We get lots of questions from Woodpecker users about GDPR (General Data Protection Regulation) and how it affects cold email outreach. It’s still a new topic but very important to anyone using things like automation software, a CRM database and other tools for direct marketing purposes or reaching out to prospective clients.
That’s why we’ve put together a GDPR FAQ – a list of frequently asked questions about the regulations along with our answers. We hope you’ll find some useful information and practical tips about processing data and managing your email campaigns according to the GDPR principles.
After all, sending GDPR-compliant cold emails is a must if you want to stay on the right side of the law.
If you want some background on the basics of GDPR first, take a look at this post:
Disclaimer: You should treat this post as a guide that will help you understand GDPR, not as legal advice. If you are unsure about how to organize your marketing activities in accordance with GDPR, contact a lawyer to get definitive answers to your questions and help you stay GDPR compliant.
Q1: I’m based in the US, do I have to be GDPR compliant?
It depends. GDPR protects people who are in the EU (the regulation calls them data subjects, and citizenship is not the test), so it’s not really a matter of your company’s location. It’s about whose personal data you process and where those people are. If your company is based in the US but some of your clients, partners, subscribers or prospects are in the EU, you should process their data in a way that is compliant with the provisions of GDPR. This is your obligation as a data administrator (the regulation itself uses the term “controller” for the party that decides why and how personal data is processed).
If your company offers a piece of software that lets other data administrators process data, it is reasonable to assume that at least part of that data will belong to people in the EU. GDPR defines obligations not only for data administrators (controllers) but also for data processors, and it requires a written contract between the two that sets out what the processor may do with the data (Article 28).
So in short, if there’s a chance your US-based company is a controller or a processor of the personal data of people in the EU, you should be GDPR compliant.
Q2: I send numerous email campaigns a year. Should I stop doing that when GDPR becomes legally binding?
Not at all. First of all, GDPR has not been designed to kill email marketing or cold emails. It’s not even a regulation about emails, or marketing, or cold calling, or business. It’s about protecting personal data.
You have to remember, though, that in the course of sending your email campaigns and running a business you probably process personal data. If at any point you process the personal data of EU citizens, make sure you follow the rules. Processing personal data should be GDPR compliant – that is, you must follow certain principles. Read more about the GDPR principles here.
So no, you don’t have to stop your email marketing campaigns, or your cold email campaigns, when GDPR becomes binding. You should make sure the data used in those campaigns is being processed according to the rules of GDPR.
Q3: Can I send cold emails to people under GDPR?
Yes, you can send cold emails to people at companies under GDPR. Again, the point of GDPR is not to limit cold email marketing or make contacting prospects difficult. It’s about protecting the rights of people in the EU over their personal data in the digital world.
Back to cold emails. You need to target your prospects very carefully. You need a compelling reason to claim that the company the person works for can benefit from what your company offers in the email, and your business activity should be logically connected with the business activity of your prospect. That is what lets you rely on “legitimate interests” (Article 6(1)(f)) as the legal basis for processing someone’s data without their prior consent. Legitimate interests is a balancing test: your interest in contacting the person must not be overridden by that person’s own interests and rights. A named decision-maker at a company in your target market usually passes that test; an address harvested at random does not. Note also that GDPR governs the processing of the address itself; national rules on unsolicited commercial email (based on the ePrivacy Directive) apply on top of it, and in some EU countries they require prior consent even for B2B messages, so check the law of the recipient’s country as well.
In other words, both parties have business interests and your aim is to help both sides benefit. Secondly, in each of your email messages, you need to inform your cold email recipients about exactly what personal data you are processing, for what purpose, and how they can remove their data from your mailing list or correct it. That’s how you fulfil the information duty described in GDPR (Article 14, which covers data you did not collect from the person directly).
Thirdly, you should not process your cold email recipients’ personal data for longer than necessary to fulfil the purpose for which you are using it. GDPR does not specify any particular period of time. We advise removing from your lists the data of prospects who have not replied within 30 days of sending them a cold email campaign. Write that retention period down and apply it consistently; a stated limit that you actually enforce is what demonstrates compliance with the storage limitation principle while sending cold emails.
In summary, GDPR allows cold email outreach, but there has to be a real, legitimate reason why you picked a particular recipient for your cold email campaign, and you should be able to explain that reason if asked.
Q4: Is follow-up email a violation of GDPR?
Sending follow-ups does not violate GDPR as long as it meets the three requirements described in the answer above.
Processing data in case of sending a follow-up is not much different from processing the same data to send the first message. The only thing that changes is the time you have for sending follow-ups to non-responsive prospects in the EU. Again, GDPR does not define a time span for that, but we advise removing from your lists the data of prospects who have not replied within 30 days from the first email you sent them.
Q5: Do I always need to have consent before emailing anybody?
You can send B2B cold emails without the previous consent of your addressees to process their personal data only if the emails meet the three requirements described in detail in the answer to Q3 above:
- a legal basis for data processing
- fulfillment of information duty
- compliance with data storage limitation
Q6: What about my current list of email subscribers? Should I remind them why they are on my list and ask them again for permission to continue sending them the emails?
If you asked their permission at the very beginning and they granted you their consent to process their data for specified purposes, you don’t need to ask them for permission again.
However, if the purpose of data processing has changed, or you plan to change it soon, you should inform them about the change and give them an easy way to decide if they agree to the new purpose of processing their data.
Or, at the moment of their sign-up to your newsletter, if they were informed that their data will be processed for a specified period of time but the period has already ended, you should also ask if they agree to further data processing for specific purposes.
Q7: Should all outbound emails (or emails in general) have an unsubscribe link included as mandatory under GDPR now?
Absolutely. GDPR has no rule literally named “unsubscribe”. What it does require is that every recipient can easily object to direct marketing (Article 21) and ask for their data to be corrected or erased (Articles 16 and 17), and that your emails tell them clearly how to do so. GDPR does not prescribe the mechanism, so it does not say “you should use an ‘Unsubscribe’ link”. It only says the way must be easy and understandable for each person.
In practice, an “Unsubscribe” link is the most common way to meet this requirement. It is part of good email practice, and we add one to all of our marketing messages. There are, however, other ways to offer an opt-out to your cold email recipients, such as a sentence inviting them to reply if they do not want further messages. You can read more about them here:
Q8: What if I outsource list building. I have nothing to do with personal data gathering. Does it mean I have to be concerned with GDPR?
Yes, if you’re going to use personal data that someone else gathered for you, and the people on the list are in the EU, then GDPR still applies. Remember that GDPR is not just about gathering or storing data. It’s about processing (using) and storing personal data. According to the regulation (Article 4(2)):
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Remember that if you decide why personal data is collected and how it is used, you are the data administrator (controller). And as the controller, you definitely should be concerned with GDPR. You should also make sure that the company you outsource list building to collects the data in a lawful, fair and transparent way. In other words, you should know exactly how they obtain the data and be able to explain to the people on the list how and why you got their data and for what purpose you’re using it.
Lawful use of an outsourced list depends on being able to meet this standard: if the vendor cannot tell you where an address came from, you cannot meet your information duty, and the list is a liability rather than an asset.
Q9: What does “privacy by design” mean?
Privacy by design (in the regulation’s own words, “data protection by design and by default”, Article 25) means developing every part of your solution so that it protects personal data at every stage: collect only the data each purpose needs, keep it only as long as needed, restrict who and what can access it, and make the privacy-protective setting the default rather than an option the user has to find. In other words, you have to think about protecting the privacy of your users, subscribers and customers from the moment you plan the processing of their personal data, not after the fact.
Q10: I don’t want to hire a GDPR specialist. Does that mean I won’t have a chance to comply?
You don’t have to hire anyone new specifically to keep your cold email GDPR compliant. You can appoint a current employee to take the role of data protection specialist, or you can take it on yourself.
Note that “data protection specialist” and Data Protection Officer are two separate roles with different sets of competencies. The Data Protection Officer (DPO) is a formal role defined in GDPR (Article 37) and is mandatory only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (such as health data or criminal records). If you run a small or medium business that does none of these, you don’t need a qualified DPO. You can appoint an internal data protection specialist, who will analyse how the company processes data and advocate solutions that protect against breaches that compromise contact details.
Q11: Where can I get a GDPR certificate?
There is no official GDPR certificate, at least not yet: the regulation (Article 42) allows for approved certification schemes, but certification is voluntary and does not remove your obligations. Information-security standards and certifications, such as ISO/IEC 27001, also aim at better data organisation, processing and security, and getting them is definitely a step towards GDPR compliance. But you are not obliged to hold any official certification to prove that you are GDPR compliant. You can simply follow the principles described in the regulation itself.
If you’re still working on your GDPR compliance, download the GDPR compliance checklist >>
Q12: I got a cold email from someone and I feel it’s illegal under GDPR, how can I inform them that I don’t want to receive emails from them?
In a case like this, you can reply in writing and request the deletion of your data from their mailing lists. If they still don’t respect your request, you can try to verify what service they use to send the emails and contact this company as the processor of your personal data. As a data processor, they will also be obliged to help you get your data removed from a list you don’t want to be on.
Remember that the burden of proof is on the sender: anyone who claims that you asked for the emails you say you don’t want has to be able to demonstrate that you gave opt-in consent (Article 7).
Q13: How does Woodpecker prepare for GDPR?
We have a separate section on our website that describes what Woodpecker does in order to be GDPR compliant. You can find it here:
After hosting our second webinar related to handling email outreach and email marketing under GDPR, we wanted to add a couple more questions.
Q14: Can you send a B2B cold email to a personal email address (such as Gmail) if the email is used for someone’s job position?
If you’re certain that it is their work email or they expressed their consent they want to receive the message from you on that email, then yes, you can.
As with any type of communication under GDPR, the electronic history of your communications must be transparent. You need to be able to trace back how you got the email address and prove that your message is relevant to that person.
Let the person know why you’re contacting them and give them a clear way of opting out of your emails. Doing this via an unsubscribe link is not your only option. They can simply write that they don’t wish to receive any further messages from you. Once they do so, respect it and delete their email address.
The crucial thing in B2B cold emailing is to make sure that you’re contacting the right person, in the right position, who represents a company that fits your ideal customer profile (ICP). Untargeted emails may get you in trouble.
Q15: Is keeping a list of contacts in Woodpecker making me the owner/processor of the personal data?
When you upload a list of prospects into Woodpecker, each prospect whose personal data you process is the data subject (GDPR does not use the word “owner”). You are the data administrator (controller) for that list: you decide whose data, and what kind of personal data, you want to process. Woodpecker, which stores and sends on your instructions, acts as your processor for it.
Moreover, you’re responsible for following the storage limitation principle. It means that you cannot process the data longer than is necessary for the purpose of processing it.
It also follows that you need to respect a data subject’s request to be deleted from your prospect list, and not contact them again. You will face penalties if you ignore the storage limitation principle or any other GDPR principle.
Woodpecker, on the other hand, is a data administrator (controller) in its own right when it processes your personal data as a user of the app or a newsletter subscriber. It must treat your data with appropriate care and comply with all the provisions of GDPR.
Q16: How can I compile a base of contacts in a legal way?
GDPR requires a solid reason to contact your prospects. Make sure both sides are likely to benefit from the potential business relationship and that the offer in your cold email is logically connected with their business area.
Also, you should obtain any personal data for your prospects’ lists in a legal and transparent way, and be ready to explain how the data was collected and why you decided to process personal data of specific EU citizens.
It matters that GDPR’s storage limitation principle does not allow you to process personal data for longer than necessary. The exact amount of time is not specified in the regulation. We recommend removing the data of non-responsive cold email addresses 30 days after your first contact.
In the case of opt-in lists, you can process the data in clearly specified ways the data owner has agreed to, for as long as they granted you their consent, or until they express their wish to withdraw it.
Any kind of data you ask for should be justified by the purpose for which you want to process it. Don’t ask for a phone number if you want to send someone an ebook. And if you do want to collect their phone number, tell them straight that you may want to call them.
Again, it’s all about transparency.
Give your cold email recipients as well as your opt-in list subscribers a clear way to opt-out from further correspondence if that’s what they want, and instructions on how to change their personal data, or completely remove it from your list. The ‘unsubscribe’ link mechanism is a popular one, but it’s not the only one you can use for that.
If you wish to know more about GDPR, read this blog post:
And if you prepare for GDPR, download our GDPR Compliance Checklist >> that will help you do it.