GDPR terrifies small business owners. Many have simply stopped doing outreach because they’re scared of breaking the law.
Here’s the truth: GDPR doesn’t ban sales outreach. It just requires you to do it responsibly.
What GDPR Actually Says (In Plain English)
GDPR (and the UK’s Data Protection Act 2018) says you need a lawful basis to process someone’s personal data. For sales, the two relevant bases are:
- Consent — They’ve given you permission
- Legitimate interests — You have a genuine business reason and it doesn’t override their rights
For B2B sales outreach, legitimate interests is usually your lawful basis. You don’t need explicit consent to call a business prospect.
What You CAN Do
Phone Calls (B2B)
- Call businesses to offer your services
- Call named contacts at businesses
- Leave voicemails
- Follow up multiple times
Just remember: Check the CTPS register first, identify yourself clearly, and respect opt-outs.
Emails (B2B)
Under PECR (the email-specific regulation):
- You can email named individuals at businesses if it’s relevant to their role
- Include your company details and an unsubscribe option
- The email should relate to their professional responsibilities
LinkedIn
- LinkedIn messages are governed by LinkedIn’s terms, not GDPR directly
- Connection requests and InMails are standard business practice
- Don’t scrape profiles for email addresses without a lawful basis
What You CANNOT Do
- Buy consumer email lists and blast marketing emails without consent
- Ignore opt-out requests — if someone asks you to stop, you must stop
- Collect data you don’t need — only gather what’s relevant (name, business email, phone)
- Keep data forever — have a retention policy and delete old data
- Hide who you are — always be transparent about your identity and purpose
Practical GDPR Compliance for Sales
1. Know Where Your Data Comes From
For every prospect in your system, you should be able to answer: “Where did I get their details?”
Good sources:
- Their company website (publicly available)
- LinkedIn (professional networking platform)
- Business directories
- Trade shows and events (where they gave you a card)
- Referrals from existing contacts
Bad sources:
- Purchased consumer lists with no consent trail
- Scraped personal email addresses
- Data from unknown origins
2. Keep Records
Maintain a simple log:
- When you obtained the contact’s data
- Where from
- What you’re using it for
- When you last contacted them
3. Honour Subject Access Requests
If someone asks “what data do you hold on me?”, you must respond within 30 days. Keep your CRM organised so you can do this easily.
4. Have a Privacy Policy
Your website should have a privacy policy explaining how you handle personal data. It doesn’t need to be written by a lawyer — it just needs to be clear and honest.
5. Delete When Asked
If someone says “delete my data,” do it. Remove them from your CRM, spreadsheet, or wherever you track contacts. Document that you’ve done it.
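The five steps above describe one record-keeping routine: record where each contact came from, log what you hold and when you last used it, answer a subject access request within the stated window, and delete on request with a note that you did. The following Python sketch, added here as an illustration and not taken from the article, models that routine as a small contact log. The prospect records, email addresses and the RETENTION_DAYS value are constructed assumptions; the 30-day response window and the list of acceptable sources are the ones the article gives.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Sources the article lists as "good"; anything else is refused at intake.
ACCEPTED_SOURCES = {
    "company website", "linkedin", "business directory",
    "event business card", "referral",
}
SAR_RESPONSE_DAYS = 30   # response window stated in the article
RETENTION_DAYS = 365     # ASSUMED retention period; set this from your own policy


@dataclass
class Prospect:
    name: str
    business_email: str
    source: str                 # where the details came from
    obtained_on: date           # when you obtained them
    purpose: str                # what you are using the data for
    lawful_basis: str = "legitimate interests"
    last_contacted: Optional[date] = None
    opted_out: bool = False


class ContactLog:
    """Minimal CRM-style log: intake with provenance, SAR export, erasure, retention."""

    def __init__(self) -> None:
        self.prospects: dict[str, Prospect] = {}
        # Every change is recorded (identifier and date only) so you can show what you did.
        self.audit: list[dict] = []

    def _note(self, action: str, subject: str, on: date) -> None:
        self.audit.append({"action": action, "subject": subject, "on": on.isoformat()})

    def add(self, p: Prospect) -> None:
        """Refuse data whose origin you cannot explain."""
        if p.source.lower() not in ACCEPTED_SOURCES:
            raise ValueError(f"unacceptable source for {p.business_email}: {p.source!r}")
        self.prospects[p.business_email] = p
        self._note("added from " + p.source.lower(), p.business_email, p.obtained_on)

    def may_contact(self, email: str) -> bool:
        p = self.prospects.get(email)
        return p is not None and not p.opted_out

    def record_contact(self, email: str, on: date) -> None:
        self.prospects[email].last_contacted = on
        self._note("contacted", email, on)

    def opt_out(self, email: str, on: date) -> None:
        if email in self.prospects:
            self.prospects[email].opted_out = True
            self._note("opted out", email, on)

    def subject_access_report(self, email: str, requested_on: date) -> dict:
        """Everything held on one person, plus the date the reply is due."""
        p = self.prospects.get(email)
        held = None if p is None else {
            "name": p.name, "business_email": p.business_email,
            "source": p.source, "obtained_on": p.obtained_on.isoformat(),
            "purpose": p.purpose, "lawful_basis": p.lawful_basis,
            "last_contacted": p.last_contacted.isoformat() if p.last_contacted else None,
            "opted_out": p.opted_out,
        }
        self._note("SAR answered", email, requested_on)
        return {"respond_by": (requested_on + timedelta(days=SAR_RESPONSE_DAYS)).isoformat(),
                "data_held": held}

    def erase(self, email: str, requested_on: date) -> bool:
        """Delete on request and keep a record that you did, without the personal data."""
        existed = self.prospects.pop(email, None) is not None
        self._note("erased on request", email, requested_on)
        return existed

    def purge_stale(self, today: date) -> list[str]:
        """Apply the retention policy: drop records not touched within RETENTION_DAYS."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        stale = [e for e, p in self.prospects.items()
                 if (p.last_contacted or p.obtained_on) < cutoff]
        for e in stale:
            del self.prospects[e]
            self._note("purged by retention policy", e, today)
        return stale


def intake_refused(log: ContactLog, p: Prospect) -> bool:
    """True when the log rejects a prospect because of its source."""
    try:
        log.add(p)
    except ValueError:
        return True
    return False


def build_sample_log() -> ContactLog:
    """Constructed sample data for this example; the people and addresses are invented."""
    log = ContactLog()
    log.add(Prospect("A. Example", "a.example@example-ltd.test", "LinkedIn",
                     date(2024, 1, 10), "offer bookkeeping services"))
    log.add(Prospect("B. Sample", "b.sample@sample-plc.test", "event business card",
                     date(2023, 2, 1), "offer bookkeeping services"))
    log.record_contact("a.example@example-ltd.test", date(2024, 3, 1))
    return log
```

The design point is that every record carries its own provenance and purpose, so the answer to "where did I get their details?" and to a subject access request is a lookup rather than a reconstruction, and erasure leaves an audit entry that names the request and the date but no longer holds the person's data.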
The Biggest Myth
“GDPR means I can’t cold call or email prospects.”
False. GDPR means you need to be transparent, respectful, and responsible. It doesn’t mean you can’t do business development.
Thousands of UK businesses do compliant outreach every day. The ones who get in trouble are the ones sending mass unsolicited emails to purchased consumer lists — not the ones making professional B2B phone calls.
A Simple Compliance Checklist
Before contacting a prospect, ask yourself:
- Do I have a legitimate business reason for contacting them?
- Did I obtain their details from a reasonable source?
- Am I contacting them in their professional capacity?
- Will I respect their wishes if they ask me to stop?
- Can I explain what data I hold and why?
If the answer to all five is yes, you’re almost certainly compliant. Go make the call.