10 things you need to know about prospecting in the GDPR era

GRPD banner
Back to main blog
Veronika Belova
by Veronika Belova

2 Min. Read

In the 2nd article of our GDPR playbook, we provide you with tips to prospect effectively without violating GDPR policies.

Prospecting is a little different these days. Ever since GDPR came into play in May of 2018, companies need to be more careful than ever not to violate these European privacy policies.

In case you weren’t aware, GDPR stands for General Data Protection Regulation. It’s a law related to data protection and privacy in the European Union and the European Economic Area. GDPR aims to create best practices when it comes to handling data and data compliance in order to protect individuals and their personal data.

It’s extremely important for businesses, especially those in the field of sales, to understand and cooperate with GDPR rules in order to prospect effectively and safely without putting their clients’ data or their own company at risk.

For more information on the policy itself and navigating sales without breaking the rules, read the first article in our GDPR playbook, What is GDPR? How to navigate sales in the GDPR era with Surfe (ex-Leadjet).

How to prospect without violating GDPR

1. You can contact people whose information you’ve found on the internet for legitimate business purposes

Salespeople can cold contact people they’ve found on the internet assuming it’s for a B2B, legitimate business purpose. For example, if you’re a salesperson for a biomedical company contacting a hospital rep in hopes of selling them your products, this is a legitimate business interest and you can legally contact them. However, you can’t contact a person in the computer industry — this would not be deemed legal as it’s not legitimately relevant to your industry.

In order to ensure you comply with this, it’s best to avoid overusing mass automation tools and carefully hand-select your prospects, ensuring they are a good fit for your business proposals.

2. It’s legal to prospect on LinkedIn (just follow the rules)

Assuming you follow tip number one and are prospecting to those for which you have legitimate business interests, you can continue to prospect on LinkedIn, as well as on other social media channels. However, it’s worth noting that LinkedIn will flag robotic or clearly automated behaviors (like adding 1000 people at once), and this could get you banned, which is why you have to be careful when using automation.

When social selling, sending the same mass message to hundreds of prospects may not get you banned, but your messages will likely end up in spam folders, so it’s best, as we suggested above, to carefully select prospects and approach them in a more personalized manner. This way, you’ll get the reply rates you’ve hoped for. If you send 1000 automated messages and they all go into spam, you may not get a single response! Meanwhile, if you send 40 personalized messages, even if only a few prospects respond, you’re already ahead of the game.

For more information on LinkedIn and GDPR, click here.

3. You can (and should) provide an easily accessible option for your prospects to opt-out

It’s critical that you provide an option for your prospects to easily opt-out if they do not wish to continue receiving communications. By doing so, you are allowing your prospects to withdraw their consent from using their data, and contact must be ceased immediately.

This is one of the most important regulations to follow in B2B outreach, so make it a priority before sending any messages. Check out Surfe’s (ex-Leadjet) article that covers GDPR compliant ways to approach prospects to better understand how to integrate opt-out messages into your outreach approach.

4. Inform your prospects and clients about how you plan to use their data

Just because you have a client’s email address doesn’t mean you can add them to all your marketing email lists. They must opt-in, accept terms and conditions of data use, or join an email list. Make sure that any clients you plan to send marketing materials to have agreed to a user agreement.

Having a privacy policy page on your website to notify users on how you’ll use their data is important, and proves to any interested parties that you are GDPR compliant.

5. Proceed with caution when using automation to reply

Technically, auto replies don’t breach any GDPR policies. That being said, an auto reply can seem unprofessional, as prospects will easily realize when they’re talking to a robot/auto-reply. Personalization is key when responding, just as it is when sending those first messages.

We get it though — not every sales rep has hours on end to think up savvy, personalized replies. Here at Surfe (ex-Leadjet), we have special template features that allow users to start with a generic reply, but then personalize it a little to best fit the prospect and situation.

