We Converted 50% More Leads with Cold Calling After GDPR [Case Study]


Nightmare, you’re thinking, right? You wouldn’t be alone in this assumption - we’re getting more and more people asking us for help, and we’ve seen hundreds of thousands scour the web for GDPR-related information like how to stay compliant, establishing a GDPR legitimate interest and how the legislation affects cold calling.

Still thinking nightmare? You probably are, and that’s fair enough.

But, we are here to help - we’ve compiled some of our thoughts, advice and how to’s on establishing a GDPR legitimate interest, cold calling while staying legal and background info on the new regulations.

Let’s jump right in!

So, as I’m sure you know, GDPR has been on the tip of the tongue for all businesses regardless of size in the past year, with hundreds of GDPR consultants, advisors, software solutions and GDPR auditors starting up all around Europe, all of which aim to provide a solution to achieve GDPR compliance with the regulations implemented on the 25th May 2018. Let’s take a look at what GDPR actually is, the associated fines for non-compliance and how it is impacting the worldwide business environment, including GDPR’s influence on cold calls and establishing a GDPR legitimate interest for outbound marketing and sales.

So What is GDPR?

The General Data Protection Regulation 2016/679, commonly abbreviated as GDPR, is a set of rules and regulations that stipulate the collecting, handling and processing of personally identifiable information (PII) such as names and addresses, IP addresses, banking information and any other data type that can be used to identify a living individual. Not only this, it provides EU residents more control over the data companies store on them, offering more power to view and request the removal of that data should they decide they want to be forgotten.

The GDPR is designed to replace the antiquated Data Protection Act and other European country equivalents. GDPR acts as a blanket regulatory system governing businesses located inside the European Union, but also requires compliance by companies situated outside of Europe that collect and process the PII of citizens in Europe. Safe to say, it’s not something that can be easily avoided.

The regulation set had been in the design process for a long time, with the aim of encompassing all potential scenarios that businesses might face in order to avoid ambiguity or grey area exploitation (although, many argue the GDPR’s regulations are widely open to interpretation).

Additionally, the purpose of the new GDPR implementation is to take a much tougher stance on how companies and businesses handle the PII of individuals, with the intent to place restrictions and minimise mass marketing, automated cold calling and spam to individuals and businesses unless there is a GDPR legitimate interest for these efforts.

Additionally, data protection legislation throughout Europe had previously been broad and differed from member state to member state, resulting in a confusing process for compliance auditing internally and by external compliance processors. GDPR is designed to harmonise data protection legislation across all EU countries, resulting theoretically in a much more sustainable and straightforward road to compliance and protection of EU citizens’ data.

Meanwhile, the potential fines for non-compliance, which were previously viewed as a speeding ticket for major corporations such as Facebook, Google or other large entities, have now been greatly increased in order to displace incentives for these large corporates to abuse the rules, with the potential to take into account the company’s revenue to ensure the fine is proportional to their wealth.

How big are the fines?

The newly enforced levels of fines have garnered a lot of media attention and will likely worry the big Fortune 500 companies - no longer can they get away with gross data protection breaches with a cheap get-out-of-jail-free card. With a maximum GDPR fine for non-compliance running at potentially 20 million Euros, or 4% of the company’s annual turnover (whichever is greater), it will be a significant loss for falling foul of the GDPR requirements.

These are of course proportional to the level of non-compliance and the GDPR governing body allows supervisory committees in EU member states to make a judgement call and enforce less severe actions such as reprimands, warnings, or smaller fines. Still, most companies should be, and are, endeavouring to ensure compliance. On the smaller scale, fines can be 10m Euros, or 2% of a company’s annual turnover, for less critical or large-scale breaches, but which still should have been prevented.

How is it affecting the world of business and cold calling?

There has been much controversy and questions about how the GDPR will affect traditional sales and marketing efforts, such as cold calling. Now, if you found this article to discover how it will affect you, please be reassured - cold calling is not dead and the GDPR will not affect B2B efforts in the extreme case you are imagining. There are, however, some suggested methods of GDPR cold calling you may not have previously employed which will only help you stay on the right side of the law, and we’ll investigate those below. Just a heads up - we are a GDPR documentation, auditing and service provider and selling to privacy professionals is no mean feat, so if we can’t stay compliant then how will anyone?

When cold calling with the intention to stay GDPR compliant, there are a few things to note. You need to have established that the business you are reaching out to has a legitimate interest in the business services you are offering. A legitimate business interest will allow for full compliance and will not be considered a spam or unsolicited marketing effort under GDPR, but you must really consider whether it is legitimately of value to your prospect (i.e. you can’t just say it is when you and everyone else knows it’s irrelevant, which is bad sales technique anyway). With B2C scenarios, we suggest avoiding cold calling altogether as usually these fall foul of GDPR cold calling regulations. It’s pretty much the same thing with cold email outreach.

