Cold emailing, with a claimed ROI of $38 for every $1 invested, is the most direct way to reach a list of prospects you don’t already know. It is an established marketing technique that has proved effective. But it is also essential to send a GDPR-compliant cold email every time.

Cold emailing is often considered spam and some people think that the General Data Protection Regulation (GDPR) does not allow cold emailing.

But that’s not true!

Cold emails can be legal. You just have to be careful about how you obtain, use and store the recipient’s data. Let’s find out what GDPR means and how to stay compliant while sending cold emails.

Let’s get started.

What Is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council of the European Union in 2016 and has applied since 25 May 2018. Its primary purpose is to protect the personal data of individuals in the EU (not only EU citizens: anyone whose data is processed in connection with the EU falls under it).

To comply with GDPR, companies need to be more deliberate about how they collect, handle and use personal data, which includes, among other things:

i) Names
ii) Phone numbers
iii) Email addresses
iv) Mobile device IDs
v) IP addresses

So, I will walk you through the best practices for staying GDPR compliant while sending cold emails. Do bear in mind that the content here is a general guide and does not replace advice from legal counsel.

Also, there’s another surprising fact about GDPR: even after its enforcement, 45% of EU citizens still report concerns about their data privacy.

Principles of GDPR

Here are the principles of GDPR.

1. Lawfulness, fairness, and transparency

The processing of personal information must be conducted in a lawful, fair, and transparent manner, ensuring that individuals are aware of how their data is collected and utilized.

2. Purpose limitation

Personal information must be gathered for specific, clear, and legitimate objectives, and not further processed in ways that are incompatible with these objectives.

3. Data minimization

The collection of personal information should be restricted to the minimum required for the intended purposes of processing.

4. Accuracy

Personal information must be accurate, kept up to date, and corrected or erased without delay when it is found to be inaccurate.

5. Limitation of storage

Personal information should be retained only as long as necessary for the processing purposes and removed when it is no longer required.

6. Integrity and confidentiality

The processing of personal information must be done in a way that guarantees its protection, including defending against unauthorized or unlawful processing, accidental loss, destruction, or impairment.

7. Accountability

Data controllers are required to exhibit compliance with GDPR principles, assume responsibility for their data processing activities, and adopt suitable measures to ensure adherence.

Can I send a cold email under GDPR?

GDPR doesn’t prohibit sending cold emails. It is just that your emails, and the way you obtained the addresses, have to meet certain requirements.

One of its aims was to put an end to abusive data practices in digital marketing and to protect individuals’ privacy. Under the GDPR, anyone who violates the rules can face heavy fines.

If you think you should avoid cold emailing just because you are scared of breaching one of the GDPR guidelines, you are wrong. Cold emailing is very much alive in the B2B world.

You should also note that cold emailing is legal when done correctly. One caveat a practitioner should keep in mind: GDPR is not the only rule that applies. National ePrivacy rules on unsolicited electronic marketing (for example the UK’s PECR, enforced by the ICO) sit alongside it, and they treat consumer addresses much more strictly than business addresses.

You simply need to follow certain principles. That means your business can send cold emails if it does so the right way. You have to be careful about the methods you use to gather, manage, and store the data.

If you are wondering ‘How can I make my cold email GDPR compliant?’, you will find your answers here.

When you send GDPR-compliant emails, you are doing the best thing for your business.

Stay GDPR Compliant While Sending Cold Emails

So, here are some best practices to follow while sending cold emails to make them GDPR compliant.

[Infographic: ways to stay GDPR compliant while sending cold emails]

1. Make sure you have an appropriate reason and the prospect is targeted

It is one of the most important things to keep in mind in order to make your cold email GDPR compliant.

Under the GDPR, the personal data you gather must be adequate, relevant and limited to what is necessary for the purpose of its processing. Note that when you build and use your own prospect list, you are the data controller, not a mere processor: you decide why and how the data is used, and you carry the accountability.

If you are not planning to use a piece of data, then don’t collect it. Basically, if you are only going to email someone, don’t collect their phone number or postal address.

Ensure that you are very specific in choosing who your ideal prospects are and who your segments are.

For example, if you find a group of people sharing their views on products or companies similar to yours, they are your possible prospects.

You must contact only those who are reasonably likely to need your product or service. A useful rule of thumb: if the prospect would be surprised to receive an email from you, the prospect is not relevant to you, and you may be breaching the GDPR.

Be very selective about the data you collect and the prospects you choose. Get this right and you largely avoid the risk of being penalised under the GDPR.

2. Should be able to explain how you acquired the prospect’s email

Ensure that any lists you buy and any addresses you find were collected in compliance with the regulation. Keep a record of how and why you collected and processed each piece of data.

If the question ‘Where did you get my email from?’ arises, you are expected to be able to answer it.

Thus, to cover all GDPR bases, keep two things in mind: be able to explain how you found their information, and if a recipient asks you to delete their data, do it. An unsubscribe link alone is not enough; you have to delete the data.

You must also have a lawful basis for reaching out to a prospect. The GDPR (Article 6) lets you process personal data under six circumstances:

a) Consent: the prospect has given clear, specific consent to the processing.

b) Contract: the processing is necessary to perform a contract with the prospect, or to take steps at their request before entering one.

c) Legal obligation: the processing is necessary to comply with a legal obligation.

d) Vital interests: the processing is necessary to protect someone’s life or physical safety.

e) Public task: the processing is necessary for a task carried out in the public interest or in the exercise of official authority.

f) Legitimate interests: the processing is necessary for your legitimate interests (or those of a third party), and those interests are not overridden by the individual’s rights and freedoms.

Whatever your basis for contacting prospects and processing their data, you have to state it, either in the cold email itself or in the privacy notice you link to. That is vital for sending GDPR-compliant cold emails.

3. Establish and document a legitimate interest

Under the GDPR, legitimate interest is one of the six lawful bases listed above, and it is the one most B2B cold emailers rely on.

While it is easy to understand other reasons mentioned in the previous point, the one that needs an explanation is ‘legitimate interest’. 

The ICO (Information Commissioner’s Office), which enforces data protection legislation in the United Kingdom, describes legitimate interests as the appropriate basis when the processing is not required by law but is of clear benefit to you or others, and when people would reasonably expect it and it has a minimal privacy impact.

To prove that there is a legitimate interest in contacting the prospect, you need to have some reasons, and they are:

a. Your product or service will help in supporting the goals of the prospects.

b. The prospect has invested recently in growth, and your product or service will support it.

c. Your previous clients are from the same industry.

d. You got to know about the prospect from your network.

e. Your prospect is up for expansion in an area that is relevant to your product or service.

f. Your prospect asked for information or searched for details related to your product and service. 

Relying on legitimate interest is only lawful if your interest is not overridden by the person’s right to privacy. The practical check is the ICO’s three-part test: identify the interest (purpose), show that the processing is necessary for it (necessity), and weigh it against the individual’s interests and expectations (balancing). Write the result down as a legitimate interests assessment so you can produce it if asked. You also cannot hold an individual’s personal information longer than needed.

Many marketers like to send a cold email only after some preliminary engagement. Either way, when you collect personal data such as an email address, you need to inform the individual that you have stored it.

To make sure what you’re offering would support their goals, look up the LinkedIn profile or website of the prospect’s company. 

To include Legitimate Interest in your email copy, there should be:

1. A statement informing the addressee that you hold their data and where it came from.

2. A brief account of why you are processing it.

3. Instructions the recipient can follow to correct the data you hold or have it removed from your list.

So, add these three points to the disclaimer copy of your cold email.

4. Unsubscribing process should be easy and quick

If you send cold emails, you need to tell recipients how to exercise their right to object to marketing and their right to erasure. Recipients need an easy and quick way to unsubscribe.

An ‘unsubscribe link’ should be added at the bottom of every email, and the opt-out must be honoured across all of your records, not just the one campaign.

An automated unsubscribe link is the fundamental opt-out element of a cold email: it is the most direct and quickest way for prospects to opt out.

Moreover, you can also write in the email footer that “our campaigns are free to reply and if you are not interested then reply ‘not interested’, we will remove you from the mailing list and database”. 

Hence, if the recipient asks you to delete their data, it must be deleted, not merely flagged as unsubscribed.

Regardless of which opt-out strategy you use, you must ensure the following:

1. There is clarity 

2. Unsubscribing is easy for the prospect and does not have more than two steps

3. You delete a prospect’s data immediately after receiving a deletion request. 

5. Maintain Your Database regularly

GDPR also means that you should not hold onto leads indefinitely, nor keep incorrect contact information. This is one of the core components of making your cold emails GDPR compliant.

Your CRM database must be cleansed regularly of inactive or unresponsive leads, and contact records must be kept up to date. Tag each record with where and how you collected it so you can trace how personal data was obtained and processed.

So, remove the leads you no longer require and replace them with active contacts whose details are correct.

Sometimes, you may need to team up with a different company on a piece of content. In that case, you need a lawful basis for the sharing itself, and you must tell the people on your list that you intend to share it with your collaborator before you do so.

You must also safeguard your database by taking the necessary measures. The use of physical access controls, data access controls, system access controls, input controls, transmission control, along with data segregation and backups, will go a long way in securing prospective data.

6. Data Security must be practised

Data security (the ‘integrity and confidentiality’ principle) is a central aspect of the GDPR, and it applies to how you store personal data as much as to how you use it.

Following are some points to keep in mind while making your cold email GDPR compliant:

1. Keep a record of who is authorised to access which data, and at what level. That way you have documentation to present if questioned.

2. Keep data only for as long as you require it.

3. Make sure that the systems and software you use have taken steps to become GDPR compliant. SalesBlink is an automated cold outreach tool that describes itself as GDPR compliant. Bear in mind, though, that a compliant tool does not make your campaign compliant: you remain the controller and are still responsible for the lawful basis, the list, and the retention of the data.

4. Make certain any data you’ve stored is protected while you process it, in transit and at rest.

5. Also, encrypt data wherever possible, and anonymise or pseudonymise it where you no longer need to identify the person (a fully anonymised record cannot be used to contact anyone, so for live prospects pseudonymisation plus access control is the realistic option).
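The opt-out, database-maintenance and data-security points above describe one procedure: record where each address came from, delete on request (and make sure a deleted address does not creep back in from the next purchased list), and purge prospects who never replied once the retention window has passed. The following is an added example of that lifecycle, written for this article; it is not code from the original post, from SalesBlink, or from any named product. The 30-day retention window, the keyed-hash suppression list, the `ProspectStore` class and the sample prospects are all assumptions made for the example, and the whole thing is an engineering illustration rather than legal advice.

```python
"""Prospect store with provenance, opt-out suppression and retention purge.

Added example, not code from the original post or from any named product.
Assumptions (labelled): the 30-day window and the keyed-hash suppression
list are design choices, not legal advice.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = 30  # assumption: window the article suggests for prospects who never reply


@dataclass
class Prospect:
    email: str
    name: str
    source: str          # provenance: answers "where did you get my email?"
    lawful_basis: str    # e.g. "legitimate interest"
    first_contact: datetime
    replied: bool = False


class ProspectStore:
    """Holds only what outreach needs, records provenance, and honours deletion."""

    def __init__(self, suppression_key: bytes) -> None:
        self._key = suppression_key
        self._prospects: dict[str, Prospect] = {}
        # Opted-out addresses are kept only as keyed hashes: the plaintext is gone
        # after deletion, but a re-import from a new list can still be blocked.
        # A keyed HMAC (not a bare hash) stops a dictionary attack recovering them.
        self._suppressed: set[str] = set()

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def _token(self, email: str) -> str:
        return hmac.new(self._key, self._normalise(email).encode(), hashlib.sha256).hexdigest()

    def add(self, prospect: Prospect) -> bool:
        """Store a prospect; returns False (and stores nothing) if the address opted out earlier."""
        key = self._normalise(prospect.email)
        if self._token(key) in self._suppressed:
            return False
        self._prospects[key] = prospect
        return True

    def unsubscribe(self, email: str) -> bool:
        """Delete the record outright and suppress the address. True if a record was deleted."""
        key = self._normalise(email)
        self._suppressed.add(self._token(key))
        return self._prospects.pop(key, None) is not None

    def record_reply(self, email: str) -> None:
        key = self._normalise(email)
        if key in self._prospects:
            self._prospects[key].replied = True

    def purge_stale(self, now: datetime) -> list[str]:
        """Storage limitation: drop prospects who never replied within RETENTION_DAYS."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        stale = [k for k, p in self._prospects.items() if not p.replied and p.first_contact < cutoff]
        for k in stale:
            del self._prospects[k]
        return stale

    def provenance(self, email: str) -> Optional[str]:
        """The answer you owe a prospect who asks where you got their address."""
        p = self._prospects.get(self._normalise(email))
        if p is None:
            return None
        return f"Obtained from: {p.source}; processed under: {p.lawful_basis}"

    def count(self) -> int:
        return len(self._prospects)


def demo() -> dict:
    """Runs the lifecycle on constructed sample data and returns the observable results."""
    store = ProspectStore(suppression_key=b"constructed-demo-key-keep-out-of-the-crm")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamps
    store.add(Prospect("ana@example.com", "Ana", "company website team page", "legitimate interest", t0))
    store.add(Prospect("bo@example.com", "Bo", "LinkedIn profile", "legitimate interest", t0))
    store.add(Prospect("cy@example.com", "Cy", "referral from partner", "legitimate interest", t0))
    store.record_reply("ana@example.com")                  # Ana replied: keep her
    deleted = store.unsubscribe("Bo@Example.com")           # Bo asked to be removed
    readded = store.add(Prospect("bo@example.com", "Bo", "purchased list", "legitimate interest", t0))
    purged = store.purge_stale(t0 + timedelta(days=31))     # Cy never replied: purged after 30 days
    return {
        "deleted": deleted,          # True
        "readded": readded,          # False: the suppression list blocks re-import
        "purged": purged,            # ["cy@example.com"]
        "remaining": store.count(),  # 1 (Ana)
        "ana_provenance": store.provenance("ana@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the suppression list. Keeping a plaintext copy of every deleted address would defeat the deletion; keeping nothing would let the same address be re-imported from the next list and emailed again, which is the complaint regulators actually receive. A keyed hash sits between the two: the address is no longer stored, the key lives outside the CRM, and the only question the store can answer is “has this exact address opted out before?”.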

It is natural for people to be sensitive about their data, and when you email prospects they may question you in many different ways.

Nobody likes intrusion into their personal space. They may ask where you got their details from and what other information you hold about them. Be ready to answer such questions, and be able to back the answer with your records.

Do try to follow all the above cold email rules.

Example Of GDPR Compliant Cold Email

Here is a sample template of a GDPR-compliant cold email informing prospects that you hold their information. It covers the three points from the legitimate interest section: where the data came from, why you process it, and how to change or remove it.


We wanted to let you know that your contact details are stored in our database. We obtained them from (insert source, e.g. your company’s website or your public LinkedIn profile).

The details include your name, email address, information about your company and your position. We process them on the basis of our legitimate interest in contacting businesses that (insert the reason the prospect is relevant, e.g. operate in the industry we serve). The data is stored securely and handled in line with current data protection law.

If you would like us to correct your details or remove them from our database, simply reply to this email with ‘not interested’ or use the unsubscribe link below, and we will delete your data. If you have any other questions, reply to this email or contact our customer support team.

Please read our privacy policy here (insert link).

Best regards,




Here are answers to some frequently asked questions related to GDPR. They should come in handy when you are trying to ensure you send GDPR-compliant cold emails.

1. I am based in the US. Should I be GDPR compliant?

GDPR aims at protecting individuals in the EU. Even if you are US-based, you have to comply with it if you process the data of people in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3(2) sets out this territorial scope). So, no matter which part of the world your company is based in, you must be GDPR compliant if your customers, prospects, partners and subscribers are in the EU.

2. Should I stop running multiple email campaigns due to GDPR?

No, you can go on with your email marketing and cold emailing activities, as GDPR is not against them. Read more about the difference between cold email and email marketing. It is a regulation that protects the privacy of people in the EU. So, if you process their data through your campaigns, the processing has to comply with the GDPR. That doesn’t mean you have to stop your email campaigns.

3. Does sending follow-up emails violate the guidelines of GDPR?

As long as your follow-up emails meet the same requirements as the first email, it is perfectly alright to send them. Here’s a recap of the three requirements:

The first is that you send cold emails only to targeted prospects and can show that the recipients could benefit from what you offer. There must be a logical connection between what your business does and the prospect’s business activity. That is what makes it lawful to cold email a person without their prior consent.

The second requirement is to inform recipients of the personal data you process and its purpose, and to tell them how they can have their data removed from the mailing list or corrected.

The third requirement is not to process the recipient’s personal data for longer than required. A reasonable practice is to remove the data of prospects who have not replied within 30 days of receiving the first email from you.

4. If I outsource the list building task, should I be concerned about GDPR?

You have to follow the requirements of GDPR if you are processing the data of people in the EU, so whether you outsource list building or not, you have to comply. Make sure that the company collecting data for you is doing it lawfully: ask them how they obtain prospect data, and keep that answer on record so you can explain it to prospects who ask.

5. Can I comply with GDPR without hiring a specialist?

Yes, you can. There is no need to hire a new person. You can either become the data protection specialist yourself or give the task to someone else in your team. A formal Data Protection Officer is only mandatory in specific cases (for example public authorities, or where core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), so a small or medium business doing B2B outreach usually does not need one. A designated data protection specialist is enough to manage data processing and put in place measures to protect personal data.

6. Is there a GDPR certificate?

No official GDPR certificate is required. The regulation (Article 42) allows for voluntary certification schemes, but you do not need a certificate to comply with the GDPR.

Follow The GDPR Rules For Cold Emailing

Cold email outreach has changed since May 2018 because of GDPR, and in many ways it has become more effective. Scammers, spammers and phishers now face heavy penalties for their deeds.

The GDPR has its focus on protecting the personal data of individuals from any misuse. So, you have to stay GDPR compliant while sending cold emails.

It may seem as though creating a GDPR-compliant cold email campaign is tricky. But in fact, by adding more adequacy, accuracy and relevance, you are simply tweaking your current emailing process. Doing so will ensure that you are following the norms set by the GDPR.

The GDPR forces you to focus on building genuine connections with people that want to hear from you. You cannot go about sending emails to just about anyone. 

It is not about limiting the way you prospect and generate new business. In fact, with GDPR compliant cold email, you will reach more customers at the right time and generate better leads too.

It will eventually help you close more deals faster because now you have a list of prospects who will find your product or services relevant and will be more likely to make a purchase. Just like emailing, following the guidelines of GDPR for B2B cold calling is also important.

