GDPR and Cold Outreach in Ireland: What B2B Sales Teams Get Wrong

Paul Allen

There are two types of Irish B2B sales teams when it comes to GDPR. The first type ignores it entirely and cold emails with the same abandon they did in 2017. The second type has read one LinkedIn post about DPC fines and decided cold outreach is basically illegal now.

Both are wrong. And both are leaving money on the table.

Here's what GDPR actually says about cold outreach, and how to run compliant campaigns that still generate pipeline.

The One Thing Most Teams Get Confused

GDPR doesn't ban cold outreach. It never did. What it bans is cold outreach without a lawful basis for processing personal data.

There are two lawful bases relevant to B2B sales: consent and legitimate interest. Consent is what everyone thinks of: someone fills in a form, ticks a box, subscribes to your list. That's the cleanest basis, but it's also the most restrictive, because you can only contact people who've actively opted in.

Legitimate interest is where B2B cold outreach actually lives. It allows you to contact someone without prior consent, provided three things are true: you have a genuine business reason to contact them, the contact is relevant to their professional role, and your interest doesn't override their right to privacy.

A SaaS company contacting the Head of Finance at a mid-sized Irish firm about expense management software? Legitimate interest. A random email blast to 10,000 scraped addresses about something tangentially related to their industry? Not legitimate interest; that's just spam with a GDPR excuse attached.

What "Legitimate Interest" Actually Requires

The DPC doesn't just take your word for it. Legitimate interest requires a Legitimate Interest Assessment (LIA), a documented balancing test that shows:

  • What your business interest is in making contact
  • Why that interest is relevant to this specific person's professional role
  • That you've considered their right to privacy and your interest outweighs it

Nobody is asking you to file this with the DPC before every email send. But you need to be able to produce it if asked. "We were selling payroll software and we emailed payroll managers" is a defensible LIA. "We bought a list and emailed everyone" is not.

The practical upshot: targeted, role-relevant outreach is fine. Spray-and-pray blasting is what gets you in trouble.

The Rules for Cold Email Specifically

If you're emailing under legitimate interest, here's what GDPR requires:

  • Tell them how you got their data. Not a legal paragraph, just one sentence. "I found your details on LinkedIn" or "we sourced this contact from [database]" is enough. It demonstrates transparency, which is a core GDPR principle, and it reads as honest rather than eerie.
  • Give them an easy opt-out. Every cold email needs an unsubscribe mechanism. This doesn't have to be a fancy footer with a one-click link, though that's cleanest. It can be as simple as "reply with 'remove' and I'll take you off my list." What you can't do is make people jump through hoops to opt out, or ignore opt-out requests.
  • Honour opt-outs immediately. This is the one people fall down on. If someone opts out, they come off the list. Not next week. Not after the current sequence finishes. Immediately. The DPC has issued guidance on this explicitly.
  • Only collect and store what you need. Don't build sprawling databases of personal data you're not actively using. Name, email, job title, company: that's all you need for outreach. You don't need date of birth, personal social media, or anything else. Data minimisation is a GDPR requirement, not a suggestion.

Cold Calling Under GDPR

Same principles apply, with one additional layer: the national opt-out register. Ireland doesn't have a direct marketing opt-out register for B2B the way the UK has the TPS for consumers, but businesses with individual contact numbers registered on the National Directory Database opt-out list are protected.

For direct dials to business lines, legitimate interest covers most standard B2B cold calling. For mobile numbers, which are increasingly how you reach senior decision-makers, you're on shakier ground unless you can demonstrate strong legitimate interest. A cold call to someone's direct mobile because you scraped it from a conference attendee list is a different risk profile to calling a published business number.

Practically: document your calling list sources, note where numbers came from, and train your team to log opt-out requests the moment they happen.

The DPC and What It Actually Pursues

The DPC can fine up to €20 million or 4% of global annual turnover, and those numbers get quoted in every GDPR article ever written to create a sense of existential dread.

Here's the reality: the DPC pursues systemic violations and large-scale data breaches. The WhatsApp fine (€225 million), Meta's repeated enforcement actions, the investigations into multinationals with Irish EU headquarters: that's what the DPC spends its time on.

An Irish SME running targeted, documented, legitimate-interest B2B outreach to a clean list isn't the DPC's priority. What would attract scrutiny is: a verifiable data breach, a flood of complaints from recipients, or evidence of systematic ignoring of opt-out requests.

That said, the rules exist, they're enforceable, and the cost of compliance is low. There's no reason not to do this properly.

The Practical Checklist

Before you send your next cold sequence:

  • List hygiene: Where did these contacts come from? Can you articulate why each person's role makes them relevant to what you're selling? If you can't, the list needs work.
  • LIA documented: Even a one-paragraph internal note counts. State your legitimate interest, note it's role-relevant, confirm it doesn't override privacy rights.
  • Transparency line in email: One sentence explaining how you found them.
  • Opt-out mechanism: Unsubscribe link or clear reply instruction. Your CRM should be removing opt-outs immediately.
  • Data retention policy: How long do you keep contact data? What happens to people who opt out: are they deleted or just suppressed? You need a clear answer.
  • Tools: HubSpot, Salesforce, and Lemlist all have GDPR compliance features built in. Use them. Tracking consent status and automating opt-out removal isn't optional admin; it's what protects you.

What This Means for Irish B2B Teams in 2026

The March 2026 algorithm updates and the general direction of search are pushing towards genuine expertise and original insight. That matters for GDPR content too, but it also reflects a broader truth about B2B sales in Ireland right now.

Buyers are harder to reach and more protective of their time. The compliance-averse spray-and-pray approach produces worse results and more legal risk. Targeted, well-researched outreach to the right people with a clear legitimate interest produces better results and keeps you on the right side of the DPC.

GDPR isn't the enemy of good cold outreach. It's an argument for doing it properly.

