GDPR Advice
Antonio Angel Muñoz avatar
Written by Antonio Angel Muñoz
Updated over a week ago

First of all, what is GDPR?
GDPR means "Protection and regulation of general data". It is a new European Union law aimed at protecting the privacy of personal data and giving EU stakeholders more control over their own personal information. To do business with anyone in the European Union, whether you are part of the EU / EEA or not, companies must follow strict guidelines on how to collect, use and retain data about their customers.

Is your company based in Europe or has business in it? Then you should pay attention to this new law that has been described as "the most important change in the regulation of data privacy in 20 years." It will affect any business that has clients or customers in Europe. "

GDPR and B2B

GDPR is a very broad law, that affects a lot of digital relations between companies and users. To sum up, it protects consumers by establishing strict rules on how companies can collect, process and protect their personal data. The GDPR covers all communications with data (B2C and B2B), however, there are still other regulations in force in each country.We’ll focus on B2B effects.

Think about the pieces of information that are most crucial to your B2B campaigns. They include email addresses, details about decision-makers in the companies to which they are directed, and more. Some of the details you will use in a B2B campaign do not qualify as personal data. However, the company's email addresses are still technically "personal information" under GDPR.

Note that there are two important GDPR requirements that B2B companies should know about.

First, you can not send emails to prospects without consent that are "freely delivered, specific, informed and [a] unequivocal indication of the person's wishes". In other words, you can not send unwanted emails to potential customers that you do not want. You must get your permission before you can start launching your products or services.

Right to be forgotten
Second, you must respect the "right to be forgotten". Suppose you communicate with a contact who has no interest in your company or in what you offer. This person wants you to delete their email address, along with any other information you may have about them. To comply with GDPR, you must respect these wishes and delete the information of the person from your B2B database.

Is this the end of cold emails?

Obviously, there is great concern among companies that the new GDPR requirements could be the end of B2B marketing as we know it. Based on the section of the regulation cited above, GDPR essentially prohibits cold calling emails. Apparently, this requirement puts B2B marketing specialists in a difficult position. Of course, it is not impossible to get potential customers to give their consent to their emails before sending them. A typical example of this type of consent could be a trade fair or exhibition, where we encourage potential customers to subscribe to their email list. Whenever prospects know what they are subscribing to, this type of scenario would qualify as consent under the GDPR regulation.

The problem is that many companies do not conduct their B2B marketing activities in this way, at least not for each contact. It is much more common for marketers to conduct online research, identify potential customers, find contact information for decision makers, and communicate with key personnel. This strategy allows you to grow your list of contacts consistently. It also means that you can contact companies that you have not found at trade shows, or that you have not visited your website through inbound marketing.

Fortunately, the answer is "Not necessarily." Article 6.1 of the General Data Protection Regulation includes six legal bases for the processing and use of personal data.

The reason is the following: acceptance consent: the client allows you to communicate with them, or invites you to do so. Contractual requirement: the company (for example, you) must process the customer's personal data (your email address / contact information) to fulfill a contract. Legal compliance: the company must process customer data for reasons of legal compliance. Higher interest: the company must process customer data to protect the best interests of the interested party (or the best interests of another person). Public interest: data processing is essential in the interest of the public. Legitimate interest: there is a direct quote in the GDPR regulation that says: "The processing of personal data for direct marketing purposes can be considered as being carried out by a legitimate interest." Some of these points are confusing.

Fortunately, B2B marketing specialists need only worry about two of them. The first is the acceptance consent requirement, which we have already discussed. If a potential client voluntarily enrolls to receive emails from your company, that person has met the acceptance consent criteria. The second point of interest is the last one: legitimate interest. B2B marketing specialists can use this argument to justify most communications with potential clients. Legitimate interest: how does it work? Is it a lagoon? What exactly is the legitimate interest, can you ask? Unfortunately, there is still some debate on this issue, since it is not 100% clear what qualifies as "legitimate interest".

However, since the GDPR specifically mentions direct marketing in Article 47 as potentially viable under legitimate interest (for example, email marketing) it seems that commercial interests on the part of the sender (you) with relevant communications for the recipient (your potential client) can qualify.

