Why You Need GDPR Compliant Data for Sales

Written by Dan Peacock | Jun 7, 2023 9:00:00 AM


🚨 Are you breaking the law?

Your answer to this is likely, “Of course not, I’m a professional salesperson!”

However, you and your team may be doing so without even knowing it. 

How can you avoid this pitfall? 

Our blog will show you how your team can stay on the right side of the law with B2B sales data under the GDPR.

What is the GDPR?

In May 2018, the General Data Protection Regulation (GDPR) came into effect across the whole of the EU and the EEA.

It aims to give citizens more control over their personal data. 

It does this by setting out ways companies must process and protect the data they hold about their customers. 

Aksa Kalam, Cognism’s Head of Legal, explained:

“The GDPR automatically applies where a company processes the data subject’s data who is an EEA resident.”

The GDPR allows companies to carry out sales and marketing practices if they can prove a lawful basis.

The most commonly used, and arguably most flexible, lawful basis that B2B companies use for processing personal data is legitimate interest.

If your company is asked to provide a service such as cold outreach, you must ensure that you serve the appropriate notices, records, assessment documentation, privacy policies, DPIA and legitimate interest assessments.

It’s important to note that under the GDPR, the processor of the information and the controller of the information can be different entities. 

In the case of B2B sales, the controller is usually the sales rep. 

You’re probably thinking, “How does the GDPR apply to various sales outreach practices?”

Keep scrolling to find out how to use GDPR compliant data for sales 👇

GDPR and cold calling

Believe it or not, cold calling isn’t directly affected by the GDPR. Calling is covered by the Privacy and Electronic Communications Directive.

But the GDPR does govern how personal data, such as phone numbers, can be used to make cold calls. 

Under Article 6 of the GDPR, there are six lawful bases that allow companies to use personal data:

  1. Explicit consent from the customer to use their data.
  2. To fulfil a legal obligation.
  3. To fulfil a contract with a customer.
  4. To carry out a task in the public interest.
  5. To protect the vital interests of an individual.
  6. To pursue legitimate interest.

When it comes to your reps and cold calling with GDPR compliant data for sales, you’ve got to focus on complying with consent and legitimate interest.

And here’s why 👇


Having a prospect’s phone number doesn’t mean you have consent to contact them.

If your reps are going to cold call prospects, they’ve got to ensure that the consent is:

Clear and explicit 

In order to remain GDPR compliant, the prospect must actively give the controller of the information permission to use their data for the purpose of being contacted via the telephone.

For a specific purpose or organisation 

The prospect must give consent to your organisation. You cannot transfer this consent to pass on their personal data to a third party. 

The prospect must give you consent for cold calling. If a prospect opts in to receive an email, this does not extend the consent for your reps to cold call them.  

Easy opt-out 

If a client wishes to withdraw their consent, your reps need to make this as easy as possible and you must delete their data within one month. 

Although your reps cannot cold call a prospect without their explicit consent, legitimate interest allows cold calling to occur. 

And here’s how 👇

Legitimate interest

Your SDRs are allowed to cold call prospects on the grounds of legitimate interest depending on the targeted jurisdiction. However, this can be overridden by the prospects’ right to not be contacted. 

So, how do you ensure your cold calling is GDPR compliant? 

  • Set up clear roles and rules that adhere to the GDPR requirements for handling personal data.
  • Record conversations and store them securely.
  • Get proof of consent if your leads are from a third party. 
  • Ensure there is legitimate interest before calling prospects. 
  • Ensure you have clear opt-in and opt-out messages. 

GDPR and sales emails

The GDPR doesn’t stop your reps from sending cold emails; it simply puts rules in place that they must follow.

This means that your business needs to be careful of how you store, manage, and collect your data.

When cold emailing prospects, your reps must remember that they should only reach out to people they believe will benefit from your product. 

This means that your data collection needs to be adequate and relevant for the purpose of its processing.

In other words, whatever your salespeople offer in their cold email must be connected to the prospect’s business in some way. 

Next, your reps need to be completely transparent in their outreach.

The email copy must explain: 

  1. Why the prospect is hearing from the salesperson.
  2. Exactly where the salesperson got the prospect’s details from (e.g. LinkedIn).

If the prospect responds by asking to be removed from your database, your reps need to ensure this happens ASAP. 

Finally, you’ve got to provide an easy opt-out option for your prospects.

Aksa elaborates on this:

“At Cognism, we always make it clear as to where our marketing emails are coming from, how to contact us with any questions, and always send an opt-out link to our data subjects.”

Ensure your cold emails are GDPR compliant by: 

  • Segmenting lists very carefully based on your prospects’ business needs - this only applies to personalised email addresses and not generic ‘info@’ email addresses. 
  • Being able to explain exactly how you got the prospect’s email address. 
  • Protecting the data and only keeping it for as long as required. 
  • Providing an easy way for the prospect to opt out.

GDPR and social selling

Your salespeople could land your company a huge fine if their approach to social selling isn’t GDPR compliant. 

What’s the number one social platform your reps will be prospecting on?

You guessed it - LinkedIn!

When it comes to social selling on LinkedIn, the sales rep is no longer the data controller, but rather, LinkedIn is.

LinkedIn is also the processor of the data. That means LinkedIn is responsible for protecting all of the personal information of its users as per the GDPR requirements. 

Why is this the case?

Well, when a user signs up for LinkedIn, they’re agreeing to expect a two-way flow of communication.

So, as long as your salespeople are reaching out to LinkedIn connections on LinkedIn, all is well and compliant. 

Cognism’s globally compliant data

This article got you a bit stressed about your compliance?

Not to worry, Cognism’s got your back! 

Get on track with the world’s best GDPR compliant data for sales - click to speak with one of our experts 👇

The contents of this article are for the purposes of general awareness only. They do not constitute legal or professional advice. The content may have changed since this article was published. Readers should take appropriate professional advice for their own particular circumstances.