How to ensure your sales pipeline is GDPR compliant

For every business to survive, it needs to sell its goods and services – that’s obvious. But the reported figure that 30-50 per cent of all sales are won by the first company to respond to a prospect just goes to show how important it is to have an organised and fluent sales pipeline.

In this blog, we are going to outline precisely how GDPR should impact the way you prospect and sell to potential customers.

Sales & GDPR

No matter whether you pick up the phone to cold call prospects, meet with potential customers while networking at events, or undertake other strategies that turn strangers into friends, everyone is looking for a competitive edge.

Sales is a scientific game; there are four steps in the customer journey:

  • Awareness
  • Interest
  • Desire
  • Action

The journey of the sale is also split into four stages:

  • Prospecting
  • Qualifying
  • Aligning Proposition
  • Proposal and Close

Once you master the science behind the sale, you can use a multitude of techniques to hit your sales quota.

But things have changed in recent years.

The way you handle prospects has been updated and ratified under EU law as the General Data Protection Regulation, otherwise known as GDPR – which came into effect in May 2018.

Failure to adhere to GDPR guidelines can land your company with fines of up to €20 million or 4 per cent of your global turnover – whichever figure is higher.

For instance, British Airways were hit by a £183,000 fine, the biggest GDPR fine to date, when a third party extracted 500,000 customer records with malicious intent.

The hotel chain Marriott was also fined after acquiring a rival hotel chain that had unknowingly been hacked, exposing over 5 million unencrypted passwords and the details of 8 million credit card records between 2014 and 2018.

The European Union’s most prominent privacy update in more than twenty years is now firmly in effect, and with a reported 59,000 data breaches since GDPR was implemented, it’s time to assess whether your sales pipeline really is GDPR compliant.

How does GDPR impact your sales team?

You may assume that GDPR doesn’t impact you, but for many sales professionals, GDPR has created a significant shift in how they are able to acquire and action prospect data.

Ask yourself:

  • Is your sales pipeline still reliant on purchased data?
  • Do you automatically add a business card and customer data to your mailing list?
  • Are you asking existing customers for referrals?

If your answer to any of the above was “yes”, then GDPR is impacting you and your business activities.

There have been misconceptions among companies overseas that GDPR only applies to businesses in Europe; this is certainly not the case.

Your business could be based in Timbuctoo, but if you have any information on any EU citizen, then you must be GDPR compliant.

How does GDPR impact individual prospect data?

GDPR basically offers residents of the EU a greater opportunity to control their personal data and reassures them that their information is securely held.

In terms of prospecting, this personal data is at the very core of how a sales team operates when searching for new business, but GDPR has changed how you can collect, process and store the information, and how long you can hold it.

An individual’s personal data can come in a wide selection of guises, including obvious things like names and addresses through to more arbitrary things such as a person’s interests and preferences. In terms of your sales team, this would basically be anything they deem worthy of storing in a CRM system.

On a corporate level, personal data is far more intrusive and can include things like IP addresses, national security numbers, banking details and even your medical information, which is why it’s so essential for businesses to handle data appropriately and, in the cases of BA and Marriott, why they’ve been handed such gargantuan fines for failing to do so.

Storing data

On any typical day, you’d collect data, then store data, and then, of course, you’d cleanse the data.

What’s changed is the fact that GDPR requires a company to actively seek permission to collect, store and use this personal data.

You’ve probably already seen examples of web forms and emails containing links to privacy statements, which outline precisely what data is obtained, why you collect it, and how you intend to use it.

That’s not all though; individuals must be told about the purposes of processing their information and for how long you intend to store the data.

This means that if you haven’t been permitted to collect their data, you must inform them – within thirty days of obtaining it – that you have their information and then explain why you feel it’s necessary to hold it within your system.

If you send an email, and you receive a reply asking that you delete a person’s data, you must adhere to this request and remove them from your database. Or, at the very least, remove the information needed to contact them, so that this person can no longer be contacted.

In some cases, though, this is not possible.

You may be legally bound to store someone’s data, even if you are asked to remove it. If this eventuality does come to pass, then your designated Data Protection Officer will need to inform the individual that you are legally obliged to keep the data and the reasons for doing so.

If you don’t hear back after making obvious and reasonable attempts to reach out to them, then it’s generally assumed that storing this data isn’t a problem, so long as you have a legitimate reason for doing so.

It’s absolutely imperative, however, that you do not send any marketing materials to them unless they have explicitly stated they’d like to hear from you, and that you keep a record of the consent to ensure total GDPR compliance.


Processing data

Once you’re definitely sure you’re able to store the data you have on your prospects, the next phase is to use it to create new sales. However, once again, you must tread very carefully, because GDPR hampers the way you process and use your data.

Pre-GDPR, when information was collected on a prospect, they would automatically be opted into a range of marketing and sales literature.

This could include:

  • When someone buys a product, they are automatically added to follow up sales and product emails
  • Phone call communications registering an interest in a product sees details added to a lead generation nurturing list
  • Free trial customers receiving further onboarding communication

However, before you even begin to think about storing and processing any personal data, you will need to find it first. Here are seven of the best ways in which you can continue to prospect under the watchful eye of GDPR.

If your company is still engaging in these activities, it needs to stop and quickly.

When collating personal data such as phone numbers or email addresses, you cannot simply assume that you have permission to send them marketing emails; they must ‘opt in’ to receive them.

One easy way to deal with this problem is to allow the prospect themselves to manage what kind of emails they’ll receive from you with a subscription management tool.


