Using a data enrichment tool to find a prospect’s email or phone number from their LinkedIn profile? You’re processing personal data — and GDPR applies in full.

The question isn’t whether B2B data enrichment is legally regulated. It is, no exceptions. The real question is who in your organization owns that compliance — and how you structure your practices to prospect effectively without putting the business at risk.

That’s exactly where the DPO (Data Protection Officer) comes in. Between sales teams pushing for enriched lists and GDPR’s legal requirements, the DPO sits at the intersection. But to make that relationship work, everyone needs to understand what the DPO’s role actually covers — and where their own responsibilities begin.

TL;DR
The DPO oversees GDPR compliance for all data processing, including B2B enrichment. In outbound prospecting, the applicable legal basis is legitimate interest. Teams must maintain a processing record, sign a DPA with every enrichment vendor, and respect contact rights. The DPO does not block prospecting — they make it defensible.


What Is a DPO — and Why Should Sales Teams Care?

The DPO (Data Protection Officer) is the designated person responsible for driving GDPR compliance within an organization. They advise teams, map data processing activities, and act as the primary point of contact between the company and its supervisory authority (the ICO in the UK, or equivalent in your jurisdiction).

Their job is not to block commercial initiatives. It’s to frame those initiatives so they hold up legally.

Why does this directly affect you as a Growth Manager, SDR, or Sales Ops? Because B2B data enrichment — finding a professional email, a direct phone number, or firmographic data from a name or a LinkedIn URL — constitutes personal data processing under GDPR. Even in a B2B context, there are real human beings behind those company records. The personal data involved in outbound prospecting typically includes: professional email addresses, phone numbers, and the identity of the individual representing the company.

In other words: the moment you enrich a prospect record with information that makes a specific individual identifiable, you’re in GDPR territory — and in the DPO’s area of responsibility.


When Is Appointing a DPO Mandatory?

Not every company is legally required to appoint a DPO. Designation is mandatory when one of three criteria is met: the organization is a public authority, its core activities involve large-scale, systematic monitoring of individuals, or its core activities involve large-scale processing of sensitive data categories.

For a B2B startup or SMB using an enrichment tool to fill a CRM pipeline, formal DPO designation may not be strictly required. But the ICO and equivalent authorities strongly recommend it — and several GDPR obligations apply regardless of whether a DPO has been formally appointed.

What’s mandatory for every company, regardless of size:

  • Maintaining a Record of Processing Activities (Article 30 of GDPR)
  • Identifying a valid legal basis for every type of personal data processing
  • Informing contacts about how their data is used
  • Enabling individuals to exercise their rights (access, rectification, objection, erasure)
  • Formalizing contracts with vendors through a DPA (Data Processing Agreement)

If your organization processes data at scale — lead gen agencies, multi-client enrichment pipelines, or sales teams running high-volume outbound — appointing a DPO shifts from best practice to legal obligation.


Data Enrichment and GDPR: Understanding the Connection

B2B data enrichment processes personal data

When Mike, a Growth Manager at a SaaS scale-up, uses a tool like Derrick to find a decision-maker’s professional email from their LinkedIn profile, he’s technically processing personal data.

Why? Because mike.johnson@company.com is personal data: it directly identifies a real individual. GDPR applies — even when the intent is purely commercial and B2B.

The exception: generic company addresses like info@company.com or hello@company.com are not personal data under GDPR, because they don’t identify a specific individual. Those belong to the company as a legal entity.

The applicable legal basis: legitimate interest

In B2B prospecting, the legal basis is typically legitimate interest. This means you don’t need prior consent before reaching out to a business contact. But the conditions are clear: the message must be relevant to the person’s professional role, and you must inform them at the first point of contact that their data is being used, and how they can object.

Concretely, you can contact a prospect without prior consent, provided you:

  • Ensure the outreach is relevant to their professional activity
  • Identify your company clearly in every message
  • Explain how you obtained their details
  • Provide a simple, immediate way to opt out
  • Honor that opt-out request immediately

The added layer: third-party enrichment

Data enrichment introduces an extra layer of complexity — the data doesn’t come directly from the prospect. It’s gathered through a third-party tool (LinkedIn scraping, professional databases, etc.).

This matters legally: using an enrichment data vendor does not transfer your compliance liability to them. As the data controller, your organization remains fully accountable for the lawfulness of the entire data chain — including what your vendors collect on your behalf.

It’s a point sales teams routinely underestimate: you own the compliance risk on enriched data, even when a third-party tool does the collecting.


The DPO’s Concrete Responsibilities Around B2B Enrichment

Here’s how Emma, DPO at an 80-person SaaS company, structures her involvement around the sales team’s data enrichment practices.

1. Map every processing activity linked to enrichment

The DPO’s first job is to document all processing activities involving personal data. In a B2B enrichment context, that means capturing:

  • Which enrichment tools are in use (email finders, phone finders, LinkedIn scrapers)
  • What data is collected (name, title, email, phone number, company)
  • The purpose of processing (prospecting, lead qualification, CRM updates)
  • How long enriched data is retained
  • Who has access to it (internal teams, CRM, automation tools)

This mapping feeds into the Record of Processing Activities, a mandatory document under GDPR Article 30.

2. Validate the legal basis and document the Legitimate Interest Assessment

The DPO must confirm that the chosen legal basis — legitimate interest — genuinely applies, and that it’s been properly documented. This involves producing a Legitimate Interest Assessment (LIA) that weighs:

  • The company’s legitimate business interest in prospecting
  • The impact on the rights and freedoms of the individuals being contacted
  • Whether those interests are balanced

This assessment needs to be on file and available if a supervisory authority asks for it.

3. Contract every enrichment vendor with a DPA

Every enrichment tool your team uses — email finder, LinkedIn scraper, professional database — is a data processor under GDPR. A Data Processing Agreement is mandatory whenever a vendor processes personal data on your behalf. Without it, the outsourcing arrangement is not GDPR-compliant.

The DPO must verify that each enrichment vendor has a DPA in place and that it properly covers:

  • The nature and purpose of the processing
  • Security measures and access controls
  • Confidentiality obligations
  • Data breach notification procedures
  • Data deletion or return at end of contract

4. Set retention periods and deletion workflows

How long can you keep enriched data on a prospect who never converted? The typical GDPR guidance is 3 years from the last meaningful interaction. After that, data should be deleted or re-qualified.

Mark, a Sales Ops lead at a lead gen agency, set up a simple flagging system inside his Google Sheets: any enriched prospect record with no interaction in 36 months gets flagged for review and deletion. This is exactly the kind of operational process the DPO needs to validate and document.

For a deeper look at enriching your lead database while keeping records clean, our practical guide walks through the right workflow.

5. Train commercial teams

Compliance isn’t a policy document that lives in a drawer. It shows up — or doesn’t — in the daily habits of your sales and marketing teams: who they contact, on what basis, with what paper trail.

The DPO is responsible for that training. In practice, it means getting SDRs, growth marketers, and sales ops to understand:

  • What they can and can’t do with enriched data
  • How to disclose the data source in outreach messages
  • How to handle an opt-out or data deletion request
  • Which tools and workflows have been approved

6. Handle data subject requests and complaints

When a prospect replies to a cold email with “How did you get my details? Please remove me from your list” — that’s a formal data subject request under GDPR. Article 13 of GDPR requires you to disclose the identity of the data controller and, where applicable, the DPO’s contact details.

The DPO must have a clear process for handling these requests within the legal deadline (one month), in coordination with the commercial team.


What Sales Teams Need to Do Day-to-Day

The DPO sets the framework. But compliance plays out in the daily habits of anyone running outbound. Here’s what every person involved in B2B data enrichment needs to do in practice.

Disclose at first contact

Every prospecting email needs to include:

  • Your company’s identity
  • Why you’re reaching out (legitimate interest)
  • How you obtained their contact details (e.g., LinkedIn public profile)
  • A simple, one-click way to opt out

A single line at the bottom of your email covers this: “I found your details via your LinkedIn profile. If you’d prefer not to hear from us, [unsubscribe here].” Short, transparent, and compliant.

Collect only what you actually need

GDPR’s data minimization principle means collecting only the data strictly necessary for your purpose. If your goal is to send a cold email, you don’t need a personal mobile number, home address, or behavioral data unrelated to the person’s role.

This applies directly to your enrichment workflows: only pull the attributes you’ll actually use. For email prospecting, the core set is typically: first name, last name, professional email, job title, company. For multichannel outreach that includes phone, you can add a direct number via a tool like Derrick Phone Finder — which retrieves numbers from LinkedIn profiles.

Segment before you enrich

Mass outreach with no targeting criteria is both a GDPR risk and a conversion killer. Your outreach must be relevant to the prospect’s professional activity — otherwise, the legitimate interest basis doesn’t hold, and you’re in the same territory as unsolicited consumer marketing, which requires explicit consent.

Segmentation is both a legal safeguard and a performance lever. A smaller, highly targeted list almost always outperforms a bloated, generic one.

Log where enriched data comes from

Every contact in your enrichment pipeline needs a documented source: LinkedIn, professional directory, trade event, inbound, etc. This traceability is non-negotiable — it’s what you produce when a prospect asks where you got their details, or when a supervisory authority runs a check.

In Google Sheets or your CRM, add a “Source” column and a “Date collected” column to every enriched record. It takes ten seconds per batch and saves hours of scrambling later.



DPO and Sales: How to Actually Work Together

The tension between GDPR compliance and prospecting goals is real. Sales wants speed, volume, and scale. The DPO wants documentation, justification, and defensibility.

The fix is not to treat these as opposing forces. The DPO defines the rules — legal bases, retention periods, opt-out processes. Sales and marketing translate those rules into operational habits: list qualification, CRM configuration, outreach templates. Team leads enforce those habits day-to-day.

Here’s how to make that collaboration work in practice:

1. Loop in the DPO before signing with a new enrichment vendor

Don’t evaluate a new email finder or LinkedIn scraper and then tell the DPO about it after. Bring them into the evaluation. They’ll check for a DPA, review the vendor’s data sourcing practices, and flag anything that creates risk — before it becomes a problem.

2. Build a shared GDPR reference document for prospecting

Define shared rules on the applicable legal basis, retention periods, opt-out handling, and the minimum required data fields for each contact. Get the DPO to validate it, then bake it into your CRM configuration and outreach templates.

This doesn’t need to be a 40-page policy. A single page covering: legal basis, allowed data types, retention limit, deletion process, and disclosure language for cold emails is enough to align the whole team.

3. Treat compliance as a performance asset

A clean, well-documented contact database avoids duplicates, mis-targeted outreach, and wasted sequences. Prospects respond better when they sense their data is handled transparently. And a GDPR-solid pipeline means legal or compliance teams can’t pause a campaign mid-quarter because of an unresolved documentation issue.

To build that kind of pipeline with verified, traceable data, check out the B2B lead generation workflows available with Derrick.


The Most Common Mistakes (and How to Fix Them)

Problem 1: Using an enrichment tool without a signed DPA

Symptom: Your team uses an email finder or LinkedIn scraper without a formal data processing contract with that vendor.

Impact: In a regulatory audit, you can’t demonstrate that your processor handles personal data in line with GDPR. As the data controller, you bear full liability for any gaps in their practices.

Solution: Make it a non-negotiable step before onboarding any enrichment tool — request the DPA. Serious vendors publish it in their documentation or offer it at signup. If a vendor can’t produce one, that’s a red flag that should disqualify them.


Problem 2: Not disclosing the data source in outreach messages

Symptom: Your cold emails don’t mention how you obtained the prospect’s contact details or how they can opt out.

Impact: Direct violation of GDPR Article 14 (information obligations when data is collected from third parties, not directly from the individual). Complaints to the ICO or equivalent can follow even without any malicious intent.

Solution: Add one line to every outreach template: “I found your details via your LinkedIn profile.” Follow it with a clear unsubscribe link. That covers the obligation in under 15 words.


Problem 3: Holding enriched data indefinitely

Symptom: Your CRM or Google Sheets contains thousands of enriched contacts from four, five, or six years ago — with no recent interaction to justify keeping them.

Impact: Violation of the storage limitation principle. If a prospect submits a data subject access request, you’ll have no lawful basis to justify retaining their information.

Solution: Set a clear retention policy (standard guidance: 3 years from last interaction) and schedule regular reviews. In Google Sheets, a simple “Last contacted” column with conditional formatting can flag records due for deletion or re-qualification.


Problem 4: Treating opt-out requests as optional

Symptom: A prospect replies asking to be removed. The unsubscribe takes days, isn’t logged, or the contact later receives messages from a different sequence.

Impact: Violation of the right to object under GDPR Article 21. This is one of the most common sources of regulatory complaints in B2B prospecting.

Solution: Every opt-out must be processed immediately and pushed across all tools — email sequencer, CRM, spreadsheets. Maintain a centralized suppression list and cross-reference it against every new batch of enriched contacts before sending.
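As an added example (not Derrick's code and not part of the original article), this Python pass implements the three operational checks the article recommends: the 36-month retention review from Problem 3, the suppression-list cross-check from Problem 4, and the "Source" / "Date collected" traceability check from the "Log where enriched data comes from" section. The Contact model, column names, today's date and all sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Minimal model of one enriched contact row. Field names mirror the
# "Source" / "Date collected" / "Last contacted" columns the article
# recommends; the model itself is an assumption made for this example.
@dataclass
class Contact:
    email: str
    source: Optional[str]            # e.g. "LinkedIn public profile"
    date_collected: Optional[date]
    last_contacted: Optional[date]   # None if the prospect was never reached

def normalize_email(addr: str) -> str:
    """Case-insensitive, whitespace-trimmed key so suppression matches reliably."""
    return addr.strip().lower()

def months_between(earlier: date, later: date) -> int:
    """Whole months elapsed between two dates (day-of-month aware)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months

def due_for_retention_review(contacts: List[Contact], today: date,
                             limit_months: int = 36) -> List[Contact]:
    """Contacts with no meaningful interaction within limit_months.
    Falls back to date_collected for prospects who were never contacted."""
    due = []
    for c in contacts:
        anchor = c.last_contacted or c.date_collected
        if anchor is None or months_between(anchor, today) >= limit_months:
            due.append(c)
    return due

def missing_traceability(contacts: List[Contact]) -> List[Contact]:
    """Records that cannot answer 'where did you get my details?'."""
    return [c for c in contacts if not c.source or c.date_collected is None]

def apply_suppression(contacts: List[Contact], suppression: List[str]) -> List[Contact]:
    """Drop every contact whose email is on the centralized opt-out list."""
    blocked = {normalize_email(e) for e in suppression}
    return [c for c in contacts if normalize_email(c.email) not in blocked]

# Constructed sample batch with fictional addresses, not real prospect data.
SAMPLE = [
    Contact("ana.perez@example.com", "LinkedIn public profile", date(2021, 2, 10), date(2022, 1, 5)),
    Contact("ben.lee@example.com", "Trade event", date(2024, 9, 1), None),
    Contact("chris.wu@example.com", None, None, date(2025, 3, 3)),
    Contact("dana.kim@example.com", "LinkedIn public profile", date(2025, 6, 1), None),
]
SUPPRESSION = ["Dana.Kim@example.com ", "someone.else@example.com"]  # constructed opt-out list
TODAY = date(2025, 7, 1)  # assumed review date

if __name__ == "__main__":
    print("review/delete:", [c.email for c in due_for_retention_review(SAMPLE, TODAY)])
    print("no source logged:", [c.email for c in missing_traceability(SAMPLE)])
    print("safe to send:", [c.email for c in apply_suppression(SAMPLE, SUPPRESSION)])
```

Run the suppression step against every new batch before it reaches the sequencer, and the retention step on a schedule; a record that fails the traceability check should be re-sourced or deleted rather than contacted.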


Problem 5: Assuming “professional data” isn’t personal data

Symptom: Your team treats LinkedIn-sourced or directory-sourced data as “company data” and assumes GDPR doesn’t apply.

Impact: Incorrect legal analysis. Any data that makes a specific individual identifiable — name, email, LinkedIn profile URL — is personal data, regardless of the professional context.

Solution: Apply one test: “Does this data allow me to identify a specific person?” If yes → personal data → GDPR applies. The only real exceptions are purely company-level identifiers: generic email addresses, main switchboard numbers, registered office addresses.


Key Takeaways

  • The DPO owns GDPR compliance across all data processing activities, including email enrichment and phone enrichment used in outbound prospecting.
  • The applicable legal basis in B2B prospecting is legitimate interest — not consent — provided the outreach is relevant to the contact’s professional role.
  • Every enrichment tool is a data processor: a signed DPA is mandatory before use, no exceptions.
  • Traceability matters — source, collection date, retention period — because it’s what you produce when you need to justify your practices.
  • GDPR doesn’t block B2B prospecting. A clean, well-documented pipeline converts better and creates fewer legal headaches.

Conclusion: The DPO as a Sales Enablement Partner

GDPR isn’t the enemy of outbound. It’s a framework that, when properly integrated, improves data quality, reduces legal exposure, and builds trust with the prospects you’re reaching out to.

The DPO’s value in that equation isn’t to veto campaigns — it’s to make them defensible. Bring them in early on tooling decisions, co-build a shared compliance reference with the sales team, and start treating data governance as part of your go-to-market strategy rather than an afterthought.

For teams enriching data directly in Google Sheets, tools like Derrick centralize the enrichment workflow — emails, phone numbers, LinkedIn data — while keeping sourcing and handling transparent and traceable.


FAQ

Can a DPO block a sales team from using a data enrichment tool?

The DPO can’t formally prohibit a processing activity, but they can issue a documented adverse opinion. If the business proceeds anyway, legal responsibility falls on the company’s senior leadership — not the DPO. In practice, a good DPO looks for compliant alternatives rather than outright blocks: for example, approving a tool conditional on a signed DPA or limiting its use to specific data types.

Does my company need a DPO if we use B2B data enrichment tools?

Not necessarily. DPO designation is mandatory for public bodies, organizations systematically monitoring individuals at large scale, or those processing sensitive data categories at scale. For most B2B startups and SMBs with moderate enrichment usage, it’s strongly recommended but not always legally required. However, the Record of Processing Activities, DPAs with vendors, and contact information obligations apply regardless.

What’s the difference between data controller and data processor in an enrichment context?

Your company (the one doing the prospecting) is the data controller: you decide the purpose and means of processing. The enrichment tool you use is the data processor: it handles data on your behalf. This distinction matters because it determines who carries primary legal responsibility — and why a DPA with every vendor is non-negotiable.

How long can I keep enriched data on a prospect who never replied?

Standard guidance is 3 years from the last meaningful interaction. After that, records should be deleted or re-qualified by obtaining a fresh signal of interest. This applies to enriched data just as it does to directly collected contact data.

What do I need to include in a prospecting email to stay GDPR-compliant?

You need to include: your company’s name, why you’re reaching out (legitimate interest), how you obtained their contact details, and a simple way to opt out. A one-click unsubscribe link and a line like “I found your details on LinkedIn” cover the Article 14 disclosure obligation in most cases — no lengthy legal boilerplate required.
