GDPR, the General Data Protection Regulation, is a comprehensive European Union law that governs how organisations collect, store, use, and share the personal data of individuals in the EU and European Economic Area.
It came into force in May 2018 and applies to any organisation that processes the personal data of EU residents, regardless of where the organisation itself is based. For UK businesses, the UK GDPR, which closely mirrors the EU version, applies following the UK’s departure from the EU. GDPR fundamentally changed the relationship between organisations and the people whose data they hold, placing significantly more control in the hands of individuals.
Under GDPR, organisations must have a lawful basis for processing personal data. For marketing purposes, the two most commonly used bases are consent (the individual has actively agreed to their data being used for a specific purpose) and legitimate interest (the organisation has a genuine business reason that outweighs the individual’s privacy interests). The regulation also grants individuals a set of rights over their data, including the right to access, correct, or erase information held about them.
For marketing teams, GDPR has practical implications at every stage of the customer relationship. Signup forms must be explicit about how data will be used. Email marketing requires a documented lawful basis. Data retention policies must be defined and enforced. And the systems used to collect, store, and process contact data must meet GDPR’s security and accountability standards. Non-compliance carries the risk of significant fines, up to 4% of global annual turnover or 20 million euros, whichever is higher.
Yes. GDPR applies to the processing of any personal data, and a business email address is personal data if it can be used to identify an individual. This means that email marketing to business contacts is subject to GDPR requirements. The lawful basis for B2B email marketing is often legitimate interest rather than consent, but this requires a documented legitimate-interest assessment, and opt-out requests must still be respected promptly.
Consent means an individual has actively agreed, through a clear and positive action, to have their data used for a specific purpose. It must be freely given, specific, informed, and unambiguous. Legitimate interest is a broader basis that allows processing when the organisation has a genuine and proportionate business reason that does not override the individual’s rights. For B2B marketing, legitimate interest is commonly used for direct marketing to professional contacts, but it requires a documented three-part test and must be balanced against the individual’s reasonable expectations.
GDPR grants individuals eight key rights: the right to be informed about how their data is used, the right of access to a copy of their data, the right to rectification of inaccurate data, the right to erasure (the right to be forgotten), the right to restrict processing, the right to data portability, the right to object to processing, and rights related to automated decision-making. Marketing teams must be prepared to respond to requests exercising any of these rights within the legally defined timeframes.