
It’s the elephant in the room for organisations everywhere: the General Data Protection Regulation, or the GDPR. But it’s not as scary as all that! GDPR is an evolution. It’s an evolution of data protection regulations that are already in place, regulations that businesses already have to comply with. We are currently in a “period of grace” before the GDPR rules are fully enforced, and so we must use this time wisely to fully prepare.

A few key areas are changing, and we
all need to knuckle down and check we’re compliant by 25th May 2018;
but as the Information Commissioner’s Office point out – if
you’re already compliant with the current regulations, then you’re almost


The major question is – how will this affect the world of B2B marketing? In this blog we aim to take you through a few ways the new GDPR will alter B2B marketing, and the simple steps you can implement to have fully compliant marketing systems. (For an even more in-depth study on GDPR in business, download our free guide – you can find the link below.) The important thing is not to fear it or, worse, ignore it. The best thing B2B marketers can do right now is to understand GDPR and the truth about how it will affect their business. Data is at
the very heart of our business, and we make it our business to ensure we are
ahead of the crowd when it comes to understanding data regulation and

What Data Matters for the GDPR?

The first thing to do is address the key area of the GDPR (Hint: it’s in the title!) – Data. It’s a known fact that the GDPR applies to “personal data” and “sensitive personal data”, but not to “business data” – but how do we distinguish between these terms and ensure no wires are crossed in confusion? Data can be defined as follows:

Personal Data: Any information that allows a person to be
directly or indirectly identified. The obvious fields of “personal data” are
names and identity numbers, but factors such as location and online identifiers
(emails/usernames) also count under the ICO definition.

Sensitive Personal Data: This is referred to in the GDPR as “special
categories of personal data”, and mainly covers data surrounding genetics and

Business Data: The GDPR only applies to data relating to
individuals, not relating to businesses. So, data that is clearly related to a
business such as business name and address, landline number and [email protected] email are
all outside of GDPR ruling. However, personal business email addresses can fall
under a classification of “personal data”. There has been some ambiguity around
the subject from the ePrivacy Regulation, though it appears that where a name
is present in the body of an email address, that address counts as “personal
data”, whatever the format of the name (initialised, abbreviated etc.). So this
data must be processed in compliance with the GDPR, and will affect what lawful
basis of processing you choose under GDPR.



GDPR Lawful Basis for Processing Data

“You must have a valid lawful basis in order to process personal
data” – The ICO

The GDPR is meticulous in its requirements for all data to be
processed under a lawful basis. It allows six different options, encouraging
companies to choose the basis that applies best to their needs in each business

The six different lawful bases of processing personal data are:

Consent

Contract

Legal Obligation

Vital Interests

Public Task

Legitimate Interest

These are intended to be all-encompassing, relating to every type of organisation as well as all departments within them. Some are not applicable to B2B marketing – the main two lawful bases for processing personal data that apply to B2B marketing are ‘Consent’ and ‘Legitimate Interest’. Let’s explore each of those further:


Consent is the most commonly known and practiced lawful basis of
processing used by organisations currently, but the new GDPR has rigid rules
surrounding consent. If it’s your chosen path, then you’ll need to intricately
check your ongoing systems for consent and refresh them accordingly.

The most notable change is to the definitive “opt-in” process.
This cannot be in any way ambiguous, for example pre-ticked opt-in boxes are
expressly unlawful under the new consent regulations. Opt-in must be a
separate, individual and “granular” process, singled out from any other terms
and conditions. There must also be a clear right to withdraw.

Please see the ICO’s page
on Consent for further information.


The ICO labels Legitimate Interest as “the most flexible” of all lawful bases of processing, and it is
likely that data processing for most B2B marketing departments will sit
comfortably within this basis. In essence, it allows you to process personal data
on the grounds that your organisation is working towards the legitimate
interest of the individual – this can include commercial interests.  As long as the data processing doesn’t
infringe on the rights and
freedoms of an individual and you can prove the data subject (individual) in
question could be likely to have a legitimate interest in what you’re
marketing, you can collect and process their data.

For example, if you’re an organisation offering HR software, and you collect and process data relating to HR Managers from a range of businesses, that individual is likely to have a legitimate interest in your HR software, based upon their job function and seniority within the business. This would be a perfect example of how legitimate interest would apply in a B2B marketing scenario. If, however, as an organisation you purchased a large list of Gmail, Yahoo or Hotmail email addresses without any consideration of who was being sent your email marketing communication, and without any thought with regard to the relevance of your email message, then you’d be in breach of their legitimate interest and would likely be in breach of the GDPR.

When leveraging legitimate interest as the lawful basis of
processing personal data, you must also ensure that the rights and freedoms of
the data subject are not compromised. 
Will your message put that person in danger?  Will it land them in trouble?  Are they likely to be personally negatively
affected by your message?  If so, then it
is likely that your message will not be compliant with GDPR. Of course, for most B2B marketing it is
highly unlikely that a data subject’s rights or freedoms will be compromised –
at most they won’t be interested in your message, so it is essential to provide
an ‘unsubscribe’ method, as the individual should always have the right to ‘opt

Now is the perfect time to investigate whether legitimate interest
will be suitable for your business, and if so, start putting together your
policies around how you collect, process and store data – to demonstrate that
you have conducted your due diligence in considering your data subjects.

