimate interest has been established. So, don’t give up on networking just yet!

6. References

One of the most successful ways to find new customers is to ask your existing customers for referrals or recommendations to people they know who might be interested in your product or service. Today, you can simply pick up the phone and give new prospects referred to you by existing customers a call or send them an email.

Under GDPR, you can continue to call and email prospects based on recommendations from existing customers.

One of the best ways to reach new prospects through referrals is to ask your existing customer to introduce the two of you and explain why they are doing so. Plus, using email means that the introduction is digitally recorded.

Of course, not every customer will be willing to write an email for your benefit.

To help you with this, here’s a sales email template that your customers can send to introduce you:

7. Website

Websites are a great place to capture new leads.

If you’re using a web form to capture contact information, then now is the time to review the type of information you collect. GDPR requires you to legally justify the personal data you capture from website visitors.

What this means is that going forward, you can only ask for information you need, rather than information you would like to have. And while asking for personal income and date of birth will help you identify and prioritize the leads you get, you need to be able to prove why you’re asking for it.

Otherwise, if you can’t justify the extra information, then just concentrate on asking for name, company and business email address.

You also need to be clear and upfront about how you use their data and for what purpose, as well as giving them the opportunity to opt in or opt out accordingly – which they can do if you send the “Manage my subscriptions” email we mentioned earlier.

This means that just because they’ve entered their email address to sign up for a webinar, it doesn’t mean they are subscribing to every mailing list you have.

Prospects need to opt-in to receive email campaigns, so be clear on how they can subscribe.


From May 25th, 2018, the way you prospect will ultimately change for the better.

Instead of trying to sell to new prospects that are not in the market to buy, GDPR forces you to focus on building relationships and selling to people that actually want to hear from you. In doing so, you’re dealing with prospects that are much more engaged and ready to buy.

GDPR helps you focus on quality prospects over a quantity of prospects – so it should make your job easier in the long-term.

Remember, GDPR is not about restricting the way you prospect and generate new business. In fact, by complying with GDPR, you and your sales team will quickly meet your sales KPIs, generate better quality leads, reach more engaged prospects and, ultimately, achieve higher close rates.

GDPR-ready features for sales teams

If you’re looking for a GDPR-ready CRM system, then consider SuperOffice CRM.

Built with privacy in mind, SuperOffice allows you to manage prospect information, record consents and easily notify new contacts when their data has been safely stored.

Contact us today to see these new GDPR features in action!


Disclaimer: The content in this article is not to be considered legal advice and should be used for information purposes only.