Automation isn’t all bad — just use it sparingly and in the right ways to avoid running into issues. Limit your daily email/LinkedIn connection requests to what’s actually feasible for the average salesperson. (For example, LinkedIn limits connection requests at 100 weekly).

6. Be careful when purchasing bulk lead lists

It is legal to contact prospects from a purchased list assuming these parties have given consent to their data being transferred to a third party (you). That being said, you must document proof of consent, so it’s important that you trust your seller on this one.

To avoid any legal trouble, make sure your purchase agreement contains a specific provision that verifies the legality of the database, meaning that the consent of each subject has already been gathered.

7. Utilizing referrals is legal

Under GDPR, it’s perfectly legal to contact people that have been recommended or referred to you by existing customers. The best way to do this is to have your customer put you both in touch so there’s clear proof there was a recommendation.

8. Be careful when collecting certain types of data (and with the tools you use to do so) and watch your words

When prospecting, it’s best to be cautious about personal data. While it’s appropriate to collect a prospect’s full name, email, position in the company, and phone number (especially when social selling on a site like LinkedIn), you shouldn’t be collecting or tracking their emails or links for your marketing and sales purposes. This ensures you’ll be complying with the data minimization aspect of GDPR. It is also forbidden to say anything racist or insulting about someone you are targeting within the database, and you will be controlled by supervising authorities if you choose to do so, so think before you speak.

You also need to be careful with the tools you use to collect data. Here at Surfe (ex-Leadjet), we don’t store our users’ business data. We merely act as a bridge between two external systems. In other words, we are unaware of who our clients have talked to or been prospected by on LinkedIn. We also don’t record or store anything that’s going on in their CRM.

Surfe (ex-Leadjet) acts as a data processor, assisting our users (the data controllers), to transfer information automatically from LinkedIn to their CRM. This process itself respects GDPR guidelines, as it’s essentially equivalent to writing down this information manually on an Excel sheet/CRM from a LinkedIn profile that is publicly available.

9. Location matters

First off, remember that GDPR is related to European law. So if you’re located in other parts of the world, do you still have to respect this law?

The answer is yes, you still do. For example, if you are a company based in the US or Asia and you want to sell to a European customer, then you would have to respect GDPR rules. And as more countries, states, and territories are adopting similar privacy policies (for example, the California data protection law), it’s even more essential to comply. Individuals are more aware of how precious their data is, and won’t stand for companies doing whatever they want with it.

When GDPR policies were first implemented, it was very sudden for European companies and halted their workflow significantly. So, even if you’re not located in Europe it’s better to be prepared and anticipate any possible data regulation changes.

Even within the EU, policy standards can differ. Depending on what country a prospect is located in, they may have to either opt-in or opt-out to receive your communications. Stay tuned for the third and final post in our GDPR playbook to find out which countries require which style of message, as well as example templates to use when contacting prospects.

10. Surfe (ex-Leadjet) is fully GDPR compliant: Sign your team up today!

Take a look to our Security page and get to know everything about the topic!

Sign up for your free, 14-day trial to begin prospecting without the added stress of GDPR violations.

prospecting in the GDPR era

Surfe (ex-Leadjet) is:

✅ Here to make prospecting easy, legal, and hassle-free.

✅ Ready to connect your LinkedIn prospect’s data to your CRM in one simple click.

✅ Fully GDPR compliant.

Surfe (ex-Leadjet) is not:

❌ A mass automation tool.

❌ A robotic tool.

❌ Going against any LinkedIn or GDPR guidelines/policies.

Bottom line

If you’re stressed about complying with GDPR, don’t be.

The data privacy rules actually benefit salespeople and organizations as well as individuals and prospects, ensuring that the right people are being contacted and receiving information. When you can focus and emphasize your efforts on a market that’s really apt for your business, it’s more likely prospects will want to engage, making it easier for you to turn prospects into customers and increase that ROI.


H‍ave you enjoyed reading this article? We think you might also like the ones related to…


Also, if you have not done it yet, do not hesitate to take a look to our CRM-related pages: