The GDPR Compliance Guide for B2B Organizations

The General Data Protection Regulation (GDPR) was created to improve data collection, processing, and usage for consumers who are too often bombarded with unwanted digital marketing and sales efforts. Any company conducting business in the European Union (EU) must comply with the rules and regulations laid out by GDPR or risk facing hefty fines. 

Responsible business leaders should have a comprehensive understanding of GDPR, including what it is, how it relates to them, the most commonly asked questions about GDPR and data usage, and how to remain GDPR compliant with B2B marketing and sales. 

What is GDPR?

In April 2016, all the countries in the EU adopted GDPR regulations and it officially went into effect on 25 May 2018. The GDPR established guidelines for greater transparency, confidentiality, and accountability for the collection and use of personal data in the EU. It predates privacy legislation in most other countries and often serves as a template for new laws on data privacy and security around the world.

The GDPR replaced the EU’s Data Protection Directive (DPD). A “directive” allows EU member countries to choose whether to enact similar laws that they can customize, whereas a “regulation” requires all member countries to enact the law in full. The DPD was replaced by the GDPR because:

  1. The Data Protection Directive was enacted in the internet’s infancy and didn’t address everything it needed to.
  2. There were benefits to enacting an EU-wide law instead of having different versions throughout the member countries.
  3. The GDPR granted citizens more control over their personal data and was designed so that data controllers and processors were required to protect sensitive personal data.

What is Considered Personal Data Under GDPR?

GDPR protects personal data including anything that could be used to identify an individual. This includes physical addresses, phone numbers, job information, and education status, as well as other factors like IP addresses and biometric data such as fingerprints or facial recognition data. Its official definition of personal data reads as follows:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Who Does GDPR Impact? 

GDPR applies to any company, inside or outside the EU, that processes personal data of EU individuals where that processing relates to the offering of goods or services to those individuals. This means that major companies across the globe that operate in the EU must have a solid plan for GDPR compliance or risk the penalties.

It’s important to note that a financial transaction does not need to take place for GDPR regulations to apply. The processing of any personal data for citizens within the EU is protected. Even if a prospective customer never purchases a product or service from your organization, you are still required to adhere to GDPR requirements.

What is The Distinction Between Data Controller and Data Processor and Why is it Important? 

An important aspect of the GDPR is the difference between data controller and data processor. Under GDPR, a data controller holds most of the liability in the event of a data privacy breach. The data controller is responsible for making sure that any data processors they work with are GDPR compliant. 

Here’s the official definition of the two roles:

Data Controller: 

A natural person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

The data controller controls and is responsible for collecting and using personal data. Being a data controller comes with serious legal responsibilities. It’s important that you understand whether these regulations apply to you as an individual or to your company as a whole. If you’re not sure, we recommend that you consult with a legal advisor familiar with the local laws. 

Data Processor: 

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

This is a person or company who holds or processes personal data at the direction of and on behalf of the data controller. Examples of data processors include third-party vendors such as payroll companies or accountants.

Why Was GDPR Passed in the EU?

The GDPR stems from concerns over how users’ personal data is collected, stored, and used. Almost all modern businesses collect and analyze personal data. Think about how many web forms you’ve filled out in your lifetime with your information — first name, last name, email address, home address, employer, credit card information — the list goes on.

The amount of data created and collected each day is growing exponentially, and as technology advances, our digital footprints continue to grow.

As the internet has evolved, the need for more comprehensive privacy regulations quickly emerged. Decades-old legislation that protected names, addresses, and images was no longer enough to protect personal data. GDPR was introduced to bring regulations up to speed with the current state of technology. 

Note: The UK has its own framework known as UK GDPR. While GDPR stopped being “directly applicable” when the UK exited the EU in December 2020, the Data Protection Act of 2018 retained GDPR requirements in domestic UK law and supplements the UK GDPR by providing exceptions to the law.

Why Do B2B Organizations Care About GDPR?