Forensics, the GDPR and Legitimate Interest

The Lead Forensics software identifies business visitors to your website… how much more of a legitimate interest is there than a person pro-actively visiting your website?! Use Lead Forensics to fuel your Lead Generation strategy, whilst also ensuring your compliance with GDPR. Request your demonstration and trial


Importance of Documentation

Another important aspect of the GDPR which will affect B2B marketing is the requirement to document all processes associated with personal data. At first, the prospect of documenting everything can seem a time-consuming and daunting task; however, the benefits of documenting thought processes and due diligence will pay dividends if ever your organisation is investigated by the ICO – and once completed, will only need to be subject to periodic reviews, so the pain is short lived! Whilst it will be time-consuming, by documenting processes and procedures it is likely that you will find further business benefit by having better structures in place and a better framework for all data flowing through the business. You may find pockets of inefficiency that you can improve upon, and by conducting your due diligence around your data flows, you can be safe in the knowledge that your business is committed to protecting the freedoms of your data subjects and that your business processes are robust and secure.

The ICO have said that their main aim is to educate with regard to data protection, and that during an investigation they will be assessing the steps an organisation has taken and the risk to the data subjects. If an organisation can demonstrate pro-active and thorough thinking, processes and procedures through comprehensive data planning, the ICO will be pragmatic and pro-active in assisting the organisation in becoming further compliant. By documenting processes and procedures an organisation will be putting themselves in a strong position, should an investigation ever take place. Businesses should review all data processes throughout all departments, and wherever personal data is involved, should look to review and document the end-to-end processes and rationale including the data’s sourcing, purposes, sharing and retention. If you have 250 or more employees, then all processing activities must be documented; however, if you have fewer than 250 employees, the rules are slightly different. We would recommend, however, that the documentation process is in-depth for all organisations, as it goes a long way to prove compliance and due diligence consideration around your selected lawful basis for processing and possible personal data breaches.




If your organisation has over 250 employees, you must elect a Data
Protection Officer, who will oversee the documentation process
and your organisation’s overall compliance with the GDPR. It will be up to you
to assess where this will fit in your organisation – whether as a new role or in
addition to an established one – but a fundamental part of their
responsibilities should be to document the following –

The details of the company and the details of
the elected Data Protection Officer

Categorisation of individuals, their personal
data and the recipients of this data

The purpose of processing, along with accurate
information about your lawful basis of processing

Your data retention schedules and rationale

Evidence of due diligence around your selected
method for lawful processing

Details of any third parties that come into
the data journey, including any overseas offices

Records of security measures taken by the
company in both technology and organisation

The process for identifying a data breach and
notifying the appropriate parties (who will require the above listed

A privacy policy written in plain English,
publicly available (usually on your company website) detailing how data is
collected and processed and why, with the methods of opt out clearly stated

All documentation should be in writing and there should be an
effective review process in place to ensure that all policies are kept up to
date in line with changes within the business and with regulation.  Business processes change all the time, and
therefore it is important to consider compliance up front with all new
processes to ensure that your business is compliant both now, and in the

with Third Parties

The GDPR won’t change an enormous amount for B2B marketing, especially when it comes to third parties. You’ll still be able to work alongside them as you do now; there are just some extra, cautionary steps needed to ensure compliance.

Remember to always request the privacy statement from the third
party, and review their lawful basis for processing.  Whether they work under consent or legitimate
interest, it is best for you to investigate their procedures and be sure that
the personal data in question has been considered under the same process. For
example, if you’re an organisation that currently markets to businesses, and
you document your use of the data for business marketing purposes, you will not
be able to purchase consumer data and leverage the same lawful processing.  You will need to document a separate process
and conduct due diligence around the best and most suited lawful basis for
collecting and processing that specific data.

Ultimately, it all comes down to being confident in your compliance, and that of your supply chain. Ensure that you procure and digest all relevant documentation to ensure that it aligns with your own policies. If you’re ever unsure, use the ICO website to find in-depth answers to any questions.

So there we have it – GDPR is nothing to hide from!  By using these next vital few months to fully
adapt to the new GDPR, you’ll breeze beyond 25th May 2018 without a
worry. You can still have an amazing B2B marketing and lead generation
strategy, which brings your business great success whilst also being GDPR

Want to know more? Download our free guide “GDPR: What it means
for Businesses”.

Lead Forensics is the essential software for ultimate lead
generation, fully compliant with the GDPR lawful basis of legitimate
interest.  Fuel your sales pipeline by
identifying your website visitors who are actively interested in your products
and services.  Find out more by
requesting a demonstration now.

DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information.

Post Author: admin

