How does GDPR affect B2B

Yes. The GDPR applies wherever you are processing personal data. This means if you can identify an individual either directly or indirectly, the GDPR will apply. Personal data includes anything that makes someone identifiable, including (but not limited to) names, phone numbers, IP addresses and personal email addresses.

Yes. Before sending a cold email you’ll need to verify that you’re allowed to contact them under the GDPR. There are six ways to establish a lawful basis to process someone’s personal data: consent, contract, legal obligation, vital interests, public task and legitimate interest.

When sending cold emails to a business email address (e.g. john.doe@company.com), B2B companies should be able to rely on legitimate interest.

Under legitimate interest, data need to be used in a way people reasonably expect but also have a minimal privacy impact (in cases in which an individual’s right will be breached, their rights will override your legitimate interest). Simply put, you have to make sure you’re emailing the right people with a message they’ll be interested in hearing.

Alternatively, if you’ve gained verifiable consent via a signup form, you’re good to go.

Please note, however, that decisions regarding which legal basis applies can be tricky and, therefore, we strongly suggest consulting a lawyer in this regard.

Finally, keep in mind that if the email address isn’t tied to any one person (e.g. info@company.com), it may even fall outside the scope of “personal data”.

• If you are relying on legitimate interest for direct marketing, you must stop processing when someone objects.
• If you are relying on consent, the individual has the right to withdraw their consent at any time. You must stop the processing when they withdraw consent.
• If your data processing activities are not occasional (or your company has more than 250 employees), you need to keep and maintain “full and extensive” up-to-date records of the particular data processing activities you’re carrying out.

• Apply the principle of data minimalization – the more types of data your process, the largest the risk. Strategize and plan with risk in mind.
• Identify and/or review your legal basis for processing personal data, ideally with a legal professional.
• Have a compliant privacy policy: under the GDPR privacy policies must be easy to read and understand, easy to access, must contain the right information and must be up-to-date.
• Review your systems for honoring GDPR user rights.
• Keep valid records of your data processing activities (including internal records of processing)
• Manage consent in a compliant way and maintain valid records of consent.

The consequences for non-compliance can include fines up to €20 million or 4% of the annual worldwide turnover (whichever is greater). Not all GDPR infringements lead to fines: sanctions may include official reprimands, periodic data protection audits (which can result in being barred from using data associated with the violation — including entire email lists) and liability damages.