B2B organizations care about GDPR because it impacts all B2B activities that attempt to reach customers based on personally identifiable information. Companies that fail to comply with GDPR face complex administrative procedures and serious fines. Non-compliance penalties are categorized in a two-tiered system, with the more serious infractions leading to more serious consequences.

In tier one, the maximum fine is 4% of a company’s annual global turnover or €20 million, whichever is higher. The lower tier two of violations can result in a maximum fine of 2% of annual global turnover or €10 million.

What Does it Mean for a B2B Organization to be GDPR Compliant?

For a company to be GDPR compliant it must abide by these principles:

  • Data must be processed lawfully, fairly, and in a transparent manner
  • Data can only be collected for specified, explicit, and legitimate purposes
  • The scope of the data must be adequate, relevant, and limited to what is necessary
  • Data must be accurate and kept up to date
  • Data can only be held for the absolute time necessary and no longer
  • Data must be processed in a manner that ensures appropriate security of the personal data

If your business falls under GDPR, we recommend that you explore compliance solutions, training, and legal expertise to gain the tools you need to protect yourself and your customers.

What Does GDPR Mean for Consumers?

EU consumers have eight fundamental rights under GDPR:

  1. The right to be informed: Organizations must be completely transparent in how they use personal data.
  2. The right of access: Individuals have the right to know exactly what information is held about them and how it is processed.
  3. The right of rectification: Individuals are entitled to have personal data rectified if it’s inaccurate or incomplete.
  4. The right of erasure: Also known as “the right to be forgotten,” this refers to an individual’s right to have their personal data deleted or removed without the need for a specific reason.
  5. The right to restrict processing: Individuals have the right to block or suppress the processing of their personal data.
  6. The right to data portability: Individuals have the right to receive their personal data in a commonly used format and transmit that personal data to another entity.
  7. The right to object: In certain circumstances, individuals are entitled to object to their personal data being used, for example when a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  8. Rights related to automated decision making and profiling: GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them or is based solely on automated processing.

How Does GDPR Affect B2B Marketing Activities?

Marketing leverages data for almost every important decision. That’s why it’s critical for marketers to think about GDPR and how they will address data permission, data access, and the purpose of any personal data that will be used and stored. In a modern revenue organization, the close collaboration of marketers and IT professionals is essential for compliance with data privacy regulations. The majority of responsibility for GDPR compliance falls under these two departments. 

GDPR Considerations for Marketing Lists

In order to remain compliant under GDPR, revenue teams should vet all marketing lists before using them to reach out to companies or contacts. According to the Information Commissioner’s Office (ICO), businesses can still use purchased marketing lists as long as they compare the lists against both the TPS (Telephone Preference Service) and their own “do not call” list of people who have previously objected to or opted out of marketing calls.

To create an in-house marketing list, start with your existing customers or prospects who have submitted their information via an inquiry or a form fill. Remember that not everyone is interested in receiving marketing communications. It’s important to include opt-in options on any form fill; without a recorded opt-in, contacts cannot be automatically included in marketing outreach. The opt-in notice should explicitly outline how the information collected may be used for marketing purposes so individuals can opt in or out depending on their preferences.

Organizations struggle with tech stacks that are filled with incorrect data, siloed data, and a lack of good business intelligence. This challenge has grown substantially with regulations, such as GDPR, which drastically reduce the amount of data organizations can collect and how that data can be used. APIs (application programming interfaces) are a great way for organizations to enrich existing company data, contact information, news, and more with automated, accurate, real-time B2B data.

GDPR Considerations for Direct Marketing 

Direct marketing is typically deployed to encourage a prospect or customer to take the next step, such as setting up a discovery call or purchasing a product or service. For direct marketing, the simplest way to ensure you are abiding by GDPR guidelines is to secure explicit consent from anyone who might receive direct marketing messages. 