GDPR Cold Calling

How We Cold Call, Establish a Legitimate Business Interest and Stay GDPR Compliant

Any kind of outbound sales effort comes with its own set of challenges when it comes to GDPR and data protection legislation, whether that is for companies governed by GDPR or other regulations like those found in the USA such as SPAM. As a company that specialises in GDPR compliance, we must always comply, usually more so than most other regular businesses, but we also need to prospect and push our sales efforts in order to survive. So, let’s take a look at some of the main pointers in how we carry out sales efforts, establish a legitimate business interest and stay GDPR compliant. Daniela Duda, one of our experts, explains legitimate interest.

What is legitimate interest?

This is how we prospected and conducted cold calls, while also staying compliant with GDPR:

  1. First, we prospected using LinkedIn and Xing in order to make use of the mass of highly targetable data they offer. We set our sights on Data Protection Agencies, who usually only have around 1-10 employees, so reaching a decision making unit was likely.
  2. We did not store any personal information on our prospects. Company name and business telephone number were sufficient for us to carry out our GDPR cold calling activities.
  3. This one is interesting. Instead of directly calling an individual at the business, we called the generic line and asked the operator/switchboard to connect us with the relevant person who makes strategic decisions regarding partnerships. Although this is an extra step, it just strengthened our ability to stay compliant.
  4. Although our sole intention was to increase sales (as with any sales call), the way we pitched and structured the call was focused on establishing a mutually beneficial partnership between and their agency.
  5. Again, as they are an agency focused on data protection compliance, and provides GDPR Compliance Software Solution, there was a clear and indisputable legitimate business interest for them to receive our sales call and for us to reach out to them, thus preventing any GDPR related issues. We also used them as an indirect channel partner, where they could potentially promote the product to their clients or partners, meanwhile selling a license to them as well, so it was a win-win for us.
  6. We also understood their problems very well and crafted a sales pitch that they wanted to hear by addressing their problems directly. Data Protection Officers (DPOs) in Germany have many clients because the law says any company that has more than 10 employees needs to have a DPO. Therefore, this role is mostly outsourced. Hence, the pitch to the problem was very targeted. External DPOs want to save time, manage multiple clients and look professional. That’s what we pitched them.
  7. Finally, and this is very important, we respected their right to refuse the call. If they were not interested, we did not follow up or continually call them to convince them, we just moved on.

What Was Our Success Rate?

Good question. We, luckily for you, gathered our metrics for our GDPR cold calling campaign here at, and have some interesting results for you. Have a peek below:


  • We successfully reached 29% of prospects we reached out to. This was pretty good taking into account how people usually ignore sales calls. Generally, if your reach rate (directly reaching the prospect you need) is below 15%, we suggest you change your approach to cold calling so as not to waste time.
  • Of those that we reached, we were able to qualify 69% of them, meaning they were a good fit for our product and we knew we solved their problem. Similarly, if your qualification rate is below 30%, you need a new list of more relevant leads (don’t go buying generic leads, please!)
  • We were then able to convert 51.7% of those that were qualified, which we were pretty happy with. Again, if your conversion rate is below 50%, you need to work on your pitch. Conversion means either demo or sign up by the prospect.

These metrics were taken from Steli Efti's Blog.

Overall, we were pretty happy with these results. We have a little improvement to make on our pitching side to get that conversion rate up a little, but so far it was a successful campaign and we’ll continue to invest time into GDPR cold calls - and you should too!

And finally, we’ve mentioned it a lot. What is a legitimate business interest, and how do I establish one in B2B sales?

Establishing a legitimate business interest is crucial for B2B sales and marketing efforts when you do not have prior opt-in consent. Although somewhat of a grey area, a legitimate business interest can be thought of similarly to how a B2C organisation might think when marketing to a customer who has already purchased from them. For example, the business prospect should operate in the same niche or market as you, and you can therefore have good reason to believe that the party is interested in your services, thus giving you some ground to cold call.

Additionally, companies often list contact information for certain personnel publicly on their website in order to receive valuable business propositions (it’s hard to operate a business in complete isolation). This gives you a fairly strong indication that it’s okay to call the relevant company to discuss a legitimate business proposal without fear of repercussions. However, before doing any cold call, we do suggest doing your legitimate interest assessment. Here's the resource for the legitimate interest assessment.


As you can see, it’s not as scary as you first thought, right? You don’t have to close down shop or look elsewhere for work - you can still carry out your sales processes and cold calling as long as you have that all-important GDPR legitimate interest. Really, all it boils down to is respecting others’ privacy, not being irresponsible when it comes to personal data and making efforts to stay compliant. That way, you’ll avoid those fines!


Disclaimer: This article is not legal advice so please seek professional legal advice to discuss your specific circumstances.

ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.

Hauke Holtkamp, CEO ECOMPLY GmbH