How does the GDPR affect B2B sales?

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that came into effect on May 25, 2018 and affects businesses and organizations operating in EU member states as well as in the European Economic Area.

Compliance with data privacy regulations like the GDPR can be as beneficial for B2B relationships as for B2C ones. Building trust, demonstrating respect for privacy, and doing business with attention to detail and customers’ and partners’ best interests is always a competitive advantage.

The primary goal of the General Data Protection Regulation (GDPR) is to protect EU residents’ personal data and provide them with greater control over it. The GDPR is extraterritorial, which means that it applies to any organization that processes the personal data of EU residents, regardless of the geographic location of the organization.

The regulation applies to the collection and use of personal data, for example via websites, mobile apps, and other properties. It applies to companies doing business with other companies and with consumers. Does the GDPR protect B2B data? Absolutely. Organizations must protect and compliantly handle personal data, no matter what the commercial basis of the business relationship is or what the data is used for.

In many cases, the GDPR requires organizations to appoint a data protection officer, or DPO, (Art. 38). It is that person’s responsibility to oversee and ensure compliance with relevant data privacy regulations. Overall, compliance is the responsibility of the business or website or application operator if the business collects and/or processes personal data via that property.

Does the GDPR distinguish between B2B and B2C? Not really. The GDPR centers on protecting personal data of EU residents but doesn’t distinguish among which residents. The purpose for use and legal basis might be different for a B2B audience, but companies involved in B2B sales and marketing need to meet the same responsibilities under the GDPR as for a B2C audience.

The GDPR has a significant impact on B2C marketing, as many marketing operations make extensive use of consumers’ personal data for communications, personalization, and other activities.

The need for prior consent is one of the biggest responsibilities that companies engaged in B2C marketing need to meet. So is the need for transparency with consumers about what data companies process, for what purposes, and who may have access to it.

Companies also need to ensure that they follow GDPR principles, e.g. data minimiziation, transparency, etc., and that their B2C marketing target audience is informed about their GDPR rights and can exercise them at any time. Additionally, it’s important for companies to exercise discretion regarding how much data they collect, for which purposes, and how long they retain it.

B2B operations and transactions processing personal data can include vendor relationships, like for advertising, or other services or partnerships. It’s important for companies to understand who they are reaching out to, and with what plans and goals.

In addition to having a legal basis for data processing, companies must do the same things they would for a consumer audience: provide clear notifications about data collection and use, securely store and manage data, maintain records of processing activities, conduct data protection impact assessments (DPIA) and appoint a data protection officer where applicable.

Companies can take additional steps to ensure the most care in respecting and protecting personal data:

• conduct data audits to ensure they know what data they collect and manage from B2B contacts
  • know where, how, and for how long data is stored; how it’s used; and who it’s shared with
• limit access to data to only those necessary
• train employees on best practices for data protection and use
• ensure robust data security and maintenance
  • perform regular reviews and upgrades to systems
• establish robust processes for data breaches
  • create plans and policies for timelines, chains of notification, and investigation and mitigation actions
• create and display clear and easily accessible privacy policies or notices, typically found on the website
  • ensure notices include all the relevant information about data processing, as well as details about opting out and for contacting the organization

   

Companies should also employ a privacy by design approach in all aspects of business operations to achieve and maintain compliance. This includes B2B outbound sales and marketing activities. This demonstrates a respect for privacy, and results in less work to achieve or maintain compliance later on, as the core principles are already in effect.

Consent is a commonly used legal basis for B2C operations, obtained from the customer or data subject. Under the GDPR, consent must be obtained before data is collected or processed.

There are five other legal bases for data processing under the GDPR (Art. 6). Some of the other ones may be more relevant for B2B sales.

The full list of legal bases includes:

• data subject consent
• performance of a contract with the data subject
• compliance with a legal obligation to which the data controller is subject
• protection of the vital interests of the data subject or of another natural person
• exercise of official authority or in the public interest
• legitimate interests pursued by the controller or by a third party

Legitimate interest is also a popular legal basis among companies, which means the organization has a genuine and legitimate reason to process data. The GDPR does recognize that organizations may invoke legitimate interest as a lawful basis for direct marketing to business contacts. Authorities do require organizations to prove the legitimacy of the choice of that legal basis.