GDPR & sales contact

As we now know, you can’t send sales emails to your prospects without express permission. This includes anything like product demos, catch-ups or touching-base emails; basically, any sales-related contact that your prospects didn’t actually ask for.

If you’ve never spoken to the person before, you should indicate in your sales email that you’ve attempted to contact them via phone before any emails were sent out.

In the email example below, there’s no clear indication that any attempt has been made to reach out to the recipient beforehand; therefore, this would count as marketing communication and as such would violate GDPR restrictions.

However, the good news is that you can still continue to send cold sales emails to your prospects if the email is sent to an individual and not to a group of recipients, as long as you’ve included a link to your privacy statement, which explains your intention for contacting them.

GDPR & social media

Social selling is now a well-established form of sales for many professionals, yet a whopping 93 per cent of sales professionals have never had any formal training in social selling.

Yet for those who do use it effectively, it can actually be an incredibly powerful way to prospect.

GDPR doesn’t stop you from searching, finding and connecting with potential customers on social media platforms. Whether you connect with customers online and ask for referrals or reach out to prospective customers directly, social media can still be a big part of your overarching sales strategy.

Once your friend or connection request is accepted, you can drop them a message to secure consent so as to nurture them as a lead and eventually sell to them.

Do bear in mind, though, that the idea of social media is to provide value, so sending out spammy messages will not achieve any better results than spamming on any other channel.

If you’ve nurtured your conversations and they’ve moved outside the walls of social media, you will need to establish beyond doubt whether there is a legitimate interest before you contact them by email or phone.

However, just because you’ve received consent to contact them to further your conversations, it does not mean they have permitted you to add them to your marketing mailing lists.

GDPR & referrals

One of the most effective options when looking for new customers is asking your current customers for referrals to people who may be interested in your products and services.

Under GDPR guidelines, you can still call and email prospects based on existing customer recommendations.

GDPR & purchased leads

Traditionally, purchased leads were a simple way to fill up your sales pipeline – either to complement existing sales campaigns or to make up for lack of naturally generated leads.

However, as you’ve probably guessed by now, things have changed.

If you obtain leads that contain personal data from third-party lead providers, then not only do they require consent to share that information with you, but you also need to gain permission to process the contact details you receive – unless they’ve consented to be approached by associated third-party partners.

If this is the case, then you are able to contact them.

That said, you must have proof of their willingness to be contacted from your lead provider, and you must allow them to opt-out of your marketing email campaigns.

This change will also impact your existing purchased leads. If you have paid leads in your mailing lists, then you will need to obtain proof of their consent too.

GDPR & cold calls

Cold calling has always been a useful tool in the salesperson's armoury for building new relationships with potential customers.

But is cold calling allowed under GDPR?

Fortunately, cold calling isn’t covered under the same regulations as GDPR. Again, though, you will still need to get their permission before adding them to your database and sending them marketing literature.

So, while on a call with a potential customer, ask them quite clearly if they’d like to receive further promotional or marketing communications. If they agree, you can feel free to send them a link to a ‘manage my subscriptions’ page, as we mentioned previously, where they could choose for themselves what they would and wouldn’t like to see.

Of course, short of recording the call (which can come with some legislative difficulties of its own), it can be quite hard to prove you’ve been given consent. To sidestep this, you could follow up the call with an email that summarises everything you’ve covered:

  • The reason you called
  • What was discussed and agreed upon during the call
  • Why you are following up with an email

Every time you send an email like this, it’s crucial to ensure that you store it within your database. If the prospect you’ve gathered this information on asks to have their details removed from the database in the future, you must comply.

GDPR & website leads

Your website should be one of the first ports of call when capturing new leads.

If you’re using web forms to catch contact information, then it’s high time that you review the kinds of information that you collect as GDPR needs you to legally validate the personal data you are capturing.

This means that you can only request the information you need, rather than the information you want. Asking questions such as date of birth, personal income or interests will give you more to go on when trying to identify with your prospect, but you will need to be able to explain why you requested it.

If you have no reasonable grounds for asking for this additional information, it’s best to concentrate on looking for the name, company and business email address.

As with every other form of prospecting, you must be clear and transparent about how you intend to use this data as well as giving them a chance to opt-in or opt-out accordingly.

GDPR & networking

Mingling at events, conferences and conventions is a fantastic way to meet new people who may be interested in what you have to offer.

Exchanging business cards is a time-honoured ritual, and in days gone by, it would mean that you could input the business card information into your system.

While you are still well within your rights to continue to exchange cards and store their information, you cannot under any circumstances send them marketing emails unless, again, you’ve received their consent.

But there’s no need to give up networking just yet.

You are still able to send one-to-one emails and follow up with the prospects that have handed you their card as reasonable interest between the two parties has been established.

Since the 25th of May 2018, sales prospecting has changed and therefore how you utilise and manage your sales funnel has changed too.

It’s imperative to remember that GDPR is not about constricting the way you prospect and generate new business. In actual fact, by adhering to GDPR guidelines, your sales funnel will meet KPIs faster and produce higher quality leads, which gives a sales team a list of interested prospects where the chances of conversion are higher.

Rather than attempting to seal the deal with prospects who aren’t in the market looking to make a purchase, GDPR gives you no other option but to focus your time on creating and nurturing relationships with prospects who are actively engaged in what you have to say.

GDPR focuses on quality over quantity, so in the long run, it will produce a healthier and more productive sales funnel.

Richard LeCount, managing director,

Richard LeCount is a cybersecurity, GDPR and data security expert and the managing director of, a company specialising in top of the line USBs and power banks.