Does GDPR apply to b2b data?

If you are processing personal data for “b2b” or business-to-business purposes, does GDPR apply?

There is often some confusion over this issue but in most cases yes, the GDPR still applies.

So in this article we’ll look at some examples of b2b processing and explore what you may need to consider in order to stay compliant. 

What do we mean by B2B data?

For the purposes of this article we are defining b2b data as personal data which has been collected within a b2b context. For example, you have collected the name, email address and company name (employer) of a person to whom you are attempting to sell your product or service.

How does GDPR apply to b2b data?

GDPR applies because the scope of personal data under GDPR is broad. It covers any data which relates to a living person and which can identify that person directly or indirectly. The GDPR does not make any exceptions for data that is collected in the context of a b2b transaction or interaction.

So we are clear that the data is covered, but what about the data processing activities? Well, the scope of data processing under GDPR is also broad.

The legal text defines personal data and data processing as follows:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Source: Article 4 – GDPR

In short, the GDPR does not exempt any personal data processing activity from its rules just because it is carried out in a business-to-business context. You must apply the rules the same as you would with personal data from consumers.

What about business email addresses?

Let’s explore an example. We collect the details of a potential prospect from a company website and add them to our CRM, such as Salesforce.

Example data: (this data is fabricated)

Name: Jane Bloggs
Email: [email protected]
Job title: Head of Customer Experience

We also add a record into our CRM for the sales team of the company.

Email: [email protected] (this email is not active and is for demonstration purposes only)

The GDPR applies fully to the first data item collected. Even though “Jane Bloggs” is an employee of the company, their data is still personal and therefore must be afforded protections under GDPR.

The GDPR does not apply to the second item of data. The email “salesteam” does not identify a living person directly or indirectly and therefore GDPR does not apply.

In practice this means that if you store the first data item in your CRM then you must comply fully with GDPR, including giving that person notice of your privacy information and fulfilling all of their rights under GDPR if they request them.

Quite a burden. So you might want to think twice before buying in lists or filling that CRM up with random prospects.

How does GDPR apply to personal data collected for the purposes of b2b marketing?

The ICO make it clear that just because data is collected for marketing purposes it is not exempt from GDPR. The same rules apply. However, there are some exemptions which you can apply under PECR (ePrivacy) which will allow you to further process the data you collect for marketing purposes without consent in some situations, for example where the contact is from a Ltd Company and resides within the UK/EEA. Please be aware that this exemption is applied with some limitations, so you should undertake some professional PECR training or seek legal advice before applying it.

What about data collected from publicly available sources?

GDPR still applies to this information. Just because you collected it from a public source, such as a directory or social media profile, does not mean that it is exempt from GDPR.

What action should a company processing personal data for b2b purposes take to comply with GDPR?

Companies processing personal data for b2b purposes should take the same actions that companies processing data for b2c purposes do. This includes, but is not limited to, putting a data privacy compliance programme in place, creating and maintaining documentation, running audits and giving all staff regular GDPR and data privacy training.