Performance of a contract could also be relevant in B2B operations like it is in B2C (e.g. payments), as could compliance with legal obligations. Choice of legal basis should always be balanced with data subjects’ rights. It is important to consult with qualified legal counsel and/or a data privacy expert when determining the most accurate legal basis for data processing for GDPR compliance, and what actions need to be taken to achieve and maintain compliance.

Relevant personal data processed in the B2B sales cycle could include business contact details, like names, phone numbers, or email addresses, or even less obvious information like IP address recorded upon login to shared systems.

The controller needs to ensure that there are contractual agreements in place with all third parties involved in personal data processing when sales agreements are put in place. These contracts set expectations and requirements for data security, management, transfer, and use.

All entities with access to personal data are required to comply with the GDPR, maintain confidentiality and security, and document their operations, reviews, and compliance. Data use could be for communications, marketing, finance, resellers, and more.

Business today is increasingly global. Just as companies processing EU residents’ data may be located elsewhere, their B2B contacts and partners may be in other countries as well. In that case international data transfers are a concern (Art. 50).

Some countries have standard contractual clauses or adequacy agreements, which means that parties consider the operations and data protection measures of their partners in other countries to be adequate in terms of security and legal compliance. Countries with data security measures that are considered inadequate could find significant challenges doing business in a global marketplace.

It absolutely can. B2B contacts’ consent potentially needs to be obtained for some data uses, and they may also need to be notified about what data is collected, how it’s used, and who it may be shared with. B2B marketing often involves many integrated systems and additional partners, so data can be used and shared more broadly than people initially realize, making it more complicated, but also more important, to meet GDPR responsibilities.

Even when explicit user consent is not required for B2B marketing, implementing best practices is a good idea to show that your organization respects all data it manages, and values partners’ privacy. Great brand reputation is as important among potential business partners, vendors, and clients as it is with consumers.

All entities involved in data processing are responsible for ensuring data subjects’ rights are maintained and complied with (Arts. 15-22). These rights include:

• Right of access to know what data an entity has and processes
• Right to rectification to have inaccurate data corrected
• Right to erasure (“right to be forgotten”)
• Right to restriction of data processing
• Right to be notified regarding rectification, erasure, or restriction of processing
• Right to data portability to get a copy of personal data in a usable format
• Right to object to processing (opt out)
• Right regarding automated individual decision-making, including profiling

Per Art. 5 of the GDPR, organizations processing data have specific responsibilities, or principles for lawful processing.

• Lawfulness, fairness and transparency (process data within legal requirements, with a legal basis, and comply with data subjects’ expressed rights)
• Purpose limitation (only process personal data for the stated purpose)
• Data minimization (only process as much data as is necessary to carry out the stated purpose)
• Accuracy (ensure data collected and processed is accurate and kept up to date)
• Storage limitation (only retain data for as long as is needed)
• Integrity and confidentiality (maintain security and privacy of data and limit access)
• Accountability of the controller to comply with all principles for lawful processing

Organizations need to have systems in place to receive and respond to data subject requests, like for access, correction, or deletion, in the prescribed ways (e.g. with verification and in a certain amount of time) whether they come from business contacts or consumer ones.

The GDPR has two tiers of penalties for violations and conditions for levying them (Art. 83).

In the first tier, violations are subject to fines up to € 10 million or up to 2 percent of the total global gross annual revenue for the preceding financial year, whichever is higher. This tier is generally for less severe offenses or first-time violations with efforts to cure the issue.

The second tier of penalties is for more egregious or repeated violations, and includes fines up to € 20 million, or up to 4 percent of global gross annual revenue for the preceding financial year, whichever is higher.

Controllers are responsible for data processing activities of processors they engage, so violations committed by the processor are, for legal purposes, violations by the controller. Additionally, organizations can suffer damage to brand reputation and loss of trust by customers and partners, as well as loss of revenue from decreased sales or lost partnerships.

To comply with the GDPR, all personal data collected and processed needs to be protected by all entities with access to it. Whether for the B2B outbound sales process or marketing campaigns, GDPR compliance requires the same respect for privacy and action to meet responsibilities. A privacy by design approach can help with this, as can the expertise of a data protection officer.

It is also important to view GDPR compliance not as a one-off project, but as an ongoing set of business operations to be reviewed and upgraded as technologies and business priorities change, and as regulations evolve.

Download our GDPR checklist now to help you ensure privacy compliance for B2B operations.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.