The way sales teams used to prospect for sales has received a major update due to the EU General Data Protection Regulation (GDPR) which came into effect on 25 May 2018.

Failure to comply with GDPR can leave a company facing fines of up to €20m or 4% of global turnover, whichever is greater.

The EU’s biggest privacy update in more than two decades is now upon us so it’s time to look at how GDPR might affect your sales team and how you can prospect for sales under GDPR.

Will GDPR affect your sales team?

You might think that GDPR won’t apply to you but for many sales reps GDPR represents a big shift in day-to-day sales prospecting.  Ask yourself this:

  • Do you still rely on purchased leads to fill up your sales pipeline?
  • Do you automatically add business card contact data to your mailing list?
  • Do you ask existing customers for referrals and recommendations?

If you answered “yes” to any of those questions then GDPR has an impact on you and your organisation.

Also, if you think that GDPR only impacts European businesses then you’d be wrong.

It doesn’t matter if your business is based in the EU or not – if the data you collect on at least one of your prospects belongs to an EU citizen or resident then you’re liable to comply with GDPR.



Personal data is any piece of information that identifies an individual.  In practice it comes in a variety of forms and can include things like name, email, phone number, and interests – the kind of information that sales reps typically store in their CRM system about their prospects.

Personal data also includes things like IP addresses, social media posts, bank details, and medical information – so it’s important to make sure you’re handling all types of personal data appropriately.

GDPR provides residents and citizens of the EU with greater control over their personal data and offers assurances that their information is secure, regardless of whether the data processing takes place in the EU or not.

For sales teams, personal data is at the heart of how they prospect for new business and GDPR changes how they collect, store, and process it as well as how long they can retain it.


How sales prospecting will change under GDPR

Collecting the data and seeking permission from the individual

GDPR revolves around correctly seeking permission to collect, store and use personal data.

The most common method of seeking permission is through a web form (including a Privacy Policy) or in a follow up email.

Under GDPR, individuals have the right to be informed about what data you collect, why you are collecting it and how you intend to use it.

But, that’s not all.

Individuals also have the right to be informed about the purposes of processing their data and the period for which their personal data will be stored (you can read more about individuals’ rights under Article 13 and Article 14 of GDPR).

So, if you haven’t obtained an individual’s consent at the time you collected their personal data, you must inform them (within 30 days of obtaining the data) that you have done so and the purpose for which you are keeping their personal data in your system.  Perhaps by an email something along the lines of:

We just wanted to inform you that your contact details have now been stored in our CRM system.

Your contact details may include your name, date of birth, postal address, email address and phone numbers.  We do this to be able to serve your requirements in the best possible way.  All personal information is stored securely and in accordance with current laws and regulations.

If you have any questions or objections to this, please let us know by replying to this email or by contacting our customer service team.  For more information on this topic please visit our Privacy Policy here.  

We would like to share with you our blog, helpful newsletters, details of special offers, invitations to our events and more.  Please let us know what you would like to receive from us by completing your communication preferences.

If the person in question responds to a message like this about their personal data by requesting that you delete their data then you have to comply with that request and remove them from your database.

In some cases, you may be legally required to store their data even if they request that you remove it. If this happens then the Data Protection Officer (DPO) will need to inform the person that you are required to keep their data stored and the reasons for doing so.

If, however, you don’t hear back after making a fair and reasonable effort to contact them then you can assume that storing their data isn’t a problem – providing you have a legitimate interest.

In order to stay GDPR compliant make sure you do not send any marketing messages (unless they have opted-in) and keep a record of the consent.

Processing the data

Once you’ve sought permission to store the data you have on a prospect the next step is to use it to help you in your quest for new sales.  You have to be careful, however, because GDPR restricts the way you can process (or use) the data.

For example, it has been the practice that when you collect an email address from a prospect they have been added to a variety of sales and marketing email lists, for instance:

  • If someone downloads a white paper, you later send them an email with a webinar invitation.
  • If someone requests more information on your pricing packages, you add them to your lead nurturing email list.
  • If someone calls up your business to ask for a free trial, you send a series of onboarding emails.

If you’re still doing this today, then you risk being fined for a breach of GDPR.

When you collect personal data, such as an email address, not only do you need to inform the individual that you have stored it but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.

Simply put:

You cannot assume that you have permission to send emails to an individual as part of a mass email campaign just because you have their email address.  One way to handle this is to allow prospects to manage their email subscriptions, using a subscription management tool (see below) in which they can control the type of information they wish to receive.

However, before you can begin to think about storing and processing personal data, you first need to find it – so let’s look at how to prospect under GDPR.

7 ways to prospect under GDPR

For many companies, GDPR means sales teams need to make some changes to their sales techniques to stay compliant.  Here are 7 sales prospecting techniques that you could consider adopting now GDPR has come into effect.

  1. Sales outreach emails

If you are, or have recently been, sending out bulk cold prospecting emails and sales pitches then you must stop, immediately.  Under GDPR you can’t send automated sales emails to prospects without getting their permission first.  This includes product demo, quick catch up and “just reaching out” emails or any other form of communication that your prospects didn’t ask to receive.

If you’ve never had contact with a prospect before then you should demonstrate in the sales outreach email that you have tried to contact them by phone prior to emailing them.  If no such attempt to reach out has been made then any email contact falls under direct and unsolicited marketing communication in breach of GDPR.

If you’re going to send out these kinds of outreach emails in a post-GDPR world, then you need to have been granted consent by the prospect first.  Without it, you’re failing to comply with GDPR.

You can, however, continue to send cold sales emails if the email is sent to an individual (as opposed to a group of recipients), contains an unsubscribe link and if you have included a link to your Privacy Policy explaining why you are contacting them in the first place, for instance, you have a legitimate interest.

