We get asked lots of questions about how to ensure that our sales and marketing efforts are compliant with the data protection regulations.

It would seem sensible to answer some of these in a series of top tips articles.

First up, for no reason other than that there appears to be some degree of uncertainty surrounding it, is how to ensure that we comply with Article 14. This is all about the information we need to provide when personal data have not been obtained from the data subject. Remember that B2B contact data will include personal data as defined by the GDPR.

This applies when we are sourcing: third-party lists, irrespective of their stated compliance with GDPR or otherwise; LinkedIn data; Zoominfo data; and our own research into prospects’ data in the public domain.

We will focus on GDPR and the Data Protection Act 2018 here but you must also consider the PECR (Privacy and Electronic Communications Regulations) before commencing any marketing communications activity.

Our top five tips are:

If you are sourcing personal data indirectly (e.g. from LinkedIn, Zoominfo, bought-in mailing lists or your own research of data in the public domain) and you store this for prospecting purposes (you are processing the data by doing this), you must:

  1. Determine your lawful basis for processing. For most of us, this is likely to be Legitimate Interests. If so, you will need to complete a Legitimate Interests Assessment.
  2. Establish which data could be deemed to be personal data. Which data could enable a person to be ‘identified, directly or indirectly’?
  3. Assuming that you will be using data that could enable this, provide the individual concerned with the following:
  • The identity and contact details of the controller (i.e. your organisation)
  • Contact details for your Data Protection Officer, if you have one
  • Purposes of processing (for example communicating with business prospects) and the lawful basis you have chosen, e.g. legitimate interests
  • The source(s) of the data
  • The categories of personal data concerned
  • Recipients or categories of recipients of the data, if any. If you are sharing this data with others, who are they?
  • Transfers to a third country, and reference to appropriate or suitable safeguards. This is becoming increasingly topical. Find out where data will be held by any processors such as email marketing providers. Is this in the EEA? If not, are there adequacy provisions in place for the country concerned?
  • How long you will hold the data or the criteria used to determine that period
  • Individual Rights including: ability to stop processing; withdraw consent and right to lodge a complaint with a Supervisory Authority
  • Existence of any automated decision-making, including profiling
  4. The information can be provided in short explanatory text at the footer of an email with a link to a Privacy Notice where full details are given. Providing an easy link to object to processing (opt out/unsubscribe) is good practice.
  5. When do you need to provide this information?
  • within a reasonable period after obtaining the personal data, but at the latest within one month
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication or
  • if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The keyword for B2B marketers is TRANSPARENCY. Are you making it crystal clear to the prospect exactly what you are doing with their data and why?

Make sure that you document all of this too. Keep a record of the Legitimate Interests Assessment, the wording you use in explanation and the Privacy Notice to demonstrate compliance.

For more help on B2B marketing within the GDPR, Data Protection Act and PECR, contact us today.

Happy birthday GDPR

A year before the GDPR came into force we started training marketers and others on how to ensure compliance with the new regulation.

A year on, we thought it would be a good time to discover where some of the companies that we trained are now. We asked five simple questions:

  1. How comfortable are you that your business is now fully GDPR compliant?

Not all were certain that they were fully compliant. All saw complying with the GDPR as a ‘journey’ with the need to constantly update and review their approach. There was a fear factor or lack of confidence for some. Issues had been experienced by some with data transfers outside the EU.

  2. What are the good things that have happened as a result of the GDPR coming into force?

All saw some positives in the GDPR coming into force a year ago. Generally, it has meant that those spoken to have become more organised with data (when and where it is held) and more stringent in tracking consent – where appropriate. Specific comments included:

“GDPR makes us think twice – for example whether to use mailing lists. It has stopped us doing things that we shouldn’t have done in the past”


“Customers are clear about what we are doing with their data”


“Clearing out large quantities of data that we didn’t need to hold”

  3. What are the bad things that have happened?

The work, time and money spent in getting ready for the regulation was the comment from most people. Having to keep it in mind at all times and the ongoing level of administrative work was another. There were also some concerns voiced over the amount of conflicting information that still appears to be out there regarding exactly what is needed to get it right.

One person commented that, on a wider issue, the GDPR has made marketing relationships between organisations and consumers harder to develop. This echoes comments from others in recent articles.

  4. What data protection and privacy areas would you still like to improve?

All thought that there were areas where their organisations could improve. Particular mentions include: more exploration of which data could be linked to a natural person; improving physical data protection going forward; the slightly draconian wording of some of the statements being used and the need to review privacy policies.

  5. Final comments?

Last words included:

“It’s been a lot more work than we thought it would be. We started with the big picture. The detail keeps going and going.”


“ good if the ICO did let us know how we were doing. Not black and white.”


“…GDPR hasn’t had the impact I thought it would.”


“…found the sales team has struggled with it especially with relationship building.”

Are there many happy returns for the GDPR?

A selection of marketers that we have trained largely think so. Overall, there do seem to be benefits to both organisations and individuals, although the amount of time and effort it continues to need is a concern for many.