What Is GDPR? (+How It Affects Your Sales Team)

April 30, 2019

In 2019, it’s no secret that data security is a buzz-worthy topic.

By now, you’re probably aware that just about everything you do online leaves a trail. Companies often use your personal data to improve customer experience and tailor ads to your preferences. However, this also means that your information is vulnerable to data breaches and other unethical use cases.

As news of these kinds of cybersecurity attacks becomes more frequent, it’s clear that the issue of internet privacy is one that needs to be addressed more seriously. In 2018, the European Union did exactly that when it chose to modernize its old data protection laws and pass GDPR.

It’s important to note that GDPR affects any organization that processes personal information of EU citizens, including companies outside of Europe. Within your own company, it’s likely that these changes have had a big impact on your day-to-day, especially if your job title is one that frequently deals with people’s data, such as sales.

Although your company has likely already made changes to comply with GDPR policies, it’s important for salespeople to understand the effects this regulation has on your daily activities. Failure to do so could result in substantial consequences for your organization.

Instead of going through all 99 legislative articles that make up the regulation, we’ll summarize everything you need to know about GDPR compliance that directly relates to sales teams – complete with minimal legal jargon.

GDPR compliance and sales

As previously mentioned, GDPR affects any company that processes personal data belonging to citizens of the European Union. This means that your company doesn’t have to be based in Europe to be bound by these regulations.

When it comes to sales, data plays a big role in every stage of the funnel. For this reason, GDPR has had a major effect on the way sales reps handle customer and prospect information throughout the sales process.

How does GDPR affect prospecting activities?

For sales reps, the activity that is most affected by GDPR is prospecting. This includes any outbound sales outreach, where a salesperson is contacting prospects that did not voluntarily give out their information.

The GDPR outlines six different “legal bases” under which it is lawful to process, or use, personal data. In other words, the data controller (i.e. the sales rep) needs to meet at least one of the following conditions in order to store or use prospect information.

[Figure: Six lawful bases for processing data under GDPR]

As it relates to sales activities, we’ll mainly be looking at two of these conditions: consent and legitimate interest.


Consent

Getting explicit consent from the prospect is ideal, but not always possible. An example of this is if a prospective buyer fills out a form to request a product demonstration. Before GDPR, it was safe to assume that a person who provides their contact information is willing to be contacted by a salesperson. Post-GDPR, it’s not that simple. It’s no longer safe to assume that a buyer is giving consent just by providing their contact information; they must tick all the boxes in order to deliberately opt in.

In order for consent to be valid by GDPR standards, the following conditions need to be met:

  • Consent must be freely given
  • Consent needs to be specific
  • Consent needs to be informed; the person must know what they’re consenting to
  • Consent needs to be unambiguous
  • Consent needs to be given by a clear affirmative action or statement

For the most part, the details related to consent will mainly affect marketers as they are the ones responsible for generating leads and creating lead capture forms. However, salespeople need to be familiar with all aspects of the sales funnel where GDPR plays a role.

Legitimate interest

If the prospective buyer did not explicitly give consent, then the data controller must show a legitimate interest in order to lawfully process their personal data. In other words, a salesperson needs to explain why they are reaching out and, most importantly, why it is relevant or beneficial to the person on the other end. Handling someone’s personal data under this condition implies that you are doing so within reason.

The legitimate interest legal basis brings up a bit of a grey area since it’s quite subjective and can be argued for or against. To be safe, always consider if what you’re reaching out about is of value to the person on the other end, or if your actions are infringing on someone’s rights or freedoms. If you choose to rely on this basis, make sure you document your prospecting activities and are able to answer to them. We’ll touch more on this later.

What are the consequences of failing to adhere to GDPR standards?

It’s important to note that the purpose of this regulation is to protect the data privacy of EU citizens, not hand out careless penalties to companies that are genuinely doing their best to adhere to these policies.

That being said, the worst offenders could face hefty fines. Companies can be fined up to four percent of their annual global turnover or 20 million euros – whichever is greater. Ouch.

But it’s important to remember that not all compliance errors will lead to harsh fines. The scope of the infringement will determine the severity of the consequence. Less-severe violations can result in administrative fines such as warnings or reprimands. Either way, it’s enough to know that the EU isn’t messing around when it comes to compliance – might be time to hire a chief compliance officer.

Best practices for GDPR-compliant prospecting

At the end of the day, you’d rather be safe than sorry when it comes to ensuring your prospecting activities are GDPR-compliant. Whether you’re sending a cold email or making a cold call, there are several best practices to remember.

Keep a record of your prospecting activities

Most modern sales teams use CRM software as their primary database. It’s important to keep a record of your prospecting activities as they relate to any European contacts and keep track of how the contact data landed in your CRM to begin with.

Give an opt-out

Your outreach should always provide the receiver with the option to opt out of being contacted. In email, include a link to your company’s privacy policy and an obvious button that allows the person on the other end to unsubscribe from your emails. For phone calls, mark “Do Not Call” in your database if the person on the line requests not to be contacted.

TIP: When it comes to GDPR, it’s best to err on the side of caution. Don’t store any data that you don’t need, especially if the contact has opted out of communication with your company in the past.

Be clear and honest

When reaching out to a prospect, always be clear about your intentions for contacting them. If they ask how you got their data, be honest. If they ask you to delete their information from your database, honor their request. Additionally, always be prepared to answer GDPR-related questions in your outreach. You want the person on the other end to know that you and your company value their privacy and security.

Bottom line

Internet privacy is important, and increased security risks require that governments start to take more drastic measures to protect their citizens. We’ve covered the basics of GDPR for sales, but you should reach out to internal resources within your organization if you’re looking for more specific legal information.

For most salespeople, as long as you have a general understanding of GDPR compliance and approach sales prospecting with it in mind, then you should be in the clear. Happy (compliant) hunting!
