The Transformation of Outbound: Privacy Compliant. Value First.

Here’s How We Do it at Convert.

What picture does “outbound” conjure for you?

Is it a sense of accountability, proactivity, and ownership?

Or cold dread that your team may participate in the malpractice of hitting up random strangers who fit your nebulous “ICP” and badgering them into taking a trial or sitting through a gift card incentivized demo?

If it’s the latter… you are suffering from PLGD - Post Lead Gen Distress.

We empathize.

We’ve been there and done that. But we’ve also mended our ways.

What does that look like, you ask?

💡 A harmonious and balanced approach where outbound isn’t cold. Outbound isn’t even “to close”. Outbound is a strategic touchpoint that does what every touchpoint should do - empower the prospect to better understand their problem, and embrace a viable solution.

Most importantly, it means an operation that is privacy compliant by its very design.

First Things First:
You’re Approaching Outbound (and Privacy) Wrong.

When GDPR hit, searches for “Is cold calling GDPR compliant?” surged in our Google Search Console.

With time, though, the GDPR conversation is no longer as “I’ll get fined”-driven as it once was.

Other sweeping changes are evident.

Outbound as a stand-alone (frankly abused) channel has come under scrutiny.

The MQL hamster wheel is being dismantled.

But the C-suite has realized that outbound isn’t a reluctant partner in crime to marketing’s lead generation.

It can and should play nice with demand generation.

In fact, this sweet spot is where we discovered that privacy considerations aren’t a nuisance. They are a playbook to define the nature, intent, intensity, and quality of outbound touches as a part of piquing interest and reinforcing messaging.

Once you see the logic, you can’t unsee it.

What Demand Generation strategizes, Privacy quantifies.

See Convert’s LIA

The Anatomy of Privacy Compliant Outbound:

1. Identifying Legitimate Interest.

What does “legitimate interest” mean in marketing parlance?

It means that the personal data of an individual who hasn’t specifically shared it with you (the business) through explicit consent can still be processed (added to your outreach platform or your dialer) if it is of clear benefit to the parties involved, has limited privacy impact on the individual, and (a key factor) is expected by the individual.

This is the most flexible of the 6 lawful bases that marketers can fall back on. Yet it sets standards:

  • Clear Benefit. Yes, it is of benefit to you. But wouldn’t it be nice if the touch is also of benefit to the prospect? It is after all the principle of persuasion that gave birth to the lead gen era - RECIPROCITY. Reciprocity works. Before you fire off 1,000 “me too - our product is great” cold emails, think about benefit. And the logical extension of benefit - delivering value.
  • Limited Privacy Impact. Well, don’t scrape details you shouldn’t know. Don’t auto-enrich in intrusive ways. There is a hidden signal here. Do proper customer research, in the 1:1 context. Look at what the folks you want to hit up are doing on LinkedIn. Use a tool like SparkToro to gauge their interests. How do they trigger word of mouth? When you step beyond hoarding information, just because it is possible, you think outside the box to genuinely understand who you are selling to.
  • Expected by the Individual. Maybe the legal perspective differs, but to anyone who has sold anything, the implication is clear. Expectation = brand recognition. Or at the very least - mindshare. This can be achieved in a few ways:
    1. The accounts you identify as the right fit are prepped with targeted content and events

      LinkedIn ABM ads facilitate this. Based on our experience, it is an 80% match on the uploaded accounts (company names only) list, which then has to be whittled down by position and seniority.

      'Here is an uncomfortable truth: Your list can either make or break your ABM campaign. Unless it contains accounts matching your actual ICP, you're doomed. Don’t just cast your net at random; there's no point in chasing low quality, low intent accounts.

      Once you have the lists, use LinkedIn's advanced targeting options to narrow down your audience even further by seniority, function, interests, etc., to ensure you reach the folks most likely to be interested in what you offer rather than wasting your time and money on anyone outside your target audience.

      Create ads that get people talking. With ABM, you are typically looking to increase mindshare and raise awareness of your solution. So you want people to talk about you even if they don't click your ads. In-feed content consumption can be just as valuable as clicks, so make sure that each ad catches the audience's attention, creates desire for your offering and establishes credibility. Demonstrate the value of what you’re offering in the ad itself.' - Carmen Apostu, Media Buying Expert.

