The B2B Guide to GDPR: Common Questions and Expert Answers

If your organization plans to conduct any kind of digital marketing or sales activity targeting potential customers in the EU, it must follow the rules set out in the General Data Protection Regulation (GDPR), one of the more stringent privacy and security laws in the world.

Complying with GDPR is paramount for any business operating in the EU. So, what does this really mean for you, your business, and your customers? Here, we answer the most frequently asked questions about GDPR and what it means for your B2B activities. 


What is GDPR?

The goal of GDPR is to give EU citizens more control over their personal data. 

The GDPR replaced the EU’s ‘Data Protection Directive’ enacted in 1995. A Directive allows EU member countries to choose whether or not to enact similar laws that they can customize, whereas a Regulation requires all member countries to enact the law in full. 

The Directive was replaced by the GDPR because: 

  1. The Directive was enacted in the internet’s infancy and didn’t address everything it needed to.
  2. There were benefits to enacting an EU-wide law instead of having different versions throughout the EU. 

In April 2016, all the countries in the EU adopted the GDPR, and its requirements are still upheld in the UK post-Brexit.

The GDPR established how lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability should be handled with regard to personal data. The GDPR pre-dates privacy legislation in many other countries and often serves as a template for new privacy and security laws around the world.

When did GDPR officially go into effect?

GDPR officially went into effect on 25 May 2018. Any company that does not provide consumers with its required level of data protection could be subject to serious fines.

What is considered personal data under GDPR?

The GDPR protects personal data including IP addresses, genetic information, and biometric data (fingerprints, facial recognition data, etc.). Its official definition of personal data reads as follows:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Who does GDPR impact? 

GDPR applies to any company, inside or outside the EU, that processes personal data of EU individuals and where the processing relates to either the offering of goods or services to those individuals or the monitoring of those individuals’ behavior within the EU. This means that major companies across the globe must have a solid plan for GDPR compliance or risk the penalties. 

It’s important to note that a financial transaction does not need to take place for GDPR regulations to apply.

Another important aspect is the concept of data controller vs. data processor. Here’s the difference between the two:

Data Controller: A natural person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.*

This is an individual who controls and is responsible for collecting and using personal data. Being a data controller comes with serious legal responsibilities. It’s important that you understand whether these regulations apply to you as an individual or to your company as a whole. If you’re not sure, we recommend that you consult with a legal advisor familiar with the local laws. 

Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.*

This is a person or company who holds or processes personal data at the direction of and on behalf of the data controller. Examples of data processors include third-party vendors such as payroll companies or accountants.

This distinction is important for a few reasons: Under GDPR, a data controller holds most of the liability should their organization experience a breach. The data controller is responsible for making sure that any data processors they work with are GDPR compliant. 

*For more information about data processors and data controllers, check out the official GDPR website.

Why was GDPR passed in the EU?

The important thing to understand about the GDPR rules and regulations is that they stemmed from concerns over how users’ data is collected, stored, and used. 

Almost all modern businesses collect and analyze personal data. Think about how many web forms you’ve filled out in your lifetime — first name, last name, email address, home address, employer, credit card information, etc.

The amount of data created and collected each day is growing exponentially. In fact, there are 40 times more bytes in the digital universe than there are stars in the observable universe. As technology advances and our digital footprints grow, these numbers will undoubtedly expand.

As the internet evolved, the need for more comprehensive regulations emerged. Decades-old legislation protecting names, addresses, and images was no longer enough to protect personal data. GDPR seeks to bring regulations up to speed with the current state of technology. 

Is GDPR applicable in the UK after Brexit?

The UK has its own framework known as UK GDPR. While GDPR stopped being ‘directly applicable’ when the UK exited the EU in December 2020, the Data Protection Act of 2018 retained GDPR requirements in domestic UK law and supplements the UK GDPR by providing exceptions to the law.

What does it mean for a B2B organization to be GDPR compliant?