  2. Social selling

Social selling is a new term to many sales reps.  It is estimated that only about 25% of sales reps are using social selling but, for those that do, it’s fast becoming a popular way to prospect.

The good news is that GDPR doesn’t prevent you from finding and connecting with potential customers on social media.  Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

If you use LinkedIn or any other social network for businesses, here’s an example of a connection request to get the conversation started.

Once this potential contact has accepted your connection request you can reach out and message them with the aim of gaining consent to nurture and sell to them.

If the conversation shifts outside the social media platform then you will need to establish that there is a legitimate interest in contacting them by email or by phone.  The best way to do this is to gain their consent.  However, consent to contact them cannot be treated as consent to send them mass marketing campaigns.

  3. Purchased lead lists

Purchased lead lists can often be a great way to fill up the sales pipeline, either when there’s a drought or to complement your existing prospecting work.  But, since 25 May 2018 this has changed.

If you acquire leads that contain individuals’ personal data from third-party ‘lead generators’ then not only do those individuals need to have consented to that information being shared with you but unless they have previously given their consent to be approached by associated partners you will also be required to get their specific consent to use the email addresses on the list.

If they have previously consented to the information being shared (typically by saying “yes” to their data being transferred to third parties) then you can contact them but you must document proof of their consent from the third party you purchased the list from and you will also need to allow them to unsubscribe from your email campaigns.

This GDPR change also affects existing purchased leads so if you already have purchased leads in your mailing list, but haven’t contacted them yet, then you will need to document their consent from the third-party vendor before you send marketing messages.

  4. Cold calling

Cold calling is one of the most effective ways to build new relationships with potential customers.

But, is cold calling allowed under GDPR?

The good news is that cold calling doesn’t come under GDPR and is being given a new lease of life as a result.

Remember, however, that each time you add a new prospect to your CRM database you’ll need to get their consent before you can start sending them promotional offers.

So, while you are on the call with the prospect simply ask them if they would like to receive newsletters. If they say yes, you can send them a link to a “manage my subscriptions” page where they can opt-in to specific news, content and updates.

The challenge with cold calling is that it can be difficult to document their consent, unless you record a call with a prospect.  To overcome this, you can follow up the call with an email that sums up everything you have discussed.  In this email, make sure you include:

  • The purpose of why you called them
  • What was agreed during the call
  • Why you are following up by email

Here’s an example of what this email could say.

This is just a quick email to follow up on our phone conversation earlier today.  The reason for the call was to invite you to our next webinar on the subject of GDPR.

As I mentioned during the call, as a new contact you can register your consent to us holding your personal information through this link [insert link].

Here is the link to our next seminar which you asked me to send [insert link].

We also discussed us sending you our monthly newsletters.  You can opt-in to receive them and emails on any other topics you may want to receive from us through this link [insert link].  You can also use the link to unsubscribe or change your preferences at any time.

Each time you send an email with this information, make sure you store it in your database under the prospect’s details.  If the prospect responds and asks to be removed from your mailing list then you have to comply with their request.

  5. Networking

Networking at conferences and events is a great way to meet new customers.  A large part of networking includes the tradition of exchanging business cards.  In the past, this meant taking the contact information on a business card, such as name, company and email address and storing it in your CRM system.  While you can continue to exchange and store business card information, you cannot use their email address for marketing purposes unless you have their consent and they have opted-in to receive marketing emails.

But, all is not lost.

You can still send one-to-one emails and follow up with prospects that have given you their business card since a legitimate interest has been established.

  6. Referrals

One of the most successful ways to find new customers is to ask your existing customers for referrals or recommendations to people they know who might be interested in your product or service.  Under GDPR you can continue to call and email prospects referred to you by existing customers.  It is best done by email as that creates a digital record.

One of the best ways to reach new prospects through referrals is to ask your existing customer to introduce the both of you and tell them why he/she is doing it, preferably by email.

Once the initial approach has been made the prospect must be given the usual GDPR opportunity to consent, or not, to you holding their personal information.

  7. Website

Websites are a great place to capture new leads.

GDPR requires you to justify the nature of the personal data you capture from website visitors, so if you’re using a web form to capture contact information then now is the time to review the type of information you collect.

Under GDPR you can only ask for information specifically related to selling your product or service, rather than general information on the prospect you would like to have.  For instance, whilst asking for things like date of birth and details of personal income may help to identify and prioritise your leads you need to ensure you can prove that it was necessary to ask for it in the context of the product or service you are offering.  If in doubt then stick to simply obtaining the basic contact details i.e. name, phone and email etc.

When capturing information from a website you also need to be clear and upfront about how you use the personal data and for what purpose.  That is usually best done by a visible link to a comprehensive Privacy Policy complying with GDPR.

Additionally, any subscriber to future communications has to be given the opportunity to opt-in or opt-out of them at any time via a subscription management tool.  It must also differentiate between the different forms of communication; just because they may want to receive newsletters doesn’t mean they also want to receive invitations to events or details of special offers so the options must apply to each category of communication.


Since 25 May 2018, GDPR has changed the way you prospect for sales but, on balance, it’s for the better.

GDPR helps you focus on the quality of prospects rather than the quantity of prospects.  Instead of trying to sell to new prospects that are not in the market to buy, GDPR encourages you to focus on building relationships and selling to people that actually want to hear from you.  By doing so, you’re dealing with prospects that are much more engaged and ready to buy.

GDPR is not about restricting the way you prospect and generate new business.  In fact, by complying with GDPR, sales teams will have a better opportunity of achieving sales KPIs, generating better quality leads, reaching more engaged prospects and attaining higher close rates.


This article is for general guidance only and specific advice should always be taken before acting on any of the matters discussed.

For more information on GDPR and sales or to talk to me about GDPR generally, please contact me at:


t: +44 1491 411579