      A ramp up time of at least 2-3 weeks before outreach begins is considered standard.
    2. You partner outbound with inbound. Where initial intent signals from your target audience dictate the follow-up. An excellent example of this is attendees who say “yes” to LinkedIn events.

      Convert runs Zoom open rooms where people can drop in to learn - without prior registration. Even though we can’t directly process their Zoom session login information (since we don’t have consent), we can evaluate ICP match and interest from their LinkedIn profile and their live attendance.

      In this case an outbound touchpoint is probably expected. And is certainly not outside the realm of possibility. Legitimate interest gives the green signal.
    3. You build a community. The best way to extend your retargeting beyond the typical 90-day window, build trust, and stay top of mind. Imagine this - you draw your target accounts into your community where they engage with your content and messaging. The follow-ups are never “cold”, even if people haven’t shared their PI with you.

💡 Don’t share or sell target audience information you’ve acquired. If you dissect the Legitimate Interest clause, you may find loopholes around 3rd party data sharing. But privacy considerations in general frown upon this practice. Don’t do anything that breaks trust before you’ve had a chance to even establish it. Another privacy mandate that is surprisingly marketing aligned.

2. The Necessity Test.

Legitimate Interest seems like the stuff of dreams, right? You could go back to pre-2018 processing with impunity?


Because once you’ve established that outbound contact with prospects who haven’t consented to being approached isn’t “unlawful” or “unexpected” - you have to take a conscience check.

Should you do it, just because you can?

And should you do it this way? (The specific way you have in mind).

Ponder these questions:

  • Is processing personal data necessary to achieve the purpose? This one is probably a YES for most teams, unless you chance upon lots of people from your target account at in-person events.
  • Is processing proportionate to what you are trying to achieve? Don’t reach out to every person on the team that will use your product/service. Don’t do it, even if you feel that the “buying committee” is 5 to 7 people in B2B. Don’t try to go over the head of the user (who is more likely to expect a touch from you) to meet and greet the decision maker. It’s unflattering, sneaky, and definitely not privacy compliant.

    Let the contact who will benefit the most from your outreach introduce you to the team. This way you nurture a champion. To counter the detractors.
  • Can you process less data or not process data at all? Pretty self explanatory. Don’t hit the prospect up on LinkedIn, then leave a voice message, followed by an email - all in the span of 3 hours. Not unless you see an escalated intent signal - like a demo request or addition of a credit card in your self serve product. In which case you have a stronger basis for outreach anyway (consent).
  • Are there other, less intrusive methods, available that can help you achieve your purpose? This one is a gem. Flex your creative muscles. What can eliminate the need to engage in outbound outreach? In what way can you flip a potential outbound campaign to an inbound request? Here we go back to the two steps discussed under “Expected by the individual”.
Principles In Action: See Convert’s LIA

3. The Balancing Test

Even if the WHY behind your outreach is impeccable, you can still be denied access to your prospects by privacy watchdogs.

If what you have in mind “impinges on the fundamental rights and freedoms” of your ICP.

The scope of the discussion is broad. Every LIA lists out probing and thorough questions to address it.

These are the basic components of the Balancing Test:

  • Are you processing any type of sensitive personal data that falls under the special category of data (biometric data, health data, genetic data…)?
  • Are you processing personal data related to children and minors? Don’t! Just..Do.. Not.
  • How will processing affect individuals?
    We like to call this the value/payoff analysis. How much of your outreach is genuinely positioned to deliver value to your prospects? And how much of it is your personal payoff? Lean heavily towards delivering value.

    Here are some veteran industry voices who help you ace the value/payoff analysis:

    • Kristina Finseth. Her approach involves “earning the right” to have a conversation with your target accounts.
    • Josh Braun. His famous “Poke the bear” strategy is adopted by the biggest brands. You defuse objections by iterating and acknowledging that this is a cold touch, you get the consent to continue (if you are on call), you shed light on a genuine problem the prospect has (this is where the research conducted under “Limited Privacy Impact” comes in handy) and then you leave the loop open - inviting the person to explore a version of reality where the problem does not exist.

