There has been a considerable amount of discussion within the B2B sales community about whether cold calling is legally permissible under the General Data Protection Regulation (GDPR). This comprehensive guide will provide an in-depth look at how GDPR affects B2B cold calling, and how sales teams can ensure they are conducting their outreach in a GDPR-compliant way.

Understanding GDPR

The General Data Protection Regulation (GDPR) is a set of guidelines designed to empower individuals to have more control over their personal data. This regulation is binding throughout the European Union (EU) and the European Economic Area (EEA). It seeks to set clear boundaries for organizations on how to appropriately use and process personal data.

Several nations have adopted their version of the GDPR, modifying some regulations while retaining the overall objective of preventing unsolicited communication or misuse of personal data. A notable example outside Europe is the California Consumer Privacy Act (CCPA) in the United States.

GDPR and Cold Calling

The GDPR grants individuals more control over their data, which includes understanding where the data originates, the option to withdraw consent, and the right to refuse to be contacted without prior consent. Non-compliance could result in penalties up to €20 million or 4% of global turnover, whichever is higher.

GDPR-Compliant Cold Calling: Key Considerations

1. Validity of Consent

Under GDPR, organizations can only use someone's personal data for sales and marketing activities if they can demonstrate they have the lawful right to do so. This right is often referred to as 'legitimate interest'.

A legitimate interest implies that the prospect is being contacted about a product or a service that is genuinely suitable for them. It's important to note that a prospect's desire not to be contacted can override the salesperson's legitimate interest.

2. The 'Do Not Call' List

GDPR compliance also involves ensuring that the prospect isn't on a 'Do Not Call' list. It's crucial to note that such lists are country-specific, meaning they must be checked on a nation-by-nation basis.

3. Cold Calling Practices

For sales professionals to follow GDPR guidelines, they have to adopt a customer-centric approach. They should always introduce themselves at the beginning of the call, explain why they are calling, and respect the prospect's decision if they do not wish to talk.

Best Practices for GDPR-Compliant Cold Calling

  • Screening Phone Numbers: Before making any calls, ensure that all the phone numbers you plan to dial have been checked against the relevant 'Do Not Call' lists. This step is crucial in ensuring the numbers are safe for cold calling.
  • Understanding Data Acquisition: Ensure you understand where every phone number in your CRM comes from. You must be able to prove that you obtained them legitimately.
  • Simplifying the Opt-Out Process: Make it easy for prospects to opt out of future contact, including deleting their data.
  • Privacy Policies: Ensure that your privacy policies inform your prospect of their rights under the GDPR.
  • Use of Technology: Leverage technology to manage your calls, including keeping track of your call history and the number of times you call a specific number.
  • Protecting Personal Data: Keep your prospects' personal data secure at all times.
  • Staff Training: Ensure that your salespeople are trained on data protection, GDPR, and conducting cold calls in a compliant way.

What should sales reps do on their cold calls to stay GDPR compliant?

Opting out and following the rules around legitimate interest aren't difficult.

Introduce yourself and explain why you're calling at the beginning of the conversation. From there, there are two possibilities:

  • If the prospect does not want to speak with you, thank them politely, end the call, and do not call them again.
  • Keep the hard sell to a minimum if you're allowed to continue.

Aiding GDPR Compliance: Role of B2B Data Providers

B2B data providers like SMARTe can play a significant role in ensuring GDPR compliance. They can help by conducting regular screenings of phone numbers against global Do Not Call lists, maintaining compliance certification, having in-house GDPR data regulation, and offering data subjects the chance to opt out of their database at any time.

Cold Call Strategy Development Under GDPR

Under GDPR, both cold calling and cold email outreach are considered unsolicited communications. This definition necessitates a customer-focused approach from sales teams. Marketers can aid sales teams in gaining permission through lead generation tools or insights on web forms.

When making calls to existing clients for upselling or promotions, it's safe to assume that they have given consent for contact and that there's a valid reason for your call.

Cold Calling to Leads or Potential Clients

GDPR's Article 6 outlines six legitimate reasons for organizations to use personal data. Sales teams should focus primarily on obtaining explicit consent and using data to pursue legitimate interests.

Explaining Legitimate Interest During Cold Calls

If a company's website displays contact information for its personnel, it implies that it's acceptable to contact them regarding sales-related matters. However, if someone questions the source of a phone number and expresses discomfort with being contacted, it may indicate that the intended recipient has not been reached.

Working with GDPR-Compliant Data

B2B data providers must go the extra mile to validate phone numbers and separate business numbers from private ones in order to provide their clients with GDPR-compliant data. To be compliant, the data controller and data processors need to have a notification process in place.

ePrivacy Directive and Sales Practices

The Privacy and Electronic Communications Directive (ePrivacy Directive) governs unsolicited communications for direct marketing purposes, including the consent (opt-in or opt-out) required for sending cold emails or making cold calls. The rules vary slightly from country to country.

Legal Cold Calls and Emails in the UK

In the UK, you can make live calls without consent to a number if it is not listed on the TPS (UK’s Do Not Call register) AND if that person hasn’t objected to your calls in the past. Your calls must be fair, which means you must not make any calls that the person would not reasonably expect, or which would cause them unjustified harm.

When it comes to emails, you can send them to any company, partnership, or government body at their corporate email address. If you are emailing employees who have personal corporate email addresses, you need to give them the right to opt out of marketing.


While GDPR has imposed certain restrictions on B2B cold calling, it hasn't banned the practice entirely. By understanding the rules and regulations and implementing the best practices outlined in this guide, sales teams can continue to leverage cold calling as an effective sales strategy while remaining GDPR-compliant.

How SMARTe maintains GDPR compliance

SMARTe provides SOC2, GDPR and CCPA-compliant data. We maintain compliance with the GDPR in the following ways:

  • We send out notifications to ensure that the contacts in our database are aware that we hold their data.
  • All the mobile numbers in our database are cross-checked against global DNC lists.
  • We have been SOC2 Type 2 compliant for the past two years.

Remove the compliance burden from your sales operation today - request a demo.

Nitesh Sharma

Nitesh is SMARTe’s Head of Growth Marketing. He writes on topics within B2B marketing and sales, providing readers with real life, actionable tactics.

All your questions, answered.

Does GDPR Allow Cold Calling Under Its Regulations?

GDPR, the General Data Protection Regulation, imposes strict rules on the processing of personal data, including for marketing purposes such as cold calling. While GDPR does not explicitly prohibit cold calling, it requires businesses to obtain explicit consent from individuals before contacting them for marketing or sales purposes. This means that cold calling is allowed under GDPR regulations only if businesses have obtained valid consent from individuals to receive such communications.

What Are the Restrictions on Cold Calling Under GDPR Regulations?

GDPR applies to phone calls made for marketing or sales purposes, including cold calling. Businesses must comply with GDPR requirements when processing personal data obtained from individuals during cold calling activities. This includes obtaining explicit consent, providing clear information about the purpose of the call, respecting individuals' rights to opt-out of further communications, and maintaining records of consent and preferences.

How Does GDPR Affect Customers in Relation to Cold Calling?

GDPR offers significant protections for customers in relation to cold calling and other marketing activities. It grants individuals greater control over their personal data by requiring businesses to obtain explicit consent before contacting them for marketing or sales purposes, including cold calling. GDPR also gives customers the right to opt-out of receiving further communications at any time and provides mechanisms for individuals to access, rectify, and delete their personal data held by businesses.
