Information on the LOPD/GDPR/RGPD

First of all, what is GDPR?

GDPR stands for "General Data Protection Regulation". It is a new European Union law that aims to protect personal data privacy and give EU stakeholders more control over their own personal information. To do business with anyone in the European Union, whether they are part of the EU/EEA or not, companies must follow strict guidelines on how they collect, use and retain data about their customers.

Is your company based or doing business in Europe? Then you should pay attention to this new law, which has been described as "the most significant change in data privacy regulation in 20 years". It will affect any business that has customers or clients in Europe.

GDPR and B2B

GDPR is a very broad law, which greatly affects digital relationships between businesses and users. In short, it protects consumers by setting strict rules on how companies can collect, process and protect their personal data. The GDPR covers all data communications (B2C and B2B); however, there are still other regulations in place in each country. We will focus on the B2B effects.

Think about the pieces of information that are most important for your B2B campaigns. They include email addresses, details about the decision-makers in the companies you are targeting and more. Some of the details you will use in a B2B campaign do not qualify as personal data. However, company email addresses are still technically 'personal information' under the GDPR.

Note that there are two important GDPR requirements that B2B companies need to be aware of.

First, you cannot send emails to potential customers without consent that is a "freely given, specific, informed and [an] unambiguous indication of the person's wishes". In other words, you cannot send unsolicited emails to prospects that they do not want. You must get their permission before you can start marketing your products or services.

Right to be forgotten

Secondly, you must respect the "right to be forgotten". Suppose you communicate with a contact who has no interest in your company or what you offer. This person wants you to delete their email address, along with any other information you may have about them. To comply with GDPR, you must respect these wishes and remove the person's information from your B2B database.

Is this the end of cold emails?

Obviously, there is a great deal of concern among businesses that the new GDPR requirements could be the end of B2B marketing as we know it. According to the section of the regulation quoted above, GDPR essentially bans cold emails. Apparently, this requirement puts B2B marketers in a difficult position. Of course, it is not impossible to get potential customers to consent to your emails before sending them. A typical example of this type of consent might be a trade show or exhibition, where you encourage prospects to subscribe to your email list. As long as prospects know what they are subscribing to, this type of scenario would qualify as consent under the GDPR.

The problem is that many companies do not conduct their B2B marketing activities in this way, at least not for every contact. It is much more common for marketers to conduct online research, identify leads, find contact information for decision-makers and communicate with key personnel. This strategy allows you to grow your contact list steadily. It also means you can contact companies that you haven't met at trade shows or that haven't visited your website through inbound marketing.

Fortunately, the answer is "Not necessarily". Article 6.1 of the General Data Protection Regulation includes six legal bases for the processing and use of personal data.

The six bases are as follows:

Acceptance consent: the customer allows you to communicate with them, or invites you to do so.

Contractual requirement: the company (e.g. you) must process the customer's personal data (their email address / contact information) to fulfil a contract.

Legal compliance: the company must process the customer's data for legal compliance reasons.

Best interests: the company must process the customer's data to protect the best interests of the data subject (or the best interests of another person).

Public interest: processing the data is fundamentally in the public interest.

Legitimate interest: there is a direct quote in the GDPR regulation that says: "Processing personal data for direct marketing purposes may be considered to be carried out for a legitimate interest".

Some of these points are confusing.

Fortunately, B2B marketers need only worry about two of them. The first is the opt-in consent requirement, which we have already discussed. If a potential customer voluntarily signs up to receive emails from your company, that person has met the opt-in consent criteria. The second point of interest is the last one: legitimate interest. B2B marketers can use this argument to justify most communications with prospects.

Legitimate interest: how does it work, is it a loophole?

What exactly is legitimate interest, you may ask? Unfortunately, there is still some debate on this topic, as it is not 100% clear what qualifies as "legitimate interest".

However, given that the GDPR specifically mentions direct marketing in Article 47 as potentially viable under a legitimate interest (e.g. email marketing), it seems that commercial interests on the part of the sender (you) with communications relevant to the recipient (your potential customer) may qualify.