For a company to be GDPR compliant it must abide by these principles:

  • Data must be processed lawfully, fairly, and in a transparent manner
  • Data can only be collected for specified, explicit, and legitimate purposes
  • The scope of the data must be adequate, relevant, and limited to what is necessary
  • Data must be accurate and kept up to date
  • Data may be held only for as long as is necessary and no longer
  • Data must be processed in a manner that ensures appropriate security of the personal data

If your business falls under GDPR, we recommend that you invest in compliance solutions, training, and legal expertise. This should provide you with the tools you need to protect yourself and your customers.

What happens if I’m not GDPR compliant?

Companies that fail to comply with GDPR face complex administrative procedures and serious fines. Non-compliance penalties are categorized in a two-tiered system — the more serious the infraction, the more serious the consequence.

In tier one, the maximum fine is 4% of a company’s annual global turnover or €20 million, whichever is higher. The lower tier of violations can result in a maximum fine of 2% of a company’s annual global turnover or €10 million.

How does GDPR apply to B2B activities?

The implications of GDPR extend to any and all B2B activities that attempt to reach out to customers based on personally identifiable information. With regard to data, this includes but is not limited to names, phone numbers, work and personal email addresses, and IP addresses.

For example, when conducting cold email outreach to consumers, B2B organizations must ensure that they rely on lawful bases. There are a total of six lawful bases of which the two most commonly relied on are:

1. Legitimate Interest

Legitimate interest essentially means that collected data can be used for a legitimate purpose so long as that purpose is not outweighed by individuals’ privacy rights and freedoms. It requires the application of a three-part test:

  • Purpose: What is the purpose of using the data?
  • Necessity: Is the data necessary for pursuing that purpose?
  • Balancing: Do the individual’s privacy interests outweigh the purpose?

2. Consent

This means that you’re emailing people who have signed up using a form on your website. Essentially, it’s a clear agreement that your organization can use the recipient’s data for a particular activity, based on informed, given consent. A crucial part of obtaining explicit consent is offering an opt-in or opt-out option for personal data use. The exact requirements vary from country to country.

The four additional lawful bases are as follows:

3. Performance of a contract with the data subject

5. Protecting the vital interests of an individual

6. Performance of a task carried out in the public interest

What does GDPR mean for my customers?

Your EU customers have eight fundamental rights under GDPR regulations. These are as follows:

The right to be informed

Organizations must be completely transparent in how they use personal data.

The right of access

Individuals will have the right to know exactly what information is held about them and how it is processed.

The right of rectification

Individuals will be entitled to have personal data rectified if it’s inaccurate or incomplete.

The right of erasure

Also known as “the right to be forgotten,” this refers to an individual’s right to have their personal data deleted or removed without the need for a specific reason.

The right to restrict processing

Individuals have the right to block or suppress the processing of their personal data.

The right to data portability

Individuals have the right to receive their personal data in a commonly used format and transmit that personal data to another entity.

The right to object

In certain circumstances, individuals are entitled to object to their personal data being used. This includes if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.

Rights in relation to automated decision making and profiling

The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them or is based on automated processing.

How does ZoomInfo source B2B data in a GDPR compliant way?

ZoomInfo’s data collection practices take GDPR requirements into account. ZoomInfo builds ‘Public Profiles’ for businesses and people by aggregating information from several sources including: 

  • A vast contributory network that adds new contacts, as well as helps validate new and existing data. 
  • Proprietary machine learning that continually scans publicly available information, such as corporate websites, press releases, news articles, Securities and Exchange Commission filings, job postings, industry data, locations, revenue, and other company attributes. 
  • Human research and verification through a team of in-house researchers who cross-check important data. 
  • Third-party expert partners that supplement the database with aggregated data. 

Is ZoomInfo GDPR compliant, and how are ZoomInfo customers supported?

ZoomInfo is GDPR compliant. This means our B2B contact database satisfies personal data privacy requirements put in place by GDPR. Similarly, ZoomInfo contractually requires that customers and partners who use, control, or process the personal data of persons within the EU and other European countries be GDPR compliant.

To make it easier for our customers and partners to comply with the GDPR, ZoomInfo offers the option to filter contacts and companies by location — including the exclusion of individuals identified as EU residents. This functionality presents ZoomInfo users with the ability to remain compliant while using our products. 

ZoomInfo is committed to ensuring that our data is GDPR compliant. Our commitment to security is central to all data collection, storage, and dissemination.