How Does GDPR Affect B2B Data: The Ultimate Guide

There are a few key questions that most sales teams had when the GDPR became enforceable.

Is cold outreach still a viable sales strategy and how does GDPR affect B2B?

Can we still purchase B2B data?

Luckily, the answer to those questions is yes.

Even under the GDPR you can still reach out to prospects using outbound tactics like cold emails and cold calls.

There are, however, new rules and processes you need to adopt to ensure GDPR compliance with your B2B data usage and cold outreach.

We’ve written this article to help you gain clarity into ensuring your B2B data usage is GDPR compliant.

Let’s get into it.

What is the GDPR?

The EU General Data Protection Regulation (GDPR) protects the privacy and personal data of EU citizens. It has been enforceable since the 25th May, 2018.

Sales teams are one of the groups most affected by the regulation. In most B2B sales and marketing, personal data is key to reaching the right people at the right time. B2B data gets used every day in large organizations that use outbound sales to grow.

Will the GDPR replace PECR?

The Privacy and Electronic Communications Regulations (PECR) restrict unsolicited direct marketing, which includes both cold emails and cold calls.

The GDPR does not replace PECR. You need to comply with both of the regulations in your B2B sales and marketing.

We’d recommend reading the ICO’s guide to PECR to learn more.

Key Definitions

Personal Data: Personal Data is information that relates to an identified or identifiable individual.

Data Controller: A Data Controller determines the purposes and means of processing personal data.

Data Processor: A Data Processor is responsible for processing personal data on behalf of a controller.

Does the GDPR apply to B2B Data?

Yes. If you’re dealing with B2B data in any form then you need to ensure you’re using it in a GDPR compliant way.

The GDPR protects the privacy of everyone within the EU, including people working within companies.

You need to treat the personal data you control with care.

Personal data includes anything that makes someone identifiable from the data you hold, including (but not limited to):

  • Name
  • Email
  • Phone number
  • IP address
  • Address

The GDPR affects all sales teams. Without access to a good source of B2B data, you won’t be able to identify and contact prospects. You need to make sure your sales process is GDPR compliant.

What if we aren’t GDPR compliant?

The fines for not being GDPR compliant are high. If your company is in breach of the regulation, you could pay up to 4% of your annual global turnover or €20 million, whichever is greater.

B2B Email Marketing Regulations: CAN-SPAM vs. CASL vs. the GDPR

If you use email in your marketing and sales process then you’ll already know about CAN-SPAM. If you’re emailing people in Canada, you’ll know about CASL.

If you’re compliant with the above two regulations, is there anything you need to do to be GDPR compliant?

Simply put, yes. Let’s take a look at the key differences.

CAN-SPAM became effective in 2003 and outlined key rules for email marketing, including:

  • Include clear From and To, and Reply To fields that accurately represent who you are.
  • Include an Unsubscribe link
  • Include a valid postal address in each email you send

Notice that CAN-SPAM doesn’t mention anything about requiring initial consent from recipients. Sales teams don’t need to worry about how their B2B data is sourced under this regulation.

CASL is Canada’s Anti-Spam Law. It includes the same key provisions, but also adds the need for an opt-in, rather than an opt-out. We hear about CASL less than CAN-SPAM, but it sets a precedent for the GDPR’s clear rules around opt-ins.

The GDPR is the strictest of the three. Businesses who process the personal data of people located within the EU need to know how they’re affected. It’s like CASL but has stricter rules around data storage and security, and larger fines for non-compliance.

Can I Still Use B2B Data Under the GDPR?

When the GDPR first became enforceable, sales teams around the world feared that cold outreach was finished.

Having a good source of B2B data is crucial for successful outbound sales teams. If you can no longer use that, it’s going to hurt.

Thankfully, the GDPR doesn’t mean you can no longer use B2B data in your sales process.

But, you do need to treat the personal data you’re using carefully to ensure GDPR compliance.

You should consider these questions to ensure you’re following best practices with your B2B data usage.

Let’s take a look at them:

1. Who are you contacting?

If you’re not contacting anyone located within the EU, you don’t need to worry about the GDPR. Ensuring CAN-SPAM and CASL compliance will be enough.

However, if you contact anyone located in the EU you need to pay attention to the GDPR and make sure you’re compliant. This applies to you even if your business isn’t based in the EU.

There are limitations about who you can contact. If you sell to other businesses, there should be no major issues here. But, if you’re selling to sole traders or partnerships then there are rules to know about.

Contacting Sole Traders and Partnerships

Sole Traders and (some) Partnerships are treated as individuals in the GDPR. You can only email, text, or call them if they have provided explicit consent for you to do so.

Contacting People within Businesses

You can still contact people on their individual business email address (e.g. [email protected]). You can also contact businesses using publicly available business data, such as [email protected].

2. How are you sourcing B2B Data?

So we’ve seen that you can still use B2B data in your sales process. But, you need to make sure you’re sourcing it correctly.


If you collect the data yourself you need to verify that your data sourcing process is GDPR compliant. Review the tools you’re using to collect the data, and verify that you’re storing it securely once you control the data.

B2B Data Supplier

If you’re using a third-party B2B data supplier, such as Leadiro, you should verify that their data is GDPR compliant.

A key part of the GDPR is the protection of personal data and you need to ensure you’re handling it with care.

How does the GDPR affect B2B Outbound Sales Processes?

The GDPR applies to the examples of personal data that we explained above.

You can still market relevant services to individuals within a business, as long as you let recipients opt-out.

Before sending that first cold email you will need to verify that you’re allowed to contact them under the GDPR.

Article 6 of the GDPR establishes that you need a lawful basis in order to process personal data.

There are six ways to establish a lawful basis to process someone’s personal data and contact them in your outbound sales process.

These are:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interest: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

You can read more details on these within Article 6 of the GDPR.

So, if you had a booth at a trade show and gained consent to email prospects via a sign up form, you’re good to go. That would fall under Consent.

Clearly, most sales teams won’t have a lawful basis to contact people via Contract, Legal obligation, Vital interests, or Public task.

Luckily, Legitimate interest does mean sales teams can still establish a lawful basis for cold outreach.

Establishing Legitimate Interest for B2B Sales

Legitimate Interest means that you’re processing someone’s personal data because they will care about why you’re contacting them.

For B2B sales teams, this legitimate interest should already be well established as you know what kind of customer usually buys from you.

By knowing who your ideal customer is you can easily establish legitimate interest when reaching out to people.

Let’s look at a quick example of legitimate interest in practice:

If your best customers (i.e. those who get the most value from your product or service) are Human Resource Managers within FMCG companies, then asking your sales team to reach out to HR Managers at FMCG companies who aren’t yet customers is allowed.

You can establish that there is a legitimate interest due to similarity with your existing customers.

You still need to allow them to easily opt-out.

So, the GDPR doesn’t put an end to using B2B data for outbound sales.

It does mean that you need to ensure you’re emailing the right people, with a message they will be interested in hearing. But, that’s just good sales.

More Best Practices for Outbound Sales Teams using B2B Data

However, you will be faced with some extra work to adhere to GDPR best practices.

Let’s take a look at them.

1. Accountability and Documentation

Article 30 of the GDPR means you need to be accountable for your B2B data usage.

This includes a log of who controls the data, why you’re using it, a description of the data, any 3rd parties (such as a CRM) that also process the data, as well as information on when you will delete the data, and any security measures you’re using to keep it secure.

If your business has under 250 employees there are some exceptions. Unfortunately, Article 30 highlights that the exceptions don’t apply if “the processing is not occasional”.

Therefore most sales teams, even in small to medium sized businesses, should be maintaining a record of processing activities unless it’s truly a one-off outbound campaign.

2. Data Cleaning

If you’re sending emails at a high volume you should be re-permissioning contacts. This helps to make sure you’re contacting the right person, and confirm that they still want to receive your emails.

This is a best practice to ensure the data you’re processing is up-to-date. B2B data suppliers like Leadiro regularly test, verify, and clean data to ensure it’s valid.

Forrester highlights that the GDPR should actually be seen as a good thing for B2B sales teams.

Sales reps will spend less time sending emails to massive lists of potentially unqualified leads, and spend more time talking to well-qualified, interested prospects.

Specific Rules for Companies with 250+ employees

If you’re part of a company with 250+ employees there are a few more rules around your B2B data usage under the GDPR.

1. Document your data processing activity

Are you or your team in control of a large list of B2B contacts? If so, you need to document what personal data you control, as well as where and how you store it.

You can read more on how to ensure your B2B data processing and documentation is GDPR compliant on the ICO website.

2. Assign a Data Protection Officer

Large organizations will need a Data Protection Officer (DPO).

There are a range of responsibilities for the DPO. These include educating your team on data processing best practices, and ensuring your data protection policies and audits are all GDPR compliant.

Choosing a B2B Data Supplier under the GDPR

Choosing a GDPR compliant B2B data supplier is crucial. If the data supplier isn’t GDPR compliant, you will be in breach of regulations once you control that data.

There are a few factors you should consider, or ask your data supplier about.

1. Where do they source their B2B data?

All of the B2B data you buy must be available in the public domain.

Leadiro’s data is sourced from the public domain to ensure GDPR compliance, whether you or your leads are located within the EU, MEA, NA, LATAM or APAC.

2. How up to date is the B2B data?

If you buy lists from B2B data suppliers that are out of date or contain false information, then you should reconsider.

If you cold email the wrong people due to bad B2B data, then you won’t be able to establish a legitimate interest and won’t be GDPR compliant.

At Leadiro we clean our B2B data to make sure contact data is up-to-date and GDPR compliant.

Sales teams can upload bounced emails that they purchased from us and we’ll clean the data and provide a replacement credit.

If you use up-to-date B2B data and only send cold emails to people you can prove have a legitimate interest, you shouldn’t run into any issues.

3. Are they transparent about their B2B data sourcing?

It sounds obvious, but if your B2B data supplier isn’t transparent about how their data is acquired, that’s a bad sign.

Make sure your data supplier is happy to tell you how they acquire and process the B2B data in their possession.

Most good B2B data suppliers will have a section on their website outlining how they approach GDPR compliance. You can check out Leadiro’s here.

Recap – B2B Data and the GDPR

The GDPR doesn’t mean you need to stop using B2B data in your outbound sales process.

Rather than limiting your sales team, the GDPR enables them to focus in on your ideal customer more than they may have done before.

As with any legal topic like this, we’d recommend talking with a legal professional if you have any concerns about your B2B data usage.
