The Cold Emailer’s Guide to GDPR

Disclaimer: The content below is provided for informational purposes only and is not meant to serve as legal advice.  You may seek professional legal counsel to determine exactly how GDPR is applicable to you and your customers. 
And now, the answer to the question everyone’s asking…

Can I still send cold emails?

The answer is YES, assuming you have a ‘legitimate interest’ that is a ‘lawful reason’ to ‘process data’ compliant with GDPR.  Get all that?

The General Data Protection Regulation (GDPR) is the European Union’s (EU) new 88-page privacy law. GDPR grants data protection rights to individuals in the EU, and those rights apply to anyone prospecting them, whether you live in the EU or not. Specifically, GDPR regulates how you obtain, use and store personal data belonging to the EU’s 750 million residents.

GDPR goes into effect on May 25th 2018 and non-compliance carries stiff fines.

Personal data is defined broadly: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, credit card, posts on social networking websites, medical information, or even a computer IP address.” Personal data can even include data about an individual that has been hashed or encrypted.

Your Role in GDPR

Are you acting as a Data Controller, a Data Processor or both?

“Data Controller”: Anyone who is collecting data (e.g., building prospect lists) and determining how it will be “processed” or used (e.g., sending emails). As the Data Controller, you are responsible for safeguarding the data of your prospects and customers as they interact directly with you or your services.

“Data Processor”: Any third party gathering or processing information on behalf of the Data Controller. This could be your email verifier (e.g., SellHack) or your cold emailing tech (e.g., Replyify). The Data Processor is responsible for safeguarding your data and the data of your partners, customers, users, prospects, leads, etc.

Since this article is written for a B2B salesperson, note that the EU authorities classify you as a Data Controller, because you may need personal data to make calls, conduct meetings, and send emails.

This is complicated stuff, but for folks in sales, Article 6(1)(f) gives you a lawful basis for processing, which can be broken down into a three-part test. It’s important to document your Legitimate Interest Assessment (LIA) to demonstrate your accountability under Articles 5(2) and 24 if you’re ever questioned on the legitimacy of your data processing.

Your 3 Part Test To Determine if You can Send a Cold Email

This three part test is used to define your ‘legitimate interest’ (ICO’s ‘Purpose Test’), your necessity to process the data (ICO’s ‘Necessity Test’), and whether your ‘legitimate interest’  balances out the individual’s right to privacy (ICO’s ‘Balancing Test’).

As a cold emailer, your legitimate interests are always weighed against the data subject’s right to privacy. You must make it clear why this particular person might want to hear from you. You must have a legitimate interest for each person you prospect, which means purchasing a list built by a third party could get you into trouble.

First, identify the legitimate interest and be prepared to answer the question “How did you get my email address?”

Your response needs to clearly describe the method you used and your legitimate interest:

  • A bad response citing your legitimate interest: “I bought a list of emails from a freelancer on Upwork.”
  • A good response citing your legitimate interest: “In the process of my research, I discovered that your company recently changed CRMs and may be interested in our software that helps companies who use ‘Abc CRM’ send and track email communication with prospects. After confirming that you are the VP of Sales, I found that your company uses the same email pattern, so I sent an introduction email and a LinkedIn connection request inquiring if you are interested in speaking to learn more.”

Here is an example of the logical argument you could make to justify cold emailing or cold calling prospects in the EU:

  1. Purpose test: Are you pursuing a legitimate interest? You need to verify that EVERY person on your prospect list can benefit from your business offer and that your message(s) are relevant to the prospect’s business.
    • Based on our interpretation, you can’t cold email a prospect from a generic list sold by a third party unless you can verify the legitimate interest of every single person on that list. You’re better off using a tool, like SellHack, to build your list; otherwise you may be required to gain consent from the prospect prior to emailing them.
    • You can’t email contacts found from a service that crawls the web and provides a random assortment of email addresses tied to a particular company/domain. You must verify the legitimate interest of each person on your prospect list. Just working at a company doesn’t pass the Purpose Test.
  2. Necessity test: Is the processing of the data necessary for that purpose (legitimate interest)? If you are sending an email and/or making a phone call, you need an email address and/or phone number. Researching and/or verifying an email address and/or phone number is necessary for the purpose of fulfilling your ‘legitimate interest’. *Note: According to GDPR Recital 47, which names direct marketing as a possible legitimate interest, if the data you collect is both public and B2B, GDPR consent or a hard opt-in may not be legally required as long as a clear opt-out is provided.
  3. Balancing test: Do the individual’s interests override the legitimate interest? If your prospect would not reasonably expect the processing of their data, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. If the ‘legitimate interest’ would benefit the prospect’s company and they would reasonably expect to be contacted via email, then processing the email address may be acceptable if you don’t believe the processing would cause them ‘unjustified harm.’ And… make sure you provide a clear opt-out in all emails.

Breathe. The world is not ending. B2B sales is NOT dead.

P.S. If you want to learn more about how Replyify prepared for GDPR, check this post out.