GDPR: B2B vs B2C – What you need to know

The most common questions we get asked by new and prospective clients are focused on GDPR. It’s no surprise as the regulations are poorly explained and little understood by many. So, we’ve noted down our most frequently asked questions in an attempt to clear the air.

What data can I hold in my database?

There is a major difference between business-to-business (B2B) and business-to-consumer (B2C) data. An organisation cannot hold B2C data that has been researched or listed about consumers without their “opt-in” permission, given, for example, by signing up to a newsletter. This includes personal email addresses (Gmail, Outlook, Yahoo) and other personal information such as names and addresses.

Businesses can hold B2B data if it has been researched via open-source methods. The difference is that the data is built from a contact’s business profile, including executive email addresses and organisation contact details. Again, this data must be researched via open-source methods if it was not obtained through opt-in.

Can I email my contacts without opt-in?

If they are B2B contacts, then yes. Under GDPR’s “grounds of legitimate interest” clause, you may contact a prospect via cold outreach, provided you can prove that your business offers products/services which can be of legitimate interest to their business.

Your contacts do not have to have specifically opted in to your marketing for you to contact them, although most marketers would suggest running an onboarding campaign for these cold contacts, with a call-to-action for them to opt in to marketing content in order to convert.

Do I need to adhere to any other conditions?

When marketing to B2B data, you need to ensure that an ‘unsubscribe’ option is clearly defined and adhered to for your prospects. It’s always recommended that you retain these contacts in an unsubscribe exclusion list instead of deleting them, to avoid the possibility of mistakenly adding the contact again in the future.

What if I get a Subject Access Request (SAR)?

A contact has the right to issue a “Subject Access Request” (SAR) to receive a copy of their personal data and the source it came from. You should respond to such a request within one month and disclose this in a secure manner. As mentioned, if you have proof that you have accessed data via open-source methods, then this is within regulatory compliance.

If data comes from a bulk data list provider, this may be the subject of further questioning, which might be a risk for your business. Normally, delivering this information and giving assurance that these contacts will be unsubscribed from future marketing will resolve the issue.

For a free consultation on how to keep up to scratch with GDPR and data use, simply get in touch.