
GDPR & B2B Cold Email Prospecting – How To Comply.

Disclaimer: This is not legal advice. Please consult a lawyer or legal advisor before processing any personal data. Every business has a unique context in which data is processed, so tailored legal advice matters far more than general guidance.

What is GDPR?

GDPR (General Data Protection Regulation) is a legal regulation, issued by the European Union (EU), that is intended to protect the personal data of natural persons in the EU and tighten rules around the processing of personal data.

Personal data can be processed for many different reasons, depending on the context. Sometimes we need to process it in order to fulfil an agreement with a client, or because the client has given consent for us to do so. In other situations, a legal obligation requires the company to process the data.

What is personal data?

Any data that identifies a person or uniquely points to a person is classed as personal data. For example, thanos@gmail.com and thanos@marvelmovies.com are both classed as personal data but info@marvelmovies.com would not be classed as personal data.

This means that if you have to send emails to info@marvelmovies.com then it is not covered under GDPR as it does not identify a person. However, if you write to thanos@marvelmovies.com then you need to comply with the GDPR regulations.

Why should I care?

There are hefty fines for not complying with GDPR. In the last 12 months, the ICO has issued 32 monetary penalties to organisations from various sectors for making nuisance marketing calls and sending spam text messages. The total fines for nuisance marketing are over three million pounds!

If your business is intending to cold email or cold call persons in the EU (including the UK), have customers in the EU, or deal with the personal data of EU citizens then GDPR applies to you.

For example, your business is based in the US and you have a newsletter subscription form on your website that captures the email address. If a visitor from the EU subscribes to your newsletter then GDPR will apply to you.

At the time of writing this article, the energy company Northern Gas & Power has been issued a penalty notice for £75,000 after they made direct marketing calls to subscribers who were registered with the TPS or CTPS and hadn’t provided valid consent.

The marketing preferences reminders of 450k broadband subscribers to Virgin Media were accidentally emailed out on or around August 2020, resulting in a £50K fine from the ICO!

The ICO fined a marketing agency £200,000 after it sent 191.4 million emails and 3.6 messages to individuals without fully satisfying the requirements for an “opt-in” – meaning that 42 complaints were made against them!

The Solarwave of Grays, Essex has been fined £100,000 for making 73k unsolicited marketing calls about solar panel maintenance. These were to people who should not have received them and are registered with the Telephone Preference Service (TPS) list!

These are a few of the examples of how many companies aren’t following GDPR standards with regards to their outreach campaigns; as such, The Information Commissioner has enforced monetary penalties. Check the ICO website for a full list of recent enforcements and actions taken.

Does GDPR only apply to cold emailing?

Email is just one of the ways you can identify a person. Other pieces of data such as phone numbers, IP addresses, postal addresses and other forms of ID are also covered under GDPR.

GDPR is about regulating how personal data is collected and processed, so any data that has the potential to identify a person is covered under GDPR.
</gre_replace>
<gr_replace lines="48" cat="clarify" orig="So let’s say">
So let’s say that you sell HR software services and you are cold emailing businesses. If you send details of your offer to an HR executive or the head of HR at a company, that would be fine, but if you send the same email to a web designer at that company, that would not be okay.

Is B2B Cold Outreach Allowed Under GDPR?

For B2C communications you must obtain explicit consent from the individuals but for B2B communications you do not necessarily need explicit consent as long as you can demonstrate a legitimate interest (explained in a section below) for both parties involved.

So let’s say that you sell HR software services and you are cold emailing businesses. If you drop a business interest to an HR executive or HR head of a company with details of your offer then that would be fine but if you send the same email to a web designer in that company then that would not be okay.

For your communication to be compliant, the business activity of the individual you are targeting must be related to what you are offering.

Now, let’s say that the HR executive you reached out to asks you to remove his/her data from your mailing list. Then, you cannot cold email the individual again because they have explicitly asked you to not communicate.

Principles to guide your cold outreach

If you intend to send B2B cold outreach then you may be allowed provided you follow the principles outlined here. (Note you must consult a lawyer for your unique cold outreach needs)

Obtaining personal data

GDPR applies from the moment you come into contact with personal data, which is usually when you start collecting emails for your mailing lists. There are many ways to source your marketing leads, including public directories, and it is your responsibility to make sure every action you take in building and maintaining a successful email list is legal and fair, both for yourself and for any other parties involved.

