At, one of our core company tenets—and our commitment to our customers—is to protect our customers’ data and the privacy of their users and employees. With the rise of strict data privacy rules across the globe such as the GDPR in the European Union, CCPA in California, LGPD in Brazil, NDB in Australia, CASL in Canada, and many others coming—oh, how we love the acronyms—I find myself responding with increasing frequency to prospects, customers, and even the media, on how to be a responsible corporate citizen, stay compliant with this plethora of regulations, all while still driving new opportunities in regulated markets.

A lengthy discussion in a prominent sales operations industry group was recently wrestling with finding a prospecting tool that is GDPR-compliant for UK-based sales reps. In most businesses, sales is responsible for driving a significant portion of the pipeline through outbound prospecting. The challenge for today’s sales teams is how to generate new pipeline, open up new accounts, and close more deals in a GDPR- and privacy-compliant way. The question comes down to how to reach prospects by email, in light of needing explicit consent or legitimate interest in processing prospect data (GDPR Article 6), if you don’t have explicit consent (GDPR Article 7) to contact them through a trackable acknowledgment. Imagine that: sales teams do not have permission to generate new ‘cold’ opportunities. If you look at most large enterprises and imagine removing the pipeline added by sales teams prospecting, the impact on global companies’ sales and marketing teams is staggering.

The industry group has been looking for ways its reps could prospect at scale, but legal departments at many companies (members of the group) have blocked cold marketing and sales prospecting activity, concerned with increased liability exposure when they evaluate different vendor solutions (fines of 4% of your total global revenue are no joke! Just ask British Airways). The industry group was looking for opinions on tools or prospecting approaches that offer GDPR compliance.

While nobody can give bulletproof answers when it comes to the GDPR—there’s not enough case law out there, yet—there are ways to continue productive prospecting without increasing your legal risk. has invested significant effort over the past three years to make sure that, at the core of our product, we offer customers a solid way to address GDPR concerns. Here’s my take*:

Only Two Legit Ways to Prospect in EEA

Under the GDPR, two approaches exist as the only way a business may lawfully process personal data:

  1. Legitimate interest (Article 6)
  2. Explicit consent (Article 6, with the conditions defined in Article 7)


Let’s start with consent, the easier one to define, but the harder one to get. Article 6(1)(a) allows for the lawful processing of data if you get consent from the data subject. How, then, is consent obtained as defined in Article 7?

A data subject—any individual you are contacting—must have directly given you consent. Consent can take a number of forms and be required in multiple situations, but not all consent is created equal. For example, when someone visits your website, you may have to get affirmative consent (that notice on the bottom of the screen that notifies you about cookies) to place cookies. This is generally required if a cookie can be used to identify a data subject, but this isn’t the same as the consent required to then email subjects. Another example is when a data subject wants to download content from your site, which you have ‘gated’ with a form. Even if the person has entered his or her name, email, or other personal data, which might appear to be consent, you have to require a checkbox—not pre-populated!—to ensure the person has given you affirmative consent to collect, process and use the personal data. This is often called ‘opt-in.’

Because consent requires affirmative action by the data subject, it is often harder for a marketer or a salesperson to get. It is harder because you will often get information directly from an email or calendar invitation, which doesn’t have the same procedure to ask the user for explicit consent to process it. Fortunately, the GDPR takes this into account by allowing you to lawfully process data if you have a legitimate purpose in so doing (e.g., you are actively exchanging emails).

Legitimate interest

Showing legitimate interest, under Article 6(1)(f), is trickier to address. It boils down to whether the data subject would be surprised by what you are doing with the data.

Basically, EU lawyers will look at the cold email you send to the prospect (i.e., the data subject) and ask themselves a question: “On what basis did this company decide that this data subject (person) would benefit from their solution?” A lawyer would ask, “Would a reasonable person expect you to be doing what you are doing with their email?”

From what counsel at a number of our clients (major EU corporations) have told us, even perfect segmentation/targeting, with strong buyer persona modeling, will not survive this test.

In basic terms, absolutely cold email, no matter how well targeted, will be subject to scrutiny from GDPR regulations. You may have a case to have the subject’s data in your CRM to use for retargeting, but cold emails need more strict qualifying and can be very dangerous.

So what now?

Use the Data You DO Have for Compliant Prospecting (and you have more than you think!)

There is a partial solution to this problem – using the data you already have, as proof of legitimate interest to supercharge any prospecting tool. Simply put, you can use your own inbound communication (e.g., email, calendar meeting, phone call) FROM your prospect (data subject) as a starting point.

A prospect who emails, calls, or meets you would reasonably expect you to use that contact information to contact them again. There are some caveats. For example, you need to prove the inbound email is not a simple ‘out of the office’ response and doesn’t say “never email me again!” or something similar.

With that in mind, you will probably be safe to communicate with any prospect from whom you’ve received a true inbound communication and of which you have a clear record.

Automate Historic Contact Creation to Capture ALL Inbound Contacts & Activities

The next question is: How do you know which prospect you’ve gotten an inbound communication from? There are two options:

1. Have your reps go through their mailboxes and create a contact for every prospect they’ve ever communicated with and log, in Salesforce, every inbound email/meeting/call you’ve received from those contacts. Have you talked to any reps recently? They are not going to do that.

2. Use a system that will go through all of your historical data and do the following:

  • Scan all your emails, calls, conference calls, and calendar invites as far back as your data goes across all your current reps/employees AND all your past reps/employees’ mailboxes (if you have their mailboxes & calendars in your IT archive).
  • Extract every email and phone number from every inbound communication (these are contact IDs that you potentially have proof of legitimate interest from).
  • Precisely match email and phone numbers to the RIGHT account and opportunity in your CRM (including historical ones), thus establishing verified proof of legitimate interest (i.e. you had inbound communications from these contacts as a part of a business process like a sale). Intelligent matching is key for managing compliance, to ensure a clear legitimate interest has been established for the contact and their engagement for each account and opportunity. 
  • Enrich these contacts with the correct, up to date information (e.g., First, Last, Company, Title, and the all-important, COUNTRY), helping satisfy GDPR’s accuracy and Data Subject location principles.
  • Sync these contacts with all the fields into your CRM, like Salesforce.
  • Attach original activities (emails, calendar appointments, phone calls) from which you harvested these contacts to those contacts in Salesforce to have evidence of Article 6 Legitimate Interest compliance if you get a GDPR request.
  • Do this for all mailboxes of your current or ex-employees across all GTM functions as an extra bonus, to uncover massive amounts of value.
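The scan, extract and evidence steps from the list above, together with the earlier caveat about out-of-office replies and "never email me again" messages, sketched as an added example (not the vendor's code). The own-domain value, the opt-out phrase list and the sample messages are constructed assumptions; CRM matching and enrichment are out of scope.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.com"  # assumption: your company's mail domain
OPT_OUT_PHRASES = ("never email me again", "stop emailing me", "unsubscribe")  # constructed list

def _mail(sender, msg_id, body, extra=""):
    """Build one constructed RFC 5322 message for the sample mailbox."""
    return (f"From: {sender}\nTo: rep@example.com\nMessage-ID: <{msg_id}>\n"
            f"Date: Mon, 03 Jun 2019 10:00:00 +0000\n{extra}\n{body}")

SAMPLE_MAILBOX = [  # constructed data, not real correspondence
    _mail("Ana <ana@customer.example>", "m1@customer.example", "Can you send pricing?"),
    _mail("bob@customer.example", "m2@customer.example", "I am out of the office.",
          extra="Auto-Submitted: auto-replied\n"),
    _mail("carl@other.example", "m3@other.example", "Thanks for the demo."),
    _mail("carl@other.example", "m4@other.example", "Please never email me again!"),
    _mail("rep@example.com", "m5@example.com", "Following up on my last note."),
]

def is_auto_reply(msg):
    """RFC 3834: any Auto-Submitted value other than 'no' marks automatic mail."""
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    precedence = (msg.get("Precedence") or "").strip().lower()
    return auto != "no" or precedence in ("bulk", "junk", "auto_reply")

def has_opt_out(msg):
    """True if any text/plain part contains one of the opt-out phrases."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
            if any(phrase in text for phrase in OPT_OUT_PHRASES):
                return True
    return False

def collect_inbound_evidence(raw_messages):
    """Map external sender -> [(Message-ID, Date)] for genuine inbound mail only."""
    evidence, suppressed = {}, set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if not sender or sender.endswith("@" + OWN_DOMAIN) or is_auto_reply(msg):
            continue  # outbound mail and auto-replies are not inbound contact
        if has_opt_out(msg):
            suppressed.add(sender)
            continue
        evidence.setdefault(sender, []).append((msg.get("Message-ID"), msg.get("Date")))
    for sender in suppressed:  # an opt-out overrides any earlier inbound message
        evidence.pop(sender, None)
    return evidence, suppressed
```

The returned Message-ID and Date pairs are the pointers you would attach to the contact record as the original activity; the suppressed set belongs on a do-not-contact list.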

We’ve seen some major enterprise companies recover millions of contacts that had been deleted during GDPR cleanup and also make a majority of their current databases GDPR-safe using this methodology. 

Just imagine the number of contacts your reps had not entered in your CRM from all of the email CCs, meeting invites, and conference calls over the past 3 years! You’d be surprised by the fact that you already have most of the data/contacts covering the majority of your markets with GDPR-compliant evidence sitting in your email server, today. 

This also helps to fully automate contact creation and activity capture from your reps’ emails/calendars into your Salesforce as a general business practice.

So What Now? Your Options for Getting This Done

We’ve seen companies use e-discovery vendors (the ones that search through your Exchange server in case of a lawsuit), or have their engineers write a script to parse their email system, and then use list vendors to enrich contact information. Country data will be around 40–50% accurate, so you will take on more risk.

There’s a better way.

We’re helping companies like New Relic and Red Hat use’s Historical Contact Creation to uncover tens of thousands of contacts from their system which were never added to their CRM. The system fully automates this process, providing sales reps their targets to prospect legally and quickly. 

Regulations like GDPR are here to protect all of us and our data. But there’s also a massive opportunity for you to create differentiation and enable reps to hunt for new deals. 

That’s why we were here. 

If you are ready to learn how you can work within the guidelines of the growing list of data privacy rules and regulations, contact us.

* does not provide legal advice. Consult your legal department to ensure all actions your organization takes fully comply with GDPR.*