GDPR with Business to Business Marketing
Yes. The GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (e.g. firstname.lastname@example.org), the GDPR will apply.
The GDPR only applies to loose business cards if you intend to file them or input the details into a computer system.
Is consent required for B2B Marketing?
Not always. Consent is one lawful basis for processing, but there are alternatives. In particular, you may be able to rely on ‘legitimate interests’ to justify some of your business-to-business marketing.
However, sometimes you will need consent to comply with the Privacy and Electronic Communications Regulations (PECR).
You can rely on legitimate interests for marketing activities if you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing – but only if you don’t need consent under PECR.
Does PECR still apply for B2B Marketing?
Yes. The GDPR does not replace PECR – although it has amended the definition of consent. You need to comply with both GDPR and PECR for your business-to-business marketing.
The EU is in the process of replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is yet to be agreed. The existing PECR rules continue to apply (with the new definition of consent) until the new ePR is finalised.