First off, I am sure you have seen a few definitions of what the GDPR is and what it means so I will keep this brief. The General Data Protection Regulation is a legal regulation issued by the Council of the European Union and The European Parliament. Its main purpose is to protect the personal data of EU citizens. The GDPR is not about cold emailing. It is not about businesses. It is about personal data protection. However, sending business emails does mean processing personal data so there are some key things you need to keep in mind when emailing in a post-GDPR environment.

It is your responsibility to ensure any lists you buy are fully compliant under the new regulations. As a supplier of email lists and leads for countries across Europe Webphlox Media has taken steps to ensure total compliance.

How do we do this? We build and verify lists for ourselves and for our clients from scratch according to very specific targeting criteria, from publicly available sources. Building the lists ourselves with target criteria in mind means we can ensure the adequacy and relevance of the data collected, and that we can keep detailed records of our lead generation process.

Legitimate interest is one of the 6 lawful bases of processing data under the GDPR and covers business interests. The ICO describe it as the most appropriate basis when “the processing is not required by law but is of a clear benefit to you or others”.

However, the legitimate interest basis is NOT a catchall excuse you can use to cover anything in the realm of business. A process needs to be followed to ensure you remain compliant with the GDPR. Using legitimate interest as a lawful reason for processing data is only legal if your interest outweighs an individual’s right to privacy.

As Article 6, Clause 1 in the GDPR Legislative Acts states, legitimate interest is only legal if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

• Look up the company’s LinkedIn profile or website and check to see if your offering would support their goals
• Check for recent investment or funding if your offering supports growth
• Check to see if any of our past clients are in a similar industry or have a similar offering
• Look for referrals or inside information from our network
• Check to see if the company is expanding into a relevant area for your service, or expanding generally if your offering supports growth
• Check to see if the contact has asked for any information or has begun a search for a service or product your provide

There are a few ways to do this. Woodpecker in their excellent guide to GDPR preparation suggests including a disclaimer that informs the recipient of your email their data has been processed. This should include three key pieces of information:

A statement informing the recipient how you keep their data confidential

A short explanation of why are you contacting them; Instructions the recipient can follow to change the data you process or request removal of their data from your list.