  • Is your processing imposing a high-risk to individuals’ rights and freedoms?
    Don’t go back bothering your prospects if they have:
    • Unsubscribed from your painstakingly crafted emails.
    • Said they do not wish to buy your solution - repeatedly. You may try to understand why this is so, but don’t harass them.
    TL;DR: Your outreach can’t override their right to not talk to you! Reps.. are you listening?
PS: If you follow half of what has been discussed so far, social media platforms won’t have posts bashing sales calls/outreach/outbound.

Principles In Action: See Convert’s LIA

4. Compensating Controls.

This is the simplest section to navigate.

Despite best efforts, mistakes happen.

The Legitimate Interest Assessment wants businesses processing data - however well intentioned - to have a plan B.

What do you do in case of a data breach?

What do you do in case you blast an email off to someone you can’t use any of the 6 lawful bases to contact?

This is more of a contingency blueprint (which frankly every marketing & sales team should have), covering measures like:

  • Data minimization
  • Technical & Organizational Measures
  • Privacy by Design
  • Additional Transparency
  • Additional Encryption
  • Multi Factor Authentication
  • Hashing
  • Salting
  • Retention
Principles In Action: See Convert’s LIA

Compliant Outreach is Effective Outreach:

We hope you get the beauty and relevance we hinted at.

Privacy isn’t a nuisance that you comply with, begrudgingly.

Privacy is the bedrock of good marketing and sales. It is the conscience check that businesses have been missing.

💡 Through privacy, ethics have been reintroduced into marketing. And brands have seen the real potential of outbound - as a valuable touchpoint on the road to Won Deals from demand gen.

Convert’s Legitimate Interest Assessment (LIA) Responses:

1. Identifying Legitimate Interest.

Question Answer
What is the purpose of the processing operation?
Business Development and Networking
Is the processing necessary to meet one or more specific organizational objectives?
Is the processing necessary to meet one or more specific objectives of any Third Party?
The objectives are set by Convert Insights Inc. and not any other Third Party.
Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?
Recitals 47 to 50 in the GDPR give some examples of when a Controller may have a Legitimate Interest which would need to be confirmed by a LIA. For Convert Experiences, two of the six generic examples in the GDPR of where a Controller may have a legitimate interest are of particular note:
  • RELEVANT & APPROPRIATE RELATIONSHIP - where there is a relevant and appropriate relationship between the individual and the Controller in situations where the individual is a client or in the service of the organization.
  • REASONABLE EXPECTATIONS - the fact that individuals have a reasonable expectation that the Controller will process their Personal Data.

2. The Necessity Test.

Question Answer
Why is the processing activity important to the Controller?
To reach out to businesses and individuals who have expressed either an interest in our product or a clear interest in exploring the option of better A/B testing tools in the market and are the most likely to value supporting information to make a better decision.
Why is the processing activity important to other parties the data may be disclosed to, if applicable?
No other parties are involved
Is there another way of achieving the objective?

3. The Balancing Test

Question Answer
Would the individual expect the processing activity to take place?
Since our targeting is accurate, no prospect should ever wonder why we have emailed. It is obvious based on what we do and what they do.
Does the processing add value to a product or service that the individual uses?

A/B Testing is the process of offering multiple options, for a web page, landing page, or design, to different portions of your audience and tracking each portion’s reaction.

For instance, you could create two separate landing pages, each with a different design, and allow 50% of visitors to see one and the other 50% to see the other. Then you can track each group’s reaction and engagement with the page they received. When one page gets significantly more engagement, you know that it’s of more value to your customer base.

The idea that everything you do as a company and brand should create value for your customer base ties directly to the value of A/B testing; not only does A/B testing allow you to see, in the short term, how successful a campaign or strategy or design can be with your audience, it also allows you to gather long-term and highly valuable information about how to create value for your customers.

A/B testing provides you with quantifiable, statistical information about what your customer base and online audience finds valuable.

Is the processing likely to negatively impact the individual’s rights? No
Is the processing likely to result in unwarranted harm or distress to the Individual? No – the data we use can’t result in a harmful breach.
Would unwarranted harm or distress to the individual occur if the processing did not take place? No
Would there be a prejudice to Data Controller if processing does not happen? Financial Harm
Would there be a prejudice to the Third Party if processing does not happen? N/A
Is the processing in the interests of the individual whose personal data it relates to? Yes
Are the legitimate interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?
What is the connection between the individual and the organisation?
  • Existing customer
  • Lapsed/cancelled customer
  • Prospect (never purchased goods or services)
What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?

