GDPR 1 year further: Can we still make cold calls and do email marketing?

On 25 May 2018 GDPR became enforceable, impacting companies globally in terms of how they capture, process and store personal information.

Since there is no fixed handbook with set guidelines, where you tick a few boxes to ensure you are GDPR compliant, it’s up to each company to make sure they have understood what is required and to have the right processes in place to ensure compliance with the data and privacy protection standards under GDPR.

This article is to share some of our own experiences with GDPR and to recap what is / what is not allowed under GDPR, when reaching out to clients as part of (tele)sales and email marketing activities.

The idea of GDPR is to give control to individuals over their personal data and to simplify the regulatory environment. You should know what happens with your personal data that is stored, or what it is used for.

Although GDPR is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA), we’ve seen plenty of companies who are active in either the US or Asia, adopt the same standards for all their data and privacy policies globally. Reason for a global adoption of GPPR compliance is partly because the rest of the world will sooner or later catch up with the GDPR regulation, but also, companies wish to adapt the more stringent privacy standards to all their operations to mitigate the risk of having to adapt different sets of regulations for their organization. So you might as well adopt the strictest regulation and make that the new standard.

Cold calling

Cold calling is one of the most effective ways to build new relationships with potential customers.

But, is cold calling still allowed under GDPR?

The good news is that B2B cold calling doesn’t come under the same regulation as the GDPR and is therefore still allowed.

As long as you have “legitimate” business interests — you’re selling a product or service to an appropriate prospect — you’re allowed to cold call, as long as your right to promote your product isn’t overridden by your prospect’s desire not to be contacted. Unless the contact opts out, direct marketing can be considered a legitimate interest, and they can be reached out to by ways of cold calling.


With GDPR, you cannot send automated sales emails to prospects without getting their permission first. This includes product demo, quick catch up and “just reaching out” emails, or any other form of communication that your prospects didn’t ask to receive.

If you’ve never had contact with a prospect before, you should demonstrate in the sales outreach email that you have tried to contact them by phone prior to emailing them.

If no attempt has been made to reach out by phone it falls directly under direct marketing communication and should not happen according to GDPR.

Companies can continue to use marketing data for the purposes of B2B engagement as long as appropriate steps are taken to ensure the data is aligned to a specific objective or campaign. One phrase that is now being used is “Correct Marketing to the Correct Person“.

Social Networking

The good news is that GDPR doesn’t prevent you from finding and connecting with potential customers on social media networks. Whether you connect with customers online and ask for recommendations or if you decide to reach out to new prospects directly, you can continue to use social media as part of your overall sales strategy.

Purchased lead lists

Purchased leads lists can often be a great way to fill up the sales pipeline – either when there’s a drought or to compliment your existing prospecting work.

But, since GDPR, this has changed. If you acquire leads that contain personal data from third-party ‘lead generators’, you will still be required to get specific consent to use the email addresses on the list – unless they have given their consent to be approached by associated partners. (i.e. said “yes” to their data being transferred to third parties). In this case, you can contact them.

However, you must document proof of their consent from the third party you purchased the list from, and you will also need to allow people to unsubscribe from your email campaigns.

This GDPR-related change affects existing purchased leads, too. If you already have purchased leads in your mailing list – but you haven’t contacted them yet – then you will need to document their consent from the third-party vendor before you send marketing messages.


One of the most successful ways to find new customers is to ask your contacts for referrals or recommendations to people they know who might be interested in your product or service. Today, you can simply pick up the phone and give new prospects referred to you by existing customers a call or send them an email.

Under GDPR, you can continue to call and email prospects based on recommendations from existing contacts.


This article draws on our own experience in dealing with GDPR, as well as from several articles and blogs found online about the topic. It does not serve as a legal advice or a legal framework for anyone dealing with questions around GDPR policies and internal processes. All companies will have to develop their own understanding and processes to ensure they are GDPR compliant.

  • Sources used to write this article: