GDPR, Consent and B2B emails explained

Part of our work here at Doogheno involves sending B2B emails for our award winning Account Based Marketing campaigns.  Sometimes it’s for ourselves, sometimes it’s for our customers, such as a large survey we do every year with a company called ServiceteamIT.

Most people respond well.

Some don’t.  Some say you have no right to send me an email, you are in breach of GDPR, and some are even less polite than that.

But the simple truth of the matter is that in the UK, you can still send cold B2B emails.

GDPR makes no distinction between a personal email address and a business email address.  However, UK law does; it is this differentiation that allows companies to still email other businesses, primarily for marketing but in this instance, an invitation to take part in the research. This is because PECR, which is the electronic communications regulation that has been in place for many years and last updated in 2015, has not been replaced by GDPR or the 2018 Data Protection Act in the UK and allows for contact without consent.

However, GDPR does introduce legislation that means that outreach emails can only be sent under certain circumstances and that this communication needs to still be compliant.

There is a legal basis for sending business-to-business email which is called Legitimate Interest.  Currently, this allows for business-to-business emailing where the recipient has not given consent to the processing, providing a legitimate interest test has been carried out and passed, and the sender recognises and respects the rights and freedoms of the recipient, such as responding to their request and actioning the request.

The legitimate interest test is made up of three parts: Identification of a Legitimate Interest, a necessity test ad a balancing test.  In the first part, we look at if the recipient is likely to find the information relevant to their job function, in this case, it is a survey that will be used to provide insight into UK technology adoption and made available after anonymisation, which is reasonable to believe will be informative to the recipient.  The second part of the test covers necessity, and we ask if there is another way we could reasonably communicate this information.  And the third part looks at balance: do your rights as a data citizen outweigh our need to send the information, as we recognise and respect the recipient’s rights, such as providing details on the basis for processing and giving details of how to stop processing or correct any errors we believe that balance is equal.  This approach is defined by the ICO and is fully compliant with GDPR.

The ICO states that in the case of B2B emails this balance will generally fall on the side of the sender but obviously, don’t send irrelevant information to the wrong people.  If you are sending relevant information to someone who it is reasonable to believe will find that information of value and interest then you should be ok.

From the ICO Guidelines

“142. These rules on consent, the soft opt-in, and the right to opt-out do not apply to electronic marketing messages sent to ‘corporate subscribers’, which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.”

“145. In addition, many employees have personal, corporate email addresses (eg, and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.”

And the ICO Guidance on PECR

“Although the Data Protection Act 1998 (DPA) only protects individuals, PECR apply to any direct marketing by phone, fax, email or other electronic means. This means that PECR protects companies and other corporate bodies from unwanted marketing, as well as protecting individuals.

However, there are different rules for marketing to corporate bodies and marketing to individuals. PECR place fewer limits on marketing to corporate bodies – but there are still limits.”

“The rules on marketing by email or text are different. The only obligation on the organisation sending the email or text is to not conceal their identity and must provide contact details.

There is no right to opt-out, or to register with a preference service. However, it is still worth asking an organisation to stop sending you marketing emails or texts. Most organisations will not want to waste resources or risk their reputation by sending unwanted messages.

Individual employees with personally identifiable work email addresses (eg can, however, make a written request to stop receiving marketing emails under s11 of the DPA. Organisations must then stop using that email address for marketing purposes within a reasonable period.”

And if you found this article of use you will be interested in