However, there are three conditions that exempt the need for explicit consent:

  • If the contact details were collected in the context of a sale
  • If the data that was collected can only be used in the direct marketing of your products and services
  • If the individual is given the option to opt out of communications at any time

GDPR Considerations for Email Marketing 

Under GDPR, email marketers need to collect informed consent from data subjects in order to obtain their contact information. The three main things that email marketers need to worry about with GDPR are:

  • Developing consumer opt-in permission rules.
  • Being able to show and store proof of consent.
  • Establishing clear methods through which data subjects can ask for their information to be removed from your database.

How Does GDPR Affect B2B Sales Activities? 

B2B sales teams should be especially mindful of GDPR considering the entire process of prospecting is centered around personal data and determining who would be a “best fit” based on that data. 

GDPR Considerations for B2B Cold Calling

For outbound sales, GDPR requires that salespeople get consent from prospects in order to contact them. This changes the cold-calling and emailing game immensely. But no need to panic. Cold calling is still allowed under GDPR, but there are two important points that sales teams need to consider:

  • Cold calls can only be made when there is legitimate interest from the prospect. 
  • Even when there is interest, the rights and freedoms of the individual are still protected. 

GDPR Considerations for B2B Cold Emailing

Cold emailing is another common step in a prospecting cycle. To meet GDPR compliance, salespeople cannot send emails to individuals unless:

  • They have explicitly consented to receiving emails from your organization.
  • They are an existing customer who bought a similar product or service from your organization in the past, and they have already had opt-out opportunities since being a customer.

As with other forms of cold outreach, it’s imperative that your organization provides simple ways for individuals to opt out of sales or marketing communications at any point in time.

How Does GDPR Affect B2B Recruitment Efforts? 

Recruiters rely heavily on collecting candidates’ personal information. Just like sales and marketing teams, recruiters need to obtain candidate consent to process sensitive data, and allow for that consent to be withdrawn at any time. Under GDPR, recruiters can only source candidate data when they are solely collecting job-related information and intend to contact sourced candidates within 30 days.

GDPR Considerations for CV Personal Data

Under the GDPR, information included in a candidate CV is personal in nature. Any information included in a CV must be processed securely and only in the intended manner for which it was originally collected. Similar to sales and marketing communications, a job candidate can request to have their personal data removed from a recruitment database at any time. Ensuring that an opt-out capability is available for job candidates satisfies the requirement for individuals to have control over their personal data.

GDPR Considerations for Candidate Outreach

A large part of a recruiter’s day-to-day activity consists of reaching out to individual candidates to recommend open roles or gauge interest in new employment opportunities. Under the GDPR, there are a few considerations to keep in mind when it comes to client and candidate communications:

  • If the relationship between a recruiter and candidate is specific to a particular advertised role, then all communications from the recruiter must relate to that particular role.
  • A recruiter can’t send unsolicited CVs to a client without the candidate’s specific consent.
  • Make sure to receive written consent, not just verbal consent. Relying on verbal consent can create potential problems in the future if a candidate or client does not recall previously giving consent to communications.

Is ZoomInfo GDPR compliant? 

ZoomInfo is GDPR compliant. Our B2B contact database satisfies all personal data privacy requirements put in place by GDPR. Also, ZoomInfo contractually requires that our customers and partners who use, control, or process the personal data of persons within the EU and other European countries be GDPR compliant.

ZoomInfo builds “Public Profiles” for businesses and people by aggregating information from several sources including: 

  • A vast contributory network that adds new contacts, as well as helps validate new and existing data. 
  • Proprietary machine learning that constantly views publicly available information, such as corporate websites, press releases, news articles, SEC filings, job postings, industry data, locations, revenue, and other company attributes. 
  • Human research and verification by a team of in-house researchers who cross-check important data. 
  • Third-party expert partners that supplement the database with aggregated data. 

How Does ZoomInfo Support its Customers in Being GDPR Compliant?

ZoomInfo is committed to ensuring that our data is GDPR compliant. Our commitment to security is central to all data collection, storage, and dissemination. To make it easier for our customers and partners to comply with GDPR requirements, ZoomInfo offers the option to filter contacts and companies by location, including the exclusion of individuals identified as EU residents. This functionality enables ZoomInfo users to remain compliant while using our products.