The crucial aspect here is that, although it is not 100% clear, the GDPR does indicate it when using it as its legal basis to process Personal Data, you must be sure that the individual rights and freedoms of that person are not adversely affected and said impacts nullify their legitimate reason for processing their data. The "legitimate interest" rule is not a loophole that gives your business carte blanche to ignore GDPR. While this point seems to provide additional room for maneuver for direct sellers, it is worth noting that there should be interest on both sides of the equation. It is obvious that your company has a "legitimate interest" in turning a potential client into a paying customer. However, if the prospect has a "legitimate interest" in receiving communications from your company, it is another completely different matter. To avoid encountering GDPR compliance problems with their direct marketing strategies, companies must follow three key rules. First, make sure you are practicing permission-based marketing.
The permission can be granted with the acceptance consent from the beginning, but it can also be obtained with time. If you do not have the consent, you do not have "permission" to send an email unexpectedly and sell a sale. Instead, you want to establish a relationship and earn the right to launch a sale later. If you follow this strategy, you should avoid a situation in which the people with whom you relate feel blackmailed or inclined to report you for GDPR infractions. Second, remember that you still want consent consent.

Obtaining that consent should be a natural part of the permitting process. You want to build enough trust with your potential customer so you can ask permission to launch. If you get the consent, you are in the clear regardless of how the European Council decides to interpret the "legitimate interest" rule in the future. You should also keep track of when you obtained the consent, who gave it and other details of the exchange. Having this information registered will help you protect yourself in the unlikely event that someone files a complaint related to your business related to GDPR.
Third, you must, without exception, respect requests for voluntary exclusion. If someone says they no longer want to receive their emails, or suggest that it is bothering them, they should go back immediately. If you do not recognize the signs that your communications are not welcome, you could put you at risk for a GDPR compliance violation. It does not want to take that risk, given that companies can face maximum fines of € 20 million or 4% of their "annual global rotation" (another term for global revenues). What to do with your databases Knowing the legitimate interest should put your fears about the requirements of GDPR to rest. Regulation should not kill email marketing as we know it. Instead, it will only encourage companies to be smarter and more respectful of direct marketing strategies, which is not bad for anyone. However, even with the legitimate interest argument in your back pocket, you should search your email database and follow the steps to make it ready for GDPR. There are some preparations you can do;

First, and with the utmost urgency, you must obtain consent now for your existing clients. Yes, it is assumed that existing customers and contacts also accept, even if they have been buying your product or service for years. Of course, if you have an existing relationship with someone, the acceptance consent is little more than a formality. It is likely that a long-standing customer will not turn around and report a violation of the GDPR if he does not take this step. However, it is preferable to have proof of consent for all of your clients. Then, whenever you add new leads to your email database, do your homework. Be sure to contact potential customers whose interests are relevant to your product or service. Otherwise, you will have difficulty making a "legitimate interest" defense. If you tend to buy your email lists from data providers, get in the habit of buying only from companies that allow you to make an advanced selection of profiles. This strategy will help you avoid irrelevant contacts, something you should want to do anyway. Finally, make sure your databases are secure. The email contact lists include personal data and are subject to the privacy and data protection requirements of GDPR.

You should consult the General Data Protection Regulations to know your obligations, not only for email lists, but also for customer data that you retain. But what happens if I'm not in the EU? One of the big mistakes of GDPR is that it will not matter to any company that has its headquarters outside the European Union. Even if your company does not have its geographical base in the EU, you should still follow GDPR if you do business with EU companies. Say that your business is based in the United States, but that you are expanding abroad and want to target your ads to companies in countries such as France or Germany. Before participating in any B2B (or B2C) activity in any EU country, you must ensure that you comply with GDPR. It can still face the same punishments as the real companies of the EU, even if it is not based in the EU.


Disclaimer: This is not a Legal advise, therefore no liability can be derived from the article. This document only contains some guidance about what is the GDPR and how may affect our customers in terms of how create new professional relationships. Please, contact specialised Data Privacy lawyers in order to get proper legal recommendations that cover your specific requirements.

Thanks to Leadiro for the clarification, check the source here

Did this answer your question?