Adequate data

You should only capture data just enough for what you intend to use it for. For example, if you are obtaining data to cold email other businesses then there is no need to collect their phone numbers.

Relevant data

To ensure that your message reaches the right people and solves their problems, you must be extremely precise in choosing who those prospects are. Tailor your copy or campaigns specifically for them so they have a better experience with whatever product or service you’re offering. The prospect must not be totally surprised by your offer: your communication must be relevant to the activities they perform at the business they work for.

Be clear on how you obtained the data

A common question that people ask when you reach out to a cold prospect is “how did you get my contact details?”. You must have a clear answer to how you obtained the personal data. Whether you build your list yourself or whether you hire a third party to do it for you, you must have clear information on how you obtained it.

Do not disguise or conceal your identity

You must not attempt to disguise or conceal your identity and must provide valid contact details for individuals to reply back to should they decide to unsubscribe.

Obtain the consent, if possible

The clearest path to staying legal with your communication is to obtain the person’s consent to receive your emails. This works perfectly for inbound marketing, where the person expresses interest by subscribing to receive some information. But this is obviously not possible when your business needs cold outreach, and this is where cold emailing differs from email marketing. When reaching out to new potential customers it is not always possible to have consent at the outset, but if you have referrals or leads where people have explicitly given consent to be contacted by your company, then that is fine.

Target your B2B prospects carefully

The other way to establish a legal basis without explicit consent is to have a strong reason for claiming that the company the prospect works for can benefit from what you offer in your email, and that offer should be logically connected to their own business activity. This justifies sending someone individualised information without first obtaining their consent to the data processing. It also means that you must make sure every prospect on your list is the right target for your cold outreach campaign. When unsure, remove the person from your list.

Clearly identify the purpose of your outreach

You must be able to clearly justify why you are reaching out to a particular person.

Legitimate interest

You must ensure that every person you are reaching out to has a legitimate interest in your offer, and there must be a clear justification as to why you think the recipient’s business would benefit from it. The offer should not come as a total surprise to the recipient.

Inform the recipient of their data being processed

Make it very clear in your communication what data you are processing and for what purpose.

Clear unsubscribe action in your message

It should be very clear to the recipient how to opt-out or unsubscribe from your mailing lists.

Accuracy of the data

The data must be regularly cleaned to keep it accurate. This goes hand in hand with the adequacy rule: the less data you keep, the lower the chance of it going stale. In addition, it should be clear to the recipient how to amend their data or request its complete removal.

Do not keep the data for longer than necessary

The way you send cold emails should follow the storage limitation principle of GDPR. In general, we recommend removing from your lists any prospects who have not replied within 3-4 weeks of receiving the first message. This ensures you are only processing the personal information needed for a specific purpose and are not breaching the individual’s rights under European Union law (GDPR).

Keep the data secure

Practise data security principles to avoid breaching data protection law. Accidental leakage of the data can have severe consequences.

The Information Commissioner’s Office has fined the Cabinet Office £500K for disclosing postal addresses of 2020 New Year Honours recipients online. The ICO found that this was a breach of data protection law!

Respond to complaints

As people become more sensitive about their data and better informed, it is natural for them to ask many questions about how or why you are processing it. Be prompt with your replies to questions or complaints. Provide clear answers along with the option to request deletion of their personal data.

Is cold calling and cold emailing dead?

At least, not for B2B cold outreach. As a business, you can still send a cold outreach to other businesses as long as you establish a legal basis and follow the right principles as stated above. The legal basis could be a contract, negotiation, request for a quote, request for information about your products/services or legitimate business interest. Use this tool to get guidance on the lawful basis of processing the data.

When sending a cold email or cold calling, make it absolutely clear why you believe your offer follows from the legitimate interest the recipient has shown, demonstrate a clear benefit to you or the recipient, or have a compelling justification for processing the data.

Is GDPR making it difficult to do business?

GDPR is about protecting personal data and preventing its misuse, not about hindering businesses. GDPR is not trying to kill cold outreach. In fact, GDPR should make prospecting better, as there should now be less noise in individuals’ inboxes, making it more likely that your legitimate outreach is read and picked up.

Can I still purchase email lists from third parties?

It is always best to build your list yourself. We do not recommend purchasing email lists without a full understanding of how the list was collected and where it came from, and it is a firm no if there are no details about the individuals’ consent to being contacted by your business.
B2B cold email is still possible in the world with GDPR, in fact, even better with less nuisance marketing. GDPR and PECR should both be kept in mind when sending email communications.