GDPR Guide for B2B Sales and Marketing professionals

Download this practical GDPR Guide for B2B Sales and Marketing professionals. Find out what you can and cannot do under GDPR and how it will impact your day-to-day activities.

This guide is now available on request: drop us an email or give us a call and we'll send it to you. While the GDPR is now two years old, every element of it is still as relevant.

Below is an example of the type of response that we have used with our clients to a GDPR subject access request.

Our responsibility to act within all legislation, including GDPR, is taken very seriously. 

On the basis of your response, we have immediately suppressed any further communication after this email. We will delete your records from both the email platform and Google Docs within 21 days. 

Your details were found via: LinkedIn

When: June 2018.

The personally identifiable information that we have processed is: name, job role and corporate email.

The corporate email address was created using the standard email format: first.last@domain

We do not use email addresses associated with LinkedIn profiles because of the risk of these emails being personal. 

Your data was processed in line with GDPR, following a three-point Legitimate Interest test and this is the legal basis on which we sent the communication.

Your data is held in Google Docs and the email platform. 

Your first name and email address were processed to send the communication.

I will explain the legal basis of why you were contacted.

GDPR makes no distinction between a personal email address and a business email address. However, UK law does, and it is this differentiation that allows organisations to still email businesses. This is because PECR, which is the regulation of electronic communications that has been in place for many years and was last updated in 2015, is not replaced by GDPR or the 2018 Data Protection Act in the UK and allows for contact without consent.

However, GDPR does introduce legislation that means that outreach emails can only be sent under certain circumstances and that this communication needs to still be compliant.

There are a number of lawful bases for sending email, including but not limited to consent. The lawful basis we have used to send business-to-business email is Legitimate Interest. Currently, this allows for business-to-business emailing where the recipient has not given consent to processing, providing a legitimate interest test has been carried out and passed, and the sender recognises and respects the rights and freedoms of the recipient, such as responding to their request and actioning the request.

The legitimate interest test is made up of three parts: identification of a Legitimate Interest, a necessity test and a balancing test. In the first part, we look at whether the recipient is likely to find the information relevant to their job function. For example, do they have responsibility for areas of high volumes of data processing or compliance? The second part of the test covers necessity, and we ask whether there is another way we could reasonably communicate this information. The third part looks at balance: do your rights as a data citizen outweigh our need to send the information? As we are sending a business communication to a business email address, the ICO states: “Business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally.” And as we recognise and respect the recipient's rights, such as providing details on the basis for processing and giving details of how to stop processing or correct any errors as laid out in our privacy policy, including ways to contact us to exercise your rights, we believe that balance is correct. The link in the email footer takes you to a page where you have the ability to exercise any of your rights under GDPR, including the right to object to processing. This approach is defined by the ICO and is fully compliant with GDPR.

From the ICO Guidelines

“142. These rules on consent, the soft opt-in and the right to opt-out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.”

  • Which we have done.

“145. In addition, many employees have personal corporate email addresses (eg, and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.”

  • Which we have done. 

And the ICO Guidance on PECR

"Although the Data Protection Act 1998 (DPA) only protects individuals, PECR apply to any direct marketing by phone, fax, email or other electronic means. This means that PECR protects companies and other corporate bodies from unwanted marketing, as well as protecting individuals.

However, there are different rules for marketing to corporate bodies and marketing to individuals. PECR place fewer limits on marketing to corporate bodies – but there are still limits."

"The rules on marketing by email or text are different. The only obligation on the organisation sending the email or text is that they must not conceal their identity, and must provide contact details.

There is no right to opt-out, or to register with a preference service. However, it is still worth asking an organisation to stop sending you marketing emails or texts. Most organisations will not want to waste resources or risk their reputation by sending unwanted messages.

Individual employees with personally identifiable work email addresses (eg can, however, make a written request to stop receiving marketing emails under s11 of the DPA. Organisations must then stop using that email address for marketing purposes within a reasonable period."

  • Which we have done.