Who does GDPR apply to: focus on B2B companies

The GDPR requires all businesses that handle personal data of EU citizens to follow rules on how they collect, use and store that information. It’s no surprise that B2B sales and marketing teams are among the groups most affected by this regulation.

In this article we aim to take you through some of the ways GDPR has an impact on businesses and the steps you can take to have fully compliant marketing systems.

Does GDPR apply to B2B data?

Yes. The GDPR applies wherever you are processing personal data. This means if you can identify an individual either directly or indirectly, the GDPR will apply. Personal data includes anything that makes someone identifiable, including (but not limited to) names, phone numbers, IP addresses and personal email addresses.

Does GDPR apply to B2B emails?

Yes. Before sending a cold email you’ll need to verify that you’re allowed to contact the recipient under the GDPR. There are six ways to establish a lawful basis to process someone’s personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest.

When sending cold emails to a business email address (e.g. john.doe@company.com), B2B companies should be able to rely on legitimate interest.

Under legitimate interest, data must be used in a way people would reasonably expect and that has a minimal privacy impact (where an individual’s rights would be infringed, those rights override your legitimate interest). Simply put, you have to make sure you’re emailing the right people with a message they’ll be interested in hearing.

Alternatively, if you’ve gained verifiable consent via a signup form, you’re good to go.

Please note, however, that decisions regarding which legal basis applies can be tricky and, therefore, we strongly suggest consulting a lawyer in this regard.

Finally, keep in mind that if the email address isn’t tied to any one person (e.g. info@company.com), it may even fall outside the scope of “personal data”.

What else should B2B companies consider?

  • If you are relying on legitimate interest for direct marketing, you must stop processing when someone objects.
  • If you are relying on consent, the individual has the right to withdraw their consent at any time. You must stop the processing when they withdraw consent.
  • If your data processing activities are not occasional (or your company has more than 250 employees), you need to keep and maintain “full and extensive” up-to-date records of the particular data processing activities you’re carrying out.

How can B2B companies comply with the GDPR?

  • Apply the principle of data minimisation – the more types of data you process, the greater the risk. Strategize and plan with risk in mind.
  • Identify and/or review your legal basis for processing personal data, ideally with a legal professional.
  • Have a compliant privacy policy: under the GDPR privacy policies must be easy to read and understand, easy to access, must contain the right information and must be up-to-date.
  • Review your systems for honoring GDPR user rights.
  • Keep valid records of your data processing activities (including internal records of processing).
  • Manage consent in a compliant way and maintain valid records of consent.

More on GDPR compliance

Do you have these 15 things in place to be fully compliant with the GDPR? Check out our list here:

👉 GDPR cheat sheet: 15 things to know

What if we’re not GDPR compliant?

The consequences for non-compliance can include fines up to €20 million or 4% of the annual worldwide turnover (whichever is greater). Not all GDPR infringements lead to fines: sanctions may include official reprimands, periodic data protection audits (which can result in being barred from using data associated with the violation — including entire email lists) and liability damages.

About us

iubenda

GDPR compliance for your site, app and organization

www.iubenda.com