GDPR has a reputation for making cold outbound impossible in Europe. It hasn't. What it does require is a more thoughtful approach — one that, in our experience, also produces better outreach. Compliance and quality move in the same direction here.
This guide is the framework we use internally and recommend to our customers. It is not legal advice; it is operational practice.
The legal basis: legitimate interest
GDPR allows B2B cold email under the legitimate interest basis if three conditions are met: you have a legitimate business reason to contact the person, your message is relevant to their professional role, and the prospect's rights aren't unduly impacted.
Translated: you can email a B2B prospect about something their job actually involves, as long as you respect their right to opt out and to know what data you hold.
What 'relevant to their role' means in practice
Reaching a CTO about a technical infrastructure offer is relevant. Reaching that same CTO about a yoga retreat is not. For domain outreach, this means: contact the people whose role would include making naming and brand decisions. Founders, marketing leads, head of brand, sometimes legal. Don't blast every employee at the company.
Data minimization in your prospect data
Only store what you need. Name, role, company and business email are enough. Don't collect personal phone numbers, home addresses, or sensitive demographic data. Document your sources. Delete the records of prospects who opt out within 30 days of their request.
- Store only business contact information
- Document where each record came from
- Honor opt-outs within 30 days, ideally within 7
- Run a quarterly review and prune stale records
Message-level practices
Identify yourself and your company clearly in every message. Provide a one-click unsubscribe (a reply is fine — you're a human). Tell the prospect how you found them in the first email if it isn't obvious. Don't disguise the commercial nature of the message.
All of this also makes for better outbound. Transparent emails outperform manipulative ones in our data.
Subject access requests
If a prospect asks what data you hold, you have one month to respond with a copy. Set up an internal process for this now, before you need it. It's a 30-minute task that can become a fire drill if ignored.
Common misconceptions
Two things you do not need under GDPR for B2B cold email: prior consent (legitimate interest is a separate basis), and a double opt-in (that's a marketing-list pattern, not an outbound one). What you do need: a clear opt-out, transparency, and good record-keeping.
Sofia advises B2B teams on GDPR, CAN-SPAM and CASL. She believes good compliance and good marketing are the same thing.