Under the GDPR, the personal data we collect should be adequate and relevant to the purpose of its processing (Principle c: Data Minimisation). That means we had to consider two key things: the adequacy of our data collection (how much data do we really need for what we are going to achieve) and the relevancy of our data collection (is the data we are collecting the right data for our purposes).

Ensuring Adequacy: Collect Only What We Need. We only collect data that is strictly necessary to us.

Ensuring Relevance: Collect Only What Is Relevant. We ensure we are extremely precise in choosing who our ideal prospects are and who our segments are, and tailor our campaigns to those prospects and their pain points.

We help set the target criteria for our prospecting activities routinely.

  • Geographical location: where are the prospects we want to speak to? Where will our service or product be most relevant?
  • Target industries: who do we already work with? Which of our clients are most profitable/find our service most useful? Who have we spoken to who has a use for our service?
  • Company size: are the companies we are approaching large enough or small enough to require our service? How many employees do they have? What is their annual revenue?
  • Titles: are we contacting the right person from your chosen company? Are they senior enough to make a decision? Are they in a department with a use for our product or service?

We build and verify lists for ourselves from scratch according to very specific targeting criteria (mentioned above), from publicly available sources.

Building the lists ourselves with target criteria in mind means we can ensure the adequacy and relevance of the data collected, and that we can keep detailed records of our lead generation process.

Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?
Would the processing limit or undermine the rights of individuals?
Has the personal information been obtained directly from the individual, or obtained indirectly?
We obtained the business information from public directories where businesses are published, or agency and expert directories, for example. The personal information is then collected by finding the person responsible for web analytics, marketing or conversion optimization.
Is there any imbalance in who holds the power between the organisation and the individual?
No, given the individual can opt out of even the limited data usage we rely on. The individual holds the greater power.
Is it likely that the individual may expect their information to be used for this purpose?
Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?
The data is well protected with limited access, not shared with other controllers and retained only as long as strictly necessary.
Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?
Yes, in the cold emails we include three key pieces of information:
  • a statement informing the recipient how we have processed their data;
  • a short explanation of why we are processing it;
  • instructions the recipient can follow to change the data we process or request removal of their data from our list.
Based on the above, it is sufficiently clear what the purposes of this processing are.
Can the individual, whose data is being processed, control the processing activity or object to it easily?

An ‘unsubscribe link’ at the bottom of our email is the easiest way to automate that process and ensure compliance across our lists.

That means that as soon as someone has asked us to unsubscribe, we delete their data. We keep a list (a suppression list) of all the companies and individuals who have asked to be removed from our database, then ensure that we do not contact them again.

Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?
As stated above, there are no privacy risks or harms.

4. Safeguards And Compensating Controls.

Safeguards include a range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing. These are likely to have been identified via a Privacy Impact Assessment conducted in relation to the proposed activity. For example: data minimisation, de-identification, technical and organisational measures, privacy by design, adding extra transparency, additional layers of encryption, multi-factor authentication, retention, restricted access, opt-out options, hashing, salting, and other technical security methods used to protect data.
Please include a description of any compensating controls that will be put in place or are already in place to preserve the rights of the individual.
  • We will not transfer or sell any user’s personal data to any other company.
  • We will retain the personal data in accessible form only for as long as necessary.
  • All data transmissions are encrypted using Transport Layer Security (TLS).
  • We follow Privacy by Design and by Default
  • We offer an opt-out option
  • All of Convert’s servers are located in Europe, so we don’t have to worry about data flow outside of the EU.

5. Reaching a Decision And Documenting The Outcome

Using the responses above now document if you believe you are able to rely on Legitimate Interests for the processing operation. Please explain, perhaps using bullet points, why you are, or are not, able to rely on this legal basis. You should draw on the answers you have provided in this LIA.
Outcome of Assessment: We meet the definitions and requirements of the GDPR in our justification to use Legitimate Interests. Based on our processes, we do not believe that our processing will have a detrimental or harmful impact on the data subject. Data subjects may contact us at to request removal or suppression from any data that we hold or to demand any other rights detailed within the GDPR.
Signed by: Dionysia Kontotasiou
Role: Privacy and Security Officer
Dated: 9th March 2022
© 2024, Convert Insights Inc. All rights reserved