The crucial aspect here is that, although it is not 100% clear, the GDPR does indicate that when you use legitimate interest as your lawful basis for processing personal data, you must ensure that the person's individual rights and freedoms are not adversely affected in a way that overrides your legitimate ground for processing their data. The "legitimate interest" rule is not a loophole that gives your company carte blanche to ignore the GDPR. While this point seems to provide additional leeway for direct marketers, it is worth noting that there should be interest on both sides of the equation. It is obvious that your company has a "legitimate interest" in converting a lead into a paying customer. However, whether the potential customer has a "legitimate interest" in receiving communications from your company is another matter entirely.

To avoid encountering GDPR compliance issues with their direct marketing strategies, businesses should follow three key rules.

First, be sure to practice permission-based marketing. Permission can be granted with opt-in consent at the outset, but it can also be obtained over time. If you don't have consent, you don't have "permission" to send an unexpected email and pitch a sale. Instead, you want to establish a relationship and earn the right to pitch a sale later. If you follow this strategy, you should avoid a situation where the people you engage with feel blackmailed or inclined to report you for GDPR violations.

Second, remember that you still want to obtain consent. Obtaining that consent should be a natural part of the permissions process. You want to build enough trust with your potential customer that you can ask for permission to pitch. If you obtain consent, you are in the clear regardless of how the European Council decides to interpret the "legitimate interest" rule in the future. You should also keep track of when you obtained consent, who gave it, and other details of the exchange. Having this information on record will help protect you in the unlikely event that someone files a GDPR-related complaint about your business.

Third, you must, without exception, honor opt-out requests. If someone says they no longer want to receive your emails, or suggests that you are bothering them, you should back off immediately. If you fail to recognize the signs that your communications are unwelcome, it could put you at risk of a GDPR compliance breach. You don't want to take that risk, given that companies can face maximum fines of €20 million or 4% of their "annual global turnover" (another term for global revenue).

What to do with your databases

Knowing about legitimate interest should allay your fears about GDPR requirements. The regulation should not end email marketing as we know it. Instead, it will only encourage companies to be smarter and more respectful in their direct marketing strategies, which is not a bad thing for anyone. However, even with the legitimate interest argument in your back pocket, you should still look into your email database and follow the steps to prepare it for GDPR. There are a few preparations you can make:

First, and most urgently, you must obtain consent now for your existing customers. Yes, existing customers and contacts are expected to give consent as well, even if they have been buying your product or service for years. Of course, if you have an existing relationship with someone, opt-in consent is little more than a formality. A long-standing customer is unlikely to turn around and report a GDPR breach if you don't take this step. However, it is preferable to have proof of consent from all your customers.

Then, every time you add new leads to your email database, do your homework. Make sure you contact potential customers whose interests are relevant to your product or service. Otherwise, you will have difficulty making a "legitimate interest" defense. If you tend to buy your email lists from data providers, make a habit of buying only from companies that allow you to do advanced profiling. This strategy will help you avoid irrelevant contacts, something you should want to do anyway.

Finally, make sure your databases are secure. Email contact lists include personal data and are subject to GDPR privacy and data protection requirements.

You should consult the General Data Protection Regulation to know your obligations, not only for email lists, but also for the customer data you keep.

But what if I'm not in the EU?

One of the big misconceptions of the GDPR is that it won't matter to any company that is based outside the European Union. Even if your company is not geographically based in the EU, you must still follow the GDPR if you do business with EU companies. Let's say your company is based in the United States, but you are expanding overseas and want to target your ads to companies in countries such as France or Germany. Before engaging in any B2B (or B2C) activity in any EU country, you need to make sure you comply with GDPR. You can still face the same penalties as real EU companies, even if you are not based in the EU.


Disclaimer: This is not a legal notice, therefore, no liability can be derived from the article. This document only contains some guidance on what GDPR is and how it may affect our clients in terms of how to create new professional relationships. Please contact data privacy lawyers for appropriate legal recommendations covering your specific requirements.

Thanks to Leadiro for the clarification, see source here.

Updated on: 15/12/2023
