We should all be totally on board with GDPR compliance by now, right?

Well, maybe. The regulation came into effect way back in May 2018, so we’ve certainly had plenty of time to get our heads around it.

Yet search activity about GDPR and email has actually been on a broadly upward trajectory since late 2020, demonstrating that plenty of emailers still aren’t sure what they can and can’t do.

[Figure: search activity for "GDPR email", late 2020 onwards]

Given that getting it wrong could cost you €20+ million in fines, it’s hardly surprising that lots of you still want to learn more about GDPR.

If you’re in that boat, you’re in the right place. In this article, we’ll cover all the basics — like what GDPR is and who it applies to — then explain the specific GDPR rules for sending cold emails. And we’ll even share our top best practices for GDPR-compliant outreach.

Let’s get into it…

What Is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that protects the personal data of people in the 27 European Union (EU) member states and the wider European Economic Area (EEA), which adds Iceland, Norway, and Liechtenstein. It protects anyone whose data is processed there, not only EU citizens. After Brexit the UK kept the same rules in domestic law as the “UK GDPR”, and Switzerland’s revised Federal Act on Data Protection follows very similar principles, so in practice you should treat both the same way.

GDPR is often described as “the toughest privacy and security law in the world”, and the penalties for breaching it are severe.

Do you target audiences in any of those places? And do you want to avoid potentially paying millions of euros in fines? Then you need to comply with GDPR when it comes to handling personal data, including (but not limited to)...

  • Names and email addresses

  • Location information

  • Ethnicity

  • Gender

  • Biometric data

  • Religious beliefs

  • Web cookies

  • Political opinions

What Are the GDPR Rules for Sending Cold Emails?

Even half a decade after GDPR was introduced, a lot of people still misinterpret it as a blanket ban on cold emails.

That just isn’t true.

Fact is, GDPR isn’t a law about cold emailing. It’s not specifically about any aspect of sales and marketing. Rather, it’s about protecting personal data.

So, to be clear, you’re absolutely allowed to target citizens covered by GDPR in your cold outreach campaigns — but you need to follow the principles of GDPR when you’re processing their data. In this context, “processing” refers to the following data operations:

  • Collection

  • Recording

  • Organization

  • Structuring

  • Storage

  • Adaptation or alteration

  • Retrieval

  • Consultation

  • Use

  • Disclosure by transmission

  • Dissemination or otherwise making available

  • Alignment or combination

  • Restriction

  • Erasure or destruction

If you’re sending cold emails to people in the EU, the UK, or any of those other countries we mentioned, you’re definitely doing some of those things. You might even be doing all of them.

So you definitely need to understand the principles of GDPR.

Read more: Why Is Your Email Outreach Not GDPR Compliant?

What Are the Principles of GDPR?

Okay, so we’ve established that there’s no way to do cold email without processing data.

To be GDPR-compliant, you need to do it in accordance with these seven principles:

  • Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.

  • Purpose limitation: Only process data for specified, legitimate purposes, and explain those purposes to the “data subject” when you collect their data in the first place.

  • Data minimization: Only collect and process the data you actually need for those specified, legitimate purposes.

  • Accuracy: Your personal data records must be kept accurate and up to date.

  • Storage limitation: You can only store someone’s data for as long as you need it for the specified purpose.

  • Integrity and confidentiality: All data must be processed in a way that ensures appropriate confidentiality, integrity, and security.

  • Accountability: It’s your job to demonstrate your compliance with all the above principles.

Read more: What Constitutes GDPR-Compliant Cold Emails?

At this point, you might be thinking: Some of that stuff sounds kinda complicated. What are the chances we’ll get caught? It’s probably fine to just ignore it, right?

That’s a dangerous attitude…

What Happens If I Breach GDPR?

GDPR’s fines are designed to hurt organizations of any size. There are two tiers of administrative fine, based on the severity of the infringement, and both scale with the size of your business:

  • Less severe infringements can result in a fine of up to €10 million or 2% of your global annual revenue from the previous year, whichever is greater.

  • More severe infringements — those that “go against the very principles of the right to privacy and the right to be forgotten” — can lead to fines of up to €20 million or 4% of the preceding year’s annual revenue, whichever is higher.

And those are just the administrative fines. Individuals are also allowed to seek compensation from organizations that cause them harm by infringing their rights under GDPR.

Think of all those names and email addresses in your CRM.

How many of them are from countries covered by GDPR? Hundreds? Thousands? Tens of thousands?

If each of those people was entitled to claim compensation from you for mishandling their data, you’d be in a world of financial pain.


Does GDPR Apply To Me?

In a word: probably.

GDPR applies to any organization established in the EU or EEA, wherever the processing itself happens. It also applies to organizations based elsewhere when they process the personal data of people who are in the EU or EEA in order to offer them goods or services, or to monitor their behavior, regardless of those people’s citizenship.

The UK GDPR works the same way for people in the UK, and Switzerland’s data protection law has a similar reach.

If you’re absolutely positive that you never target prospects in any of the countries we’ve mentioned in this article, you can probably relax. It sounds like GDPR doesn’t apply to you.

(Although there are lots of other GDPR-influenced regulations that may apply, including laws in Argentina, Brazil, Chile, Japan, Kenya, South Korea, and South Africa.)

As far as we can tell, it’s almost impossible to guarantee that you’ll never process the data of someone covered by GDPR.

So you’re better off complying with the regulation, just to be on the safe side.

9 Tips for GDPR-Compliant Email Outreach

Decided to get compliant? Smart move! Make it happen with these best practices:

Never Hit “Send” Without Having a Clear, Legitimate Purpose

As we’ve already noted, complying with GDPR doesn’t mean parking your cold outreach campaigns. But it does mean you need to have a clear, legitimate purpose for collecting and using a prospect’s data.

That word “legitimate” is important here.

The legal basis most cold emailers rely on is “legitimate interests” (Article 6(1)(f)). Recital 47 notes that direct marketing “may be regarded as carried out for a legitimate interest”, but that isn’t a free pass: legitimate interests is a balancing test, so you must be able to show that the contact is relevant to the recipient’s role and circumstances, that your message offers them some plausible benefit, and that your interest doesn’t override theirs. Simply wanting someone to buy your product isn’t enough on its own. Note too that the ePrivacy rules (implemented in the UK as PECR) sit alongside GDPR and generally require consent before you send marketing email to individual consumers, so legitimate interests is mainly a basis for business-to-business outreach.

Potential legitimate reasons for contacting a prospect might include (though none of these is a guarantee):

  • A mutual connection suggested your product or service could help a prospect and recommended reaching out to them.

  • Your product or service has helped other, similar prospects to achieve their goals.

  • The prospect used to work with one of your other clients and has moved to a different organization that could benefit from your product or service.

For instance, a sales rep at Asana might reach out to a project manager to demonstrate how the SaaS platform helps users collaborate more efficiently and hit more deadlines. That’d probably count as a clear, legitimate purpose — but we’re not lawyers!

Be Totally Transparent About Your Identity

The recipient should never be in any doubt about who you are and which organization you’re speaking on behalf of.

That doesn’t mean you have to share your life story every time you send an email. However, your email address should clearly belong to you and your business: send from a domain that matches your organization, and authenticate that domain with SPF, DKIM, and DMARC so recipients can verify the message really came from you. You should also add information like your organization’s name, location, and social channels.

How QuickMail helps you stay GDPR-compliant: We make it easy to add clear signatures to your emails, including your professional contact details and address.

[Screenshot: adding a signature in QuickMail]

Make It Easy for People To Opt Out

It should be simple for prospects to remove themselves from your campaigns — and if they opt out, you need to make sure they're never contacted again.

How QuickMail helps you stay GDPR-compliant: With QuickMail, you can add an “unsubscribe” link in the email header, your signature, or within the email copy. Our AI-assisted unsubscribe feature helps you stay compliant by automatically detecting opt-out requests and setting the prospect’s status to “do not contact”.

[Screenshot: sample email with the QuickMail unsubscribe link]

Process Data Safely and Securely

To comply with GDPR (Article 32), you must put appropriate technical and organizational measures in place to keep your prospects’ personal data secure: encryption in transit and at rest, access controls so that only the people who need a prospect’s data can see it, and a record of who accessed what.

How QuickMail helps you stay GDPR-compliant: QuickMail is GDPR-compliant, so you can rest assured that we always process personal data in line with the regulation.

Keep Your Email List Spotless

Another key step to GDPR compliance is keeping your list clean by regularly checking for:

  • Soft bounces

  • Hard bounces

  • Out-of-office replies

  • Opted-out prospects

How QuickMail helps you stay GDPR-compliant: This process can be time-consuming (not to mention boring), but QuickMail makes it quicker and less painful by automatically marking email addresses that bounce as "do not contact". At any time, you can filter your prospects for anyone marked “DNC” and clean out their data.

[Screenshot: prospects marked “do not contact”]

Sunset Disengaged Accounts

In the context of cold outreach, “sunsetting” means purging your email list of prospects who haven’t engaged with your messaging for a given period, typically a few months.

Fact is, there’s no point keeping in touch with accounts that ignore every email you send. Their lack of interest is hurting your engagement rate, which could end up damaging your deliverability.

Far better to say “goodbye”.

How QuickMail helps you stay GDPR-compliant: Use our advanced filters to home in on prospects who haven't engaged with your campaigns, then remove them. Easy!

Retain Proof Showing How You Captured the Prospect’s Data

Every name and email address in your database came from somewhere.

Did you find it on the company’s website? Maybe they handed their business card to one of your reps at a trade show? Or perhaps you purchased it from a reputable data provider like Experian or UpLead?

Whatever the case, record it. If you didn’t collect the data from the person directly, Article 14 requires you to tell them which source it came from when you first contact them, or when they ask, and you can’t do that if you never wrote it down.

How QuickMail helps you stay GDPR-compliant: For each prospect, you can set a note or custom attribute setting out the data source.

[Screenshot: QuickMail custom attribute recording the data source]
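The four hygiene steps above (honoring opt-outs, cleaning bounces, sunsetting stale prospects, and recording where each address came from) all come down to rules your prospect store enforces before any message is sent. The following is an added illustration of those rules in Python; it is not QuickMail’s code or any real product’s data model, and every name in it (ProspectStore, suppression_key, SUPPRESSION_PEPPER) is hypothetical. The one design choice worth noting: opt-outs are kept as a keyed hash of the address, so an erasure request can delete the clear-text record while the “never contact again” promise still holds if the same address turns up in a later list import.

```python
"""Prospect store enforcing suppression, bounce handling, sunsetting and provenance.

Added illustration, not QuickMail code; all names here are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: in production this secret comes from a secrets manager, not source code.
SUPPRESSION_PEPPER = b"rotate-me-in-production"


def normalize(email: str) -> str:
    """Canonical record key: trimmed and lower-cased."""
    return email.strip().lower()


def suppression_key(email: str) -> str:
    """Keyed hash of the address. Keeping only this hash lets you honour a
    'never contact again' request even after the clear-text record is erased."""
    return hmac.new(SUPPRESSION_PEPPER, normalize(email).encode(), hashlib.sha256).hexdigest()


@dataclass
class Prospect:
    email: str
    source: str                        # provenance: how the address was obtained
    collected_at: datetime
    last_engaged_at: datetime | None = None
    status: str = "active"             # "active" or "dnc" (do not contact)
    soft_bounces: int = 0


@dataclass
class ProspectStore:
    sunset_after: timedelta = timedelta(days=90)   # storage-limitation window
    max_soft_bounces: int = 3
    prospects: dict[str, Prospect] = field(default_factory=dict)
    suppressed: set[str] = field(default_factory=set)  # hashed opt-outs only

    def add(self, email: str, source: str, collected_at: datetime) -> bool:
        """Import a prospect; refuse anyone who previously opted out."""
        key = normalize(email)
        if suppression_key(key) in self.suppressed:
            return False
        self.prospects[key] = Prospect(key, source, collected_at)
        return True

    def can_send(self, email: str) -> bool:
        """The check every send path must pass before a message goes out."""
        p = self.prospects.get(normalize(email))
        return (p is not None and p.status == "active"
                and suppression_key(email) not in self.suppressed)

    def record_engagement(self, email: str, when: datetime) -> None:
        self.prospects[normalize(email)].last_engaged_at = when

    def record_bounce(self, email: str, kind: str) -> None:
        """Hard bounce: stop immediately. Soft bounce: stop after a threshold."""
        p = self.prospects[normalize(email)]
        if kind == "hard":
            p.status = "dnc"
        elif kind == "soft":
            p.soft_bounces += 1
            if p.soft_bounces >= self.max_soft_bounces:
                p.status = "dnc"
        else:
            raise ValueError(f"unknown bounce kind: {kind}")

    def opt_out(self, email: str) -> None:
        """Unsubscribe: keep the record (marked DNC) for audit, plus the hash."""
        key = normalize(email)
        self.suppressed.add(suppression_key(key))
        if key in self.prospects:
            self.prospects[key].status = "dnc"

    def erase(self, email: str) -> None:
        """Erasure request: drop the personal data but keep the hashed opt-out,
        so a later list import cannot quietly re-add the same person."""
        self.suppressed.add(suppression_key(email))
        self.prospects.pop(normalize(email), None)

    def sunset(self, now: datetime) -> list[str]:
        """Purge prospects with no engagement inside the retention window."""
        stale = [k for k, p in self.prospects.items()
                 if now - (p.last_engaged_at or p.collected_at) > self.sunset_after]
        for k in stale:
            del self.prospects[k]
        return stale


if __name__ == "__main__":
    # Constructed sample data, not real prospects.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ProspectStore()
    store.add("Alice@Example.com", "business card, trade show", t0)
    store.opt_out("alice@example.com")
    store.erase("alice@example.com")
    print("re-import after erasure allowed?", store.add("alice@example.com", "bought list", t0))
```

Whatever tool you actually use, the property to look for is the same one this sketch has: there is exactly one send check, it consults the suppression list, and nothing (a fresh CSV import, a re-run campaign, a colleague’s copy of the list) can get an address past it once the person has said no.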

Answer Prospects’ Data Security Queries

Unsurprisingly, prospects sometimes want to know how you got hold of their information, how you’re storing it, and how you plan to use it going forward. Data transparency is an essential element of GDPR compliance, so you’d better be prepared to respond openly and honestly to those questions. A formal request to see what you hold about someone (a subject access request under Article 15) must be answered without undue delay and at the latest within one month, so have a process for recognizing and routing these requests before the first one arrives.

How QuickMail helps you stay GDPR-compliant: QuickMail acts as a central hub for all messages you send and replies you receive. That way, if a prospect asks a data-related query, you can view all their notes, assign the conversation to the relevant team member, or escalate their question to a team leader to ensure potential compliance issues are safely navigated.

Choose a Reputable Email Provider

This one’s pretty self-explanatory: if you use a reliable email service provider (ESP), you’re less likely to inadvertently fall foul of GDPR.

There is no official EU register of “GDPR-compliant” services, so the way to find out is to ask. Reach out to the provider’s support team and get them to spell out their:

  • Compliance tools

  • Data-handling policies, including the data processing agreement that Article 28 requires between you (the controller) and any processor handling data on your behalf

  • Hosting locations, the sub-processors that see your data, and the transfer mechanism (such as Standard Contractual Clauses) relied on for any transfer outside the EEA

  • Security measures

If they can’t answer those questions clearly, that is your answer.

Send GDPR-Compliant Emails With QuickMail

Like any regulation, GDPR comes wrapped in a bunch of impenetrable legalese, and researching your requirements can make the whole issue feel pretty intimidating.

But it’s important to remember that many of the principles of GDPR compliance are no different from the general best practices for running effective cold outreach campaigns. QuickMail can help you with a lot of that stuff, like:

  • Cleaning your email list

  • Removing disengaged accounts

  • Making it simple for people to opt out of your campaigns

  • Clearly communicating who you are (and who you work for)

  • Recording how you captured a prospect’s data

Sign up for your free QuickMail trial today!