GDPR and Cold Emails: The Practical Guide to Staying Compliant

Sharmin1
Posts: 1
Joined: Sat Jul 06, 2024 10:08 am

Post by Sharmin1 »

Contrary to what you might have read, GDPR didn’t kill cold emails. You can still send them. You just have to be more careful about the way you collect, manage and store the data you use to send them.

The good news is, if you’re already following cold email best practices – that is, you aren’t “spraying and praying” or spamming people with irrelevant messages – you’re halfway there already.

You don’t need a data process administrator to do this (quite frankly, most companies don’t have the money to do this anyways). Instead, check out this practical, step-by-step guide to staying GDPR compliant as an individual or a small sales team.

As a note, this guide only focuses on sending cold emails. There are plenty of other requirements you’ll need to get comfortable with when it comes to sending marketing emails to those who opt-in to hearing from you or using cookies on your website.

And of course, we’re not lawyers. If you have any specific concerns about your GDPR status or its requirements, consult with a lawyer who’s familiar with the regulation.

A Quick GDPR Refresher
In case you somehow missed it, the EU adopted the General Data Protection Regulation (GDPR) in 2016, replacing the 1995 Data Protection Directive (which was put in place during the internet’s earliest days).

EU member states were given two years – until May 2018 – to become compliant with the new regulation, which, according to Digital Guardian’s Juliana De Groot, “mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.”

Basically, to comply with the GDPR, companies need to be more conscious of the way they handle and use personal data, which includes, among other things:

Names
Phone numbers
Email addresses
IP addresses
Mobile device IDs

Even encrypted data can fall under this category. Close.com’s Jory MacKay writes, “Basically, if the information you have can be used to identify a person in any way, it’s covered under GDPR.” Failing to protect information appropriately according to the regulation can lead to fines.

5 GDPR Best Practices for Cold Emails
So, if you’re following along as someone who sends cold email, that probably sounds pretty intimidating. Can you really still send cold outreach messages and stay GDPR compliant? Yes, but it may look different than what you’ve done in the past.

1. Only reach out to people who can benefit from your product
According to Dan Vanrenen, Managing Director of Taskeater, “Under the GDPR, the personal data you collect should be adequate and relevant to the purpose of its processing (Principle c: Data Minimisation). That means you have to consider two key things: the adequacy of your data collection (how much data do you really need for what you are going to achieve) and the relevancy of your data collection (is the data you are collecting the right data for your purposes).”

Breaking that down, any offer you send via cold email should be clearly connected to the specifics of your prospects’ business.

For example, reaching out to a company you’ve discovered is using your competitors’ SaaS product because they left a review of it on Product Hunt in order to pitch your solution as a replacement is related to their business activity.
Spamming every address you can find with your CRM sales pitch because “every company needs a CRM” is not.

To get to this level of specificity, you’re going to need to segment your lists and closely personalize your cold emails based on your prospects’ business needs. Email personalization tools like Mailshake can help.

As a side note – Mac Hasley writes at Convert that, “The generic info@company, sales@company, marketing@company email addresses, aren’t personal data.” Since GDPR applies to individuals, generic email addresses such as these may not be affected.

They aren’t ideal from a marketing standpoint, but may be an option if you aren’t able to meet the specificity of purpose guidelines described above.

2. Be able to explain exactly how you got someone’s email address
Since the GDPR’s big push is to ensure that businesses handle personal data appropriately, it’s important that you only collect the data you actually need for your campaign – and that you explain why you’re emailing and how recipients can remove their data from your list.

For example, use a message like this:

“I’m reaching out because I found your name and email address on LinkedIn, and it looks like your company might benefit from our [product/service]. If you’d rather not hear from me, just let me know and I’ll delete your information.”

As you can see, you don’t have to use a cold unsubscribe link. In fact, you need more than that to cover all your GDPR bases. Two things to keep in mind:

You have to be clear about how you found their information (no lawyer-speak here)
You have to actually delete their data immediately if they ask you to

Don’t just mark them as unsubscribed in your email management system. Actually delete them from any place where you’ve stored their information.

3. Understand the limits of data consent
Sending a valid, justified cold email is one thing. What you do after that is just as affected by GDPR.

Most marketers like to throw cold email contacts into a nurture sequence after the initial engagement. Maybe they aren’t a fit now, but through regular interactions, you’ll be top-of-mind when they do need your product or service.

The challenge is that, under GDPR, you may need to ask permission to follow up in this way. SuperOffice’s Steven MacDonald writes, “When you collect personal data such as an email address, not only do you need to inform the individual that you have stored it, but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.”

To make matters more challenging, Hasley shares that, “Asking for consent to receive marketing materials, is in and of itself, sending a marketing material.”

So, what options remain? Follow-up emails may be ok as long as they follow the same criteria as initial cold outreach messages, in that you must:

Have a legal basis (aka, a specific, targeted reason) for sending the message
Clearly specify what personal information you’re using, why you’re using it and how you’re storing it
Not hold personal information longer than necessary

Under these restrictions, sending personalized follow-up messages that cover these three elements may be ok. Plunking every email you encounter into a generic nurture sequence may not (unless you’re able to incentivize recipients to clearly and explicitly opt into receiving marketing messages).

4. Practice good data security