GDPR compliance is a messy process to begin with, but trying to stay on the right side of the regulation while making B2B cold calls presents a whole other set of problems. In trying to wrap my brain around how to make cold calls under GDPR, I discovered two things: it’s totally doable (and legal), and it’s actually not that hard if you have a set of systems in place to carry it out.
I’ve been following the evolution of the GDPR since before it went into effect in 2018. As a social science researcher working in the European Union (EU) at the time, the new law affected me on multiple fronts — like how I interacted with data for research and how my own personal data could be used.
In the six years since it was put into practice, GDPR’s far-reaching effects (from cookie consent banners to two-factor authentication) have stayed at the forefront of my mind. But one area that escaped me was how businesses marketing by phone could continue to do so. Was B2B cold calling still legal? And if so, what were the mechanisms for staying GDPR compliant?
To answer these queries, I interviewed business leaders who use cold calling as a practice and asked them to share their expert advice. In this guide, I’ll recount what they told me about how to stay GDPR compliant, with pro tips and a list of best practices to tone down any B2B cold calling panic you might have.
Table of Contents
- What Is the GDPR?
- How GDPR Affects B2B Cold Calling
- The Importance of Following GDPR Guidelines
- Best Practices for GDPR-Compliant Cold Calling
- Don’t Be Afraid of Cold Calling (or Compliance)
What Is the GDPR?
Before we dig into this, let me make sure we’re all on the same page. Since 2018, the General Data Protection Regulation (GDPR) has been the EU’s law for governing data privacy and security. Its purpose is to give people more control over their personal data and how it’s used — especially by businesses.
Now, if you’re like me, you might be wondering a few things. First, what’s considered personal data? And second, why do I care about this if I’m not in the EU?
As it turns out, personal data has a really broad definition. It’s any information that could allow an individual to be identified. So, it’s things like names, email addresses, phone numbers, and locations, but also, physical attributes, web cookies, and even pseudonymous data (if it can be easily decoded). And any time you “process” it (meaning collect, record, analyze, store, or perform any action on it in any way), GDPR applies.
On top of that, this law doesn’t just pertain to businesses located in the EU. It covers all entities that process personal data for people in EU countries. So, if you offer products or services to someone in the EU, you are responsible for staying GDPR compliant.
How GDPR Affects B2B Cold Calling
With that out of the way, let’s settle the most important thing first. GDPR doesn’t mean you can’t make B2B cold calls. It only requires that you handle personal data responsibly when you do.
After jumping into the fine print, I learned there are two legal bases that businesses can use to justify processing personal data for direct marketing: legitimate interest and consent.
- Legitimate interest: To demonstrate a legitimate business interest, you have to know what benefit your business gets from processing personal data, and also show that processing the data is necessary to achieve that benefit.
So, for B2B cold calling, your legitimate interest might be to market your products to existing customers to increase sales. Really, it can be that simple. The catch is that you have to demonstrate and document that it’s truly “legitimate.”
Further, individual rights can override your legitimate interest. For example, if someone says they don’t want to be called or is on the Do Not Call list, then you can’t call them.
- Consent: If an individual has given consent to process their data, you can do so. However, you must get consent for each data processing operation separately. So, for example, if you obtain consent for email marketing, you’ll need separate consent for calling.
Now, by definition, a cold call means you haven’t received consent to call. And that’s why legitimate interest is important. It gives you a legal basis for calling to open up the conversation.
That being said, once you’re on the phone, you have to be transparent about the reason for your call. If the person on the other end doesn’t want to talk to you, that’s considered an “opt-out.” This means you’ll have to hang up and not call them again because they’ve explicitly withdrawn consent — and that overrides your legitimate interest.
The Importance of Following GDPR Guidelines
Okay, before you think about jumping ship on this, I want to point out that it’s important to take the GDPR seriously. Like any rules, if you don’t follow them, there are consequences. In this case, non-compliance can lead to stiff penalties ranging from a warning to being banned from data processing to fines of up to 20 million euros or 4% of your annual revenue (whichever is higher), in severe cases.
Aside from that, under the GDPR, people (or “data subjects,” in the legal language of the regulation) have a right to request access to their personal data. If your business receives a data subject access request, having compliance measures in place will ensure that you’re prepared to handle it.
But lastly, following the guidelines can also help build trust with your customers. Data mismanagement can damage a company’s reputation, and having data privacy and security protections as part of your regular business operations is never a bad idea.
Best Practices for GDPR-Compliant Cold Calling
Once I learned about using legitimate interest as a legal basis for cold calling, I set out to interview business leaders about how they actually put it into practice in their companies. What mechanisms do they use to ensure compliance? And which tools are the best for keeping it all organized?
From their answers, here’s a list of GDPR B2B cold calling best practices.
Audit your call logs.
“One vital practice is regularly auditing your call logs,” says Simon Lee, CEO of Glance, an app development company based in the U.K. “Under GDPR, you need to track who is being called and for what purpose, and at what time. When we call a prospect, it is logged with a reason tied back to the prospect’s business and all previous contacts they have had with us.”
Pro tip: Use services that automate this process, such as Aircall or RingCentral. “These tools offer features that allow you to track calls while automatically handling data retention policies, anonymization, and user rights like data access and deletion,” he says.
But Lee cautions that you should make sure “everyone understands call logs are considered personal data under GDPR. This often gets overlooked, but even tracking call attempts without consent can be risky.”
Check contacts against Do Not Call lists.
Ensuring that no one you call is registered on a Do Not Call (DNC) list is one of the best ways to stay compliant while cold calling, since not wanting to be called ranks higher than a legitimate business interest. The problem is that each country has its own list.
According to Ashwin Ramesh, CEO of Synup — a company that helps businesses with branding — there are ways to simplify the task of checking lists across different EU countries by automating the process. This works by cross-referencing your contacts with DNC lists and then flagging, hiding, or removing those numbers from your database.
Pro tip: To avoid accidental calls to prospects on a DNC list, use a DNC scrubbing tool like the one offered by Cognism.
Call during working hours.
“One of the things we have learned in the U.K. is that the timing of your outreach matters as much as how you gather data,” says Simon Lee. “Many businesses assume that just having data is enough, but GDPR mandates that you contact prospects when they’re likely to expect business-related communication.”
“Making cold calls at inconvenient times can get you flagged if a prospect questions your legitimate interest.” He advises scheduling your calls during working hours.
Offer easy opt-outs.
Communicating clearly about why you’re calling — and providing prospects with an easy way to opt out during the call — is imperative for GDPR compliance. Ali Qamar, cybersecurity enthusiast and CEO of ExtremeVPN, tells me that for opt-out requests, “it’s essential to use tools that seamlessly integrate with your CRM system to ensure contacts who opt out are immediately removed from future campaigns.”
And keep in mind that on cold calls, opting out will be much less formal than clicking a button or refusing to agree to a privacy policy. If someone says they’re not interested, then they have officially opted out.
Train sales teams for compliance.
The shift to GDPR compliance has involved “deep training on data ethics and customer rights,” Lee explains. “Our training has focused on educating reps about the ‘legitimate interest’ clause and how to document it while also getting them to think more critically about data protection. This mindset shift has been far more impactful than simply updating scripts.”
In addition, Ali Qamar suggests using role-playing exercises to help the team handle data protection questions. A common misunderstanding, he says, is to assume GDPR doesn’t apply when contacting business phones. But GDPR protects individuals, including those at work.
Use dynamic call scripts.
There may be cases where you do obtain consent to call, but consent to call about one topic doesn’t mean you have consent to call about another.
To keep the conversation on track, “one often overlooked strategy is creating dynamic call scripts that automatically adjust based on the prospect’s data privacy preferences,” Lee advises me. At his company, they’ve developed a call management system that sends a notification to the sales team informing reps about the client’s specific consent history.
So, for example, if a client has only indicated a willingness to hear about a particular service, the script aligns with that preference and keeps the discussion on the service the client has consented to. “This ensures we’re not overstepping, and prospects appreciate the precision,” he says.
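To make the mechanics concrete, here is an added example (my own sketch, not code from HubSpot or from any of the companies quoted in this article) of a pre-call compliance gate that applies the rules from the Do Not Call, opt-out, and consent sections above in one check, and records each decision in the kind of call log the audit section calls for. Everything in it is constructed or assumed: the DNC entries and phone numbers are made up, the dialling-code map covers only three countries, working hours are assumed to be 09:00 to 17:00 Monday to Friday in the prospect’s local time, and a documented legitimate interest is assumed to exist only for the purpose `product_outreach`.

```python
# Added example: a pre-call compliance gate that applies the rules described in the
# article (opt-out beats legitimate interest, national DNC lists, per-purpose consent,
# working-hours calling, a call log that records who/why/when). All numbers, DNC
# entries and consent records below are constructed test data, not real registries.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed per-country Do Not Call registries keyed by ISO country code. A real
# deployment would load the official national lists; these numbers are made up.
DNC_LISTS = {
    "GB": {"+442079460001", "+442079460002"},
    "FR": {"+33123456700"},
}

# Dialling-code -> country map for the few countries this example knows (assumption).
COUNTRY_BY_PREFIX = {"+44": "GB", "+33": "FR", "+49": "DE"}

# Assumed working hours: Monday-Friday (weekday 0-4), 09:00-17:00 local time.
WORK_DAYS = range(0, 5)
WORK_START, WORK_END = 9, 17

# Purposes for which a legitimate-interest assessment has been documented (assumption).
LEGITIMATE_INTEREST_PURPOSES = {"product_outreach"}


def normalize_number(raw: str) -> str:
    """Reduce a dialled string to E.164-style form: '+' followed by digits only."""
    digits = re.sub(r"[^\d+]", "", raw.strip())
    if digits.startswith("00"):  # international prefix commonly used in Europe
        digits = "+" + digits[2:]
    if not digits.startswith("+"):
        raise ValueError(f"number must carry a country code: {raw!r}")
    return digits


def country_of(number: str) -> str:
    """Derive the country (and hence the DNC list to consult) from the dialling code."""
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if number.startswith(prefix):
            return country
    raise ValueError(f"unknown dialling code: {number}")


@dataclass
class Contact:
    number: str
    consented_purposes: set = field(default_factory=set)  # consent is per purpose
    opted_out: bool = False


@dataclass
class Decision:
    allowed: bool
    basis: str   # "consent", "legitimate_interest" or "none"
    reason: str


def check_call(contact: Contact, purpose: str, local_now: datetime) -> Decision:
    """Decide whether a call for `purpose` may be placed now, and on which legal basis."""
    number = normalize_number(contact.number)
    # 1. An explicit opt-out overrides any legitimate interest.
    if contact.opted_out:
        return Decision(False, "none", "contact has opted out")
    # 2. Numbers on the national DNC list may not be called.
    if number in DNC_LISTS.get(country_of(number), set()):
        return Decision(False, "none", "number is on the national DNC list")
    # 3. Consent only covers the purpose it was given for; otherwise fall back to a
    #    documented legitimate interest, and refuse if neither applies.
    if purpose in contact.consented_purposes:
        basis = "consent"
    elif purpose in LEGITIMATE_INTEREST_PURPOSES:
        basis = "legitimate_interest"
    else:
        return Decision(False, "none", f"no legal basis for purpose {purpose!r}")
    # 4. Only call when the prospect expects business communication (working hours).
    in_hours = local_now.weekday() in WORK_DAYS and WORK_START <= local_now.hour < WORK_END
    if not in_hours:
        return Decision(False, basis, "outside working hours; reschedule")
    return Decision(True, basis, "ok")


def log_call(log: list, contact: Contact, purpose: str, decision: Decision,
             local_now: datetime) -> dict:
    """Append an audit entry: who was (or was not) called, why, when, on what basis."""
    entry = {"time": local_now.isoformat(), "number": normalize_number(contact.number),
             "purpose": purpose, "basis": decision.basis, "placed": decision.allowed,
             "reason": decision.reason}
    log.append(entry)
    return entry


def purge_log(log: list, now: datetime, keep_days: int) -> list:
    """Retention: the log is itself personal data, so drop entries older than keep_days."""
    cutoff = now - timedelta(days=keep_days)
    return [e for e in log if datetime.fromisoformat(e["time"]) >= cutoff]


if __name__ == "__main__":
    now = datetime(2024, 6, 11, 10, 30)  # a Tuesday morning (constructed)
    prospect = Contact("+44 20 7946 0003", consented_purposes={"support_followup"})
    log = []
    for purpose in ("product_outreach", "support_followup", "upsell_demo"):
        d = check_call(prospect, purpose, now)
        print(log_call(log, prospect, purpose, d, now))
    prospect.opted_out = True  # "not interested" on the call counts as an opt-out
    print(check_call(prospect, "product_outreach", now))
```

The order of the checks is the point: an opt-out or a DNC entry is evaluated before any legal basis is considered, so no amount of documented legitimate interest can reintroduce a number that should not be dialled, and consent is matched against the specific purpose rather than treated as blanket permission.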
Minimize data collection and storage.
Remember that GDPR compliance isn’t just about making the actual call. Protecting collected and stored information — whether or not it’s later used to cold call — is part of staying compliant as well. Ashwin Ramesh recommends using SaaS solutions for “encryption, secure access controls, and automated data minimization.”
To reduce data, Qamar suggests clearly defining what data is essential before launching a campaign. “Avoid collecting any data that doesn’t serve a specific, necessary purpose.” And keep data only for as long as necessary, so that less of it is exposed to data breaches and other cybersecurity risks.
Pro tip: Use privacy management tools like OneTrust to help organize and automate data retention.
Prepare for data subject access requests.
“Data access requests have become much more common, especially in sectors where clients are more data-conscious, such as finance or healthcare,” Lee tells me. On average, he receives 3-5 requests per month. While this may not sound high, the effort required to produce the documentation is significant.
“Setting up a system, like using a CRM with built-in GDPR compliance tools, is essential to manage these requests automatically,” he says. Plus, having all the above-mentioned mechanisms in place ensures that responding to data subject access requests is straightforward — and your company is better protected in case of a compliance failure.
Pro tip: If you’re using HubSpot as your CRM, take a free online lesson from HubSpot Academy on how to implement GDPR functionality in HubSpot.
Don’t Be Afraid of Cold Calling (or Compliance)
When I started out with this research, I had no idea how cold calling could possibly work under GDPR. I mistakenly thought (like most people) that prior consent was required in order to process the personal data of anyone in the EU. But as it turns out, that’s not the case. Documenting legitimate interest is sometimes the better solution for direct marketing, like when it comes to B2B cold calling.
As it’s set up, the legal language of the GDPR makes it all about balance between the rights of individuals and those of businesses. So, in the end, I learned not only that cold calling isn’t impossible, but that compliance isn’t as insurmountable as it sounds. With some best practices in place, you can integrate GDPR B2B cold calling into your regular business routines — and it’s totally legal, so long as it’s also legit.