GDPR (General Data Protection Regulation)

What is GDPR?

GDPR (General Data Protection Regulation) is the European Union's comprehensive data protection law governing how organizations collect, process, store, and share the personal data of EU residents. Applicable since May 2018, GDPR is the world's strictest privacy framework; it set baseline standards that influenced later regulations globally and fundamentally reshaped digital marketing, sales operations, and customer data management practices.

GDPR applies extraterritorially—any organization worldwide that processes EU residents' data falls under its jurisdiction, regardless of where the company is headquartered or where processing occurs. This expansive scope means B2B SaaS companies in Silicon Valley, marketing agencies in Asia, and data brokers everywhere must comply when engaging European prospects or customers.

The regulation balances individual privacy rights with legitimate business interests through principles-based requirements: lawful processing, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. Organizations achieving privacy compliance benefit from customer trust, competitive differentiation, and sustainable data-driven operations within Europe's 450-million-person market.

Key Takeaways

  • World's Strictest Privacy Law: EU regulation with extraterritorial reach affecting any organization processing EU residents' data regardless of location

  • Seven Core Principles: Lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); accountability

  • Six Legal Bases: Consent, contract, legal obligation, vital interests, public task, legitimate interests—must establish before processing

  • Eight Consumer Rights: Access, rectification, erasure, restriction, portability, objection, automated decision-making, withdraw consent

  • Severe Penalties: Up to €20M or 4% of global annual revenue (whichever is higher) for violations—enforcement is active and substantial

Core GDPR Principles

GDPR establishes seven foundational principles governing all personal data processing:

Lawfulness, Fairness, and Transparency

Lawfulness requires establishing legal basis before processing personal data. Six lawful bases exist:

| Legal Basis | Description | B2B GTM Application |
| --- | --- | --- |
| Consent | Freely given, specific, informed agreement | Email marketing, behavioral tracking, newsletters |
| Contract | Necessary for contract performance | Customer onboarding, service delivery, billing |
| Legal Obligation | Required to comply with law | Tax records, financial reporting, litigation holds |
| Vital Interests | Protects life or health | Rarely applicable in B2B marketing |
| Public Task | Official authority or public interest | Government/nonprofit operations |
| Legitimate Interests | Balancing test: business needs vs. individual rights | B2B prospecting, fraud prevention, security |

B2B organizations typically rely on consent for marketing communications, contract necessity for customer data processing, and legitimate interests for prospecting activities—provided they conduct and document legitimate interests assessments weighing business needs against privacy impact.

Fairness prohibits deceptive or manipulative data practices. Pre-checked consent boxes, hidden tracking, and unclear data sharing violate fairness principles even if technically disclosed.

Transparency requires clear, plain-language communication about data practices through privacy policies, consent forms, and just-in-time notices at collection points. Legal jargon and incomprehensible policies don't satisfy transparency obligations.

Purpose Limitation

Data collected for one purpose cannot be repurposed without new legal basis. Marketing data obtained with email consent cannot be used for product analytics without separate justification. Lead scoring models cannot incorporate customer support data unless purposes are compatible and disclosed.

This principle prevents "function creep"—gradual expansion of data usage beyond original intentions. Organizations must document specific purposes at collection and limit downstream usage accordingly.

Data Minimization

Collect only data that is necessary and adequate for the stated purposes. Question whether each form field, tracking parameter, or third-party data enrichment genuinely serves a business need rather than building a "nice to have" data lake. Forms requesting unnecessary information (personal interests unrelated to the business purpose, excessive demographic details) violate the minimization principle.

B2B practices like progressive profiling—collecting few fields initially, gradually enriching over time—align with minimization by balancing data needs with user experience and privacy impact.

Accuracy

Organizations must maintain accurate, current data and enable corrections. Inaccurate firmographic data or outdated contact information violates this principle. Regular data cleansing, duplicate detection, and providing mechanisms for individuals to update records satisfy accuracy obligations.

Storage Limitation

Retain data only as long as necessary for processing purposes. Unlike regulations specifying retention periods, GDPR requires organizations to justify retention based on business necessity, legal obligations, and legitimate interests.

Common B2B retention practices:
- Active customers: throughout relationship plus 3-7 years for contract/financial obligations
- Inactive leads: 2-3 years, then purge unless re-engaged
- Marketing engagement: 3 years of inactivity triggers deletion
- Consent records: maintain for statute of limitations periods (6-7 years)

Automated deletion workflows enforce these periods consistently; manual cleanup leaves compliance gaps.
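A retention engine that encodes the practices listed above, added here as an illustration (it is not code from the original page or from any product). Each record carries a category and a last-activity date, a legal hold overrides every purge rule, an active customer relationship is never purged, and an undocumented category fails closed. The single-year values are constructed choices within the ranges given above, not periods prescribed by GDPR, and the record ids and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Union

# Retention periods in years. The text gives ranges (e.g. inactive leads 2-3 years);
# the single values below are constructed choices for this example.
RETENTION_YEARS = {
    "active_customer": 7,       # counted from the end of the relationship (contract/financial obligations)
    "inactive_lead": 3,         # counted from last engagement, then purge unless re-engaged
    "marketing_engagement": 3,  # 3 years of inactivity triggers deletion
    "consent_record": 7,        # statute-of-limitations period for proving consent
}


@dataclass
class Record:
    record_id: str
    category: str                       # key of RETENTION_YEARS
    last_activity: date                 # last engagement, or relationship end date for customers
    relationship_active: bool = False   # live customer relationship: never purged while it lasts
    legal_hold: bool = False            # litigation hold overrides every purge rule


@dataclass
class Decision:
    record_id: str
    action: str                         # "retain" or "delete"
    reason: str
    purge_after: Optional[date] = None  # earliest date the record becomes eligible for deletion


def add_years(d: date, years: int) -> date:
    """Calendar-exact year arithmetic (timedelta has no 'years'); 29 Feb rolls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(rec: Record, today: Union[date, str]) -> Decision:
    today = date.fromisoformat(today) if isinstance(today, str) else today
    if rec.category not in RETENTION_YEARS:
        # Fail closed: a data class with no documented retention period has no justified retention.
        raise ValueError(f"no retention rule documented for category {rec.category!r}")
    if rec.legal_hold:
        return Decision(rec.record_id, "retain", "legal hold in force")
    if rec.category == "active_customer" and rec.relationship_active:
        return Decision(rec.record_id, "retain", "customer relationship still active")
    years = RETENTION_YEARS[rec.category]
    purge_after = add_years(rec.last_activity, years)
    if today >= purge_after:
        return Decision(rec.record_id, "delete", f"{years}-year retention period elapsed", purge_after)
    return Decision(rec.record_id, "retain", "within retention period", purge_after)


def run_purge(records: List[Record], today: Union[date, str]) -> Tuple[List[str], List[Decision]]:
    """Return the ids due for deletion plus every decision (the decisions are the audit trail).
    A real job would hand the ids to each system's delete API (CRM, marketing automation, warehouse)."""
    decisions = [retention_decision(r, today) for r in records]
    return [d.record_id for d in decisions if d.action == "delete"], decisions


# Constructed sample records for a run on 2026-01-16.
SAMPLE_RECORDS = [
    Record("cust-1", "active_customer", date(2020, 3, 1), relationship_active=True),
    Record("cust-2", "active_customer", date(2018, 1, 1)),          # relationship ended 2018 -> eligible 2025-01-01
    Record("lead-1", "inactive_lead", date(2022, 6, 1)),            # eligible 2025-06-01
    Record("lead-2", "inactive_lead", date(2024, 6, 1)),            # eligible 2027-06-01
    Record("eng-1", "marketing_engagement", date(2021, 9, 30), legal_hold=True),
    Record("consent-1", "consent_record", date(2018, 5, 25)),       # eligible 2025-05-25
    Record("lead-3", "inactive_lead", date(2024, 2, 29)),           # leap day -> eligible 2027-02-28
]

if __name__ == "__main__":
    due, decisions = run_purge(SAMPLE_RECORDS, "2026-01-16")
    for d in decisions:
        print(f"{d.record_id:10} {d.action:7} {d.reason} (eligible {d.purge_after})")
    print("due for deletion:", due)
```

The decision list, not just the id list, is what goes into the audit log: it records why each record was kept, which is the evidence the accountability principle asks for.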

Integrity and Confidentiality (Security)

Implement "appropriate technical and organizational measures" protecting against unauthorized access, loss, or damage. Requirements scale with sensitivity—healthcare data requires stronger controls than business contact information.

Security measures include encryption (at rest and in transit), access controls based on job function, regular security testing, incident response procedures, and vendor security assessments. Data clean rooms provide privacy-preserving analysis without exposing individual records.

Accountability

Organizations must demonstrate GDPR compliance through documentation: privacy policies, consent records, Data Processing Agreements, legitimate interests assessments, data protection impact assessments, training records, and audit logs. "Compliance by assertion" doesn't suffice—regulatory inquiries demand proof.

Appointing Data Protection Officers (when required), conducting regular audits, maintaining processing records, and documenting decisions create accountability infrastructure enabling compliance demonstration.

Data Subject Rights

GDPR grants individuals eight fundamental rights regarding their personal data:

Right of Access (Article 15)

Individuals can request confirmation of data processing and obtain copies of their data. Organizations must provide:
- All personal data held
- Processing purposes and legal basis
- Data categories and sources
- Retention periods
- Recipients (who data was shared with)
- Automated decision-making logic

Response timeline: 1 month (extendable to 3 months for complex requests). First copy must be provided free of charge.

B2B implementation: Build data subject access request (DSAR) portals aggregating data from CRM, Customer Data Platform, marketing automation, support systems, and data warehouses into comprehensive exports.

Right to Rectification (Article 16)

Individuals can correct inaccurate or incomplete personal data. Organizations must update records and notify recipients if data was shared with third parties.

B2B implementation: Provide profile update mechanisms, implement change propagation across systems via identity resolution, and maintain audit trails of corrections.

Right to Erasure/"Right to be Forgotten" (Article 17)

Individuals can request deletion when:
- Data no longer necessary for original purpose
- Consent withdrawn and no other legal basis exists
- Objection exercised and no overriding legitimate grounds
- Data unlawfully processed
- Legal obligation requires erasure

Exemptions apply for legal claims, contract fulfillment, and public interest. Pseudonymization (removing direct identifiers while maintaining statistical utility) may satisfy erasure requirements for analytics.

B2B implementation: Build automated deletion workflows removing data from production systems, backups, and third-party processors. Document exemptions when requests cannot be fully honored.
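The pseudonymization route to erasure mentioned above, as an added example (not code from the original page): direct identifiers are removed and replaced with a keyed HMAC pseudonym so that aggregate analytics still join on a stable token, while a guard checks that no identifier survives in the output. One caveat a practitioner should keep in mind: GDPR treats pseudonymised data as personal data for as long as the key exists, so the key must live separately from the analytics store and be destroyed when the link is no longer needed. The key, field lists, sample lead and function names are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Fields that identify a person directly; they are removed on erasure.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ip_address", "linkedin_url"}
# Fields with statistical utility that carry no direct identifier; they are kept.
ANALYTICS_FIELDS = {"industry", "company_size_band", "country", "lead_source", "product_usage_events"}

# Constructed key for the example. In production it lives in a KMS/HSM, separately from the
# analytics store; destroying it is what finally severs the link to the individual.
PSEUDONYM_KEY = b"example-key-replace-with-kms-managed-secret"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: same input -> same token (joins still work), but unlike a plain SHA-256
    of the address it cannot be matched against a list of e-mail addresses without the key."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise_for_analytics(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Erase the direct identifiers but keep the vetted aggregate-level fields, keyed by a pseudonym."""
    if "email" not in record:
        raise ValueError("record has no e-mail address to derive the pseudonym from")
    out: Dict[str, Any] = {"subject_pseudonym": pseudonym(record["email"], key)}
    for field_name in ANALYTICS_FIELDS:
        if field_name in record:
            out[field_name] = record[field_name]
    # Everything else (free-text notes, job title, ...) is dropped: it is neither a direct
    # identifier we blanked nor a field vetted as non-identifying.
    return out


def contains_direct_identifier(record: Dict[str, Any]) -> bool:
    """Guard to run on the output before it is written to the analytics store."""
    return any(f in record for f in DIRECT_IDENTIFIERS)


def erasure_log_entry(record: Dict[str, Any], key: bytes, request_id: str) -> str:
    """Audit entry proving the erasure happened, without re-storing the identifier itself."""
    return json.dumps({
        "request_id": request_id,
        "subject_pseudonym": pseudonym(record["email"], key),
        "fields_erased": sorted(f for f in record if f in DIRECT_IDENTIFIERS),
        "fields_retained": sorted(f for f in record if f in ANALYTICS_FIELDS),
    }, sort_keys=True)


# Constructed sample lead, as exported from a marketing automation system.
SAMPLE_LEAD = {
    "name": "Jane Example",
    "email": "Jane.Example@acme.example",
    "phone": "+44 20 0000 0000",
    "job_title": "VP Marketing",
    "notes": "met at trade show, asked about pricing",
    "industry": "software",
    "company_size_band": "201-500",
    "country": "DE",
    "lead_source": "webinar",
    "product_usage_events": 14,
}

if __name__ == "__main__":
    row = pseudonymise_for_analytics(SAMPLE_LEAD, PSEUDONYM_KEY)
    assert not contains_direct_identifier(row)
    print(json.dumps(row, indent=2))
    print(erasure_log_entry(SAMPLE_LEAD, PSEUDONYM_KEY, "DSR-0001"))
```

The allow-list of analytics fields is deliberate: dropping only the known identifiers would leave free-text fields such as the notes, which routinely contain names and other identifying detail.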

Right to Restriction (Article 18)

Individuals can request processing suppression (not deletion) when disputing accuracy, challenging lawfulness, or objecting to processing. Restricted data can be stored but not actively processed.

B2B implementation: Flag accounts as "restricted" in systems, suppress from email campaigns and behavioral signals tracking, but maintain for contract fulfillment or legal obligations.

Right to Data Portability (Article 20)

Individuals can receive their data in structured, machine-readable format (JSON, CSV) and transmit to another controller. Applies to data provided by individual (not derived/inferred data) when processing is based on consent or contract.

B2B implementation: Build export functionality providing complete data packages enabling migration to competitors—turning compliance burden into customer empowerment signal.
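An added example (not code from the original page) serving both the Article 15 access portal described earlier and the Article 20 export above: a constructed processing inventory lists, per system, the purpose, legal basis, retention period, recipients and the origin of each field; identity resolution matches the subject across systems on a normalised e-mail address; the access response bundles the data with that metadata and the one-month deadline; the portability export keeps only fields the subject provided under consent or contract, so derived lead scores, observed behaviour and bought enrichment are left out. All system names, records and addresses are constructed.

```python
import json
from datetime import date
from typing import Any, Dict, Union

# Constructed processing inventory, one entry per system, carrying the metadata Article 15 asks
# for alongside the data. "origin" separates what the subject provided from what was observed,
# derived or bought, which decides what Article 20 portability has to include.
SYSTEMS: Dict[str, Dict[str, Any]] = {
    "crm": {
        "purpose": "account management and contract performance", "legal_basis": "contract",
        "retention": "relationship plus 7 years", "recipients": ["CRM SaaS vendor (processor)"],
        "origin": {"name": "provided", "job_title": "provided", "account": "provided"},
        "records": {"john@acme.example": {"name": "John Example", "job_title": "VP Marketing", "account": "Acme Corp"}},
    },
    "marketing_automation": {
        "purpose": "newsletter and event communications", "legal_basis": "consent",
        "retention": "until withdrawal, then 3 years of inactivity", "recipients": ["e-mail service provider (processor)"],
        "origin": {"newsletter_opt_in": "provided", "pages_viewed": "observed", "lead_score": "derived"},
        "records": {"john@acme.example": {"newsletter_opt_in": True, "pages_viewed": 12, "lead_score": 82}},
    },
    "support": {
        "purpose": "customer support", "legal_basis": "contract",
        "retention": "3 years after ticket closure", "recipients": ["helpdesk vendor (processor)"],
        "origin": {"tickets": "provided"},
        # Stored with different casing: identity resolution has to normalise before matching.
        "records": {"John@Acme.example": {"tickets": ["SSO login failure", "invoice copy"]}},
    },
    "enrichment": {
        "purpose": "B2B prospect qualification", "legal_basis": "legitimate interests",
        "retention": "refreshed or purged every 12 months", "recipients": [],
        "origin": {"seniority": "third-party"},
        "records": {"john@acme.example": {"seniority": "executive"}},
    },
}
PORTABLE_BASES = {"consent", "contract"}   # Article 20 applies only to these bases


def normalise_email(email: str) -> str:
    return email.strip().lower()


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic for the response deadline; 31 Jan + 1 month clamps to end of Feb."""
    year, month = divmod(d.month - 1 + months, 12)
    year, month = year + d.year, month + 1
    for day in (d.day, 30, 29, 28):
        try:
            return date(year, month, day)
        except ValueError:
            continue
    raise ValueError("no valid day found")


def locate_subject(email: str) -> Dict[str, Dict[str, Any]]:
    """Identity resolution across systems on the normalised e-mail address."""
    wanted = normalise_email(email)
    return {system: data for system, meta in SYSTEMS.items()
            for stored, data in meta["records"].items() if normalise_email(stored) == wanted}


def access_response(email: str, received: Union[date, str]) -> Dict[str, Any]:
    """Article 15 response: the data plus purpose, legal basis, origin, retention and recipients per system."""
    received = date.fromisoformat(received) if isinstance(received, str) else received
    systems = {}
    for system, data in locate_subject(email).items():
        meta = SYSTEMS[system]
        systems[system] = {"data": data, "purpose": meta["purpose"], "legal_basis": meta["legal_basis"],
                           "sources": {f: meta["origin"].get(f, "unknown") for f in data},
                           "retention": meta["retention"], "recipients": meta["recipients"]}
    return {"subject": normalise_email(email), "received": received.isoformat(),
            "respond_by": add_months(received, 1).isoformat(),   # one month; any extension must be justified
            "systems": systems}


def portability_export(email: str) -> str:
    """Article 20 package: only data the subject provided, only where the basis is consent or contract."""
    export = {}
    for system, data in locate_subject(email).items():
        meta = SYSTEMS[system]
        if meta["legal_basis"] in PORTABLE_BASES:
            provided = {f: v for f, v in data.items() if meta["origin"].get(f) == "provided"}
            if provided:
                export[system] = provided
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(json.dumps(access_response("JOHN@acme.example", "2026-01-16"), indent=2))
    print(portability_export("john@acme.example"))
```

Keeping the per-field origin in the inventory is what makes the two responses differ correctly: the access response discloses the derived lead score and the bought seniority attribute, the portability package does not.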

Right to Object (Article 21)

Individuals can object to processing based on legitimate interests or for direct marketing purposes. Organizations must stop processing unless demonstrating compelling legitimate grounds overriding individual interests.

B2B implementation: Provide opt-out mechanisms for marketing, respect objections immediately across channels, and document legitimate interest overrides when applicable (typically limited to fraud prevention, security).
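A processing gate that enforces the Article 18 restriction flag described above and the Article 21 objection handling here, added as an example (not code from the original page). A restricted subject may only be stored or used for legal claims; an objection to direct marketing is absolute; an objection to other legitimate-interest processing holds unless a documented override exists for that purpose; processing under contract is untouched by a non-marketing objection. The campaign helper turns this into a send list and a suppression list with reasons. Subject addresses, purpose names and the status store are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Purposes an Article 18 restriction still permits: stored, usable for legal claims, nothing else.
RESTRICTION_PERMITS = {"storage", "legal_claims"}
# Objections under Article 21(1) only bite on legitimate-interest or public-task processing;
# direct marketing can be objected to whatever the basis (Article 21(2)-(3)).
OBJECTABLE_BASES = {"legitimate_interests", "public_task"}


@dataclass
class SubjectStatus:
    subject: str
    restricted: bool = False
    objections: Set[str] = field(default_factory=set)            # purposes objected to
    documented_overrides: Set[str] = field(default_factory=set)  # purposes with a documented LIA override


@dataclass
class Verdict:
    allowed: bool
    reason: str


def may_process(status: SubjectStatus, purpose: str, legal_basis: str) -> Verdict:
    if status.restricted and purpose not in RESTRICTION_PERMITS:
        return Verdict(False, "Art. 18 restriction: storage only")
    if purpose in status.objections:
        if purpose == "direct_marketing":
            return Verdict(False, "Art. 21(3): objection to direct marketing is absolute")
        if legal_basis in OBJECTABLE_BASES:
            if purpose in status.documented_overrides:
                return Verdict(True, "Art. 21(1): documented compelling legitimate grounds override objection")
            return Verdict(False, "Art. 21(1): objection upheld, no overriding grounds documented")
    return Verdict(True, "no restriction or objection applies")


def campaign_audience(contacts: List[str], statuses: Dict[str, SubjectStatus],
                      purpose: str, legal_basis: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a send list into deliverable contacts and a suppression list with reasons (the audit trail)."""
    send, suppressed = [], {}
    for contact in contacts:
        verdict = may_process(statuses.get(contact, SubjectStatus(contact)), purpose, legal_basis)
        if verdict.allowed:
            send.append(contact)
        else:
            suppressed[contact] = verdict.reason
    return send, suppressed


def register_objection(statuses: Dict[str, SubjectStatus], subject: str, purpose: str) -> None:
    """Takes effect immediately across channels because every channel consults the same status store."""
    statuses.setdefault(subject, SubjectStatus(subject)).objections.add(purpose)


def register_restriction(statuses: Dict[str, SubjectStatus], subject: str) -> None:
    statuses.setdefault(subject, SubjectStatus(subject)).restricted = True


# Constructed statuses for the example.
STATUSES: Dict[str, SubjectStatus] = {}
register_objection(STATUSES, "alice@acme.example", "direct_marketing")
register_objection(STATUSES, "bob@acme.example", "fraud_prevention")
STATUSES["bob@acme.example"].documented_overrides.add("fraud_prevention")
register_restriction(STATUSES, "carol@acme.example")

if __name__ == "__main__":
    contacts = ["alice@acme.example", "bob@acme.example", "carol@acme.example", "dave@acme.example"]
    send, suppressed = campaign_audience(contacts, STATUSES, "direct_marketing", "legitimate_interests")
    print("send:", send)
    for contact, why in suppressed.items():
        print("suppress", contact, "->", why)
```

Every channel (email, behavioral tracking, enrichment jobs) should call the same gate rather than keep its own opt-out list; that is what makes "respect objections immediately across channels" achievable in practice.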

Rights Related to Automated Decision-Making and Profiling (Article 22)

Individuals can opt out of decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant impacts. Organizations must provide human review mechanisms when automated decisions determine credit, employment, contracts, or similar consequential outcomes.

B2B implementation: Lead scoring models automating sales prioritization trigger disclosure requirements. If scores determine pricing, contract terms, or service levels (significant impact), individuals can request human review and explanation of decision logic.

GDPR Compliance Requirements

Organizations processing EU data must implement comprehensive compliance programs:

Data Protection Officer (DPO)

DPO appointment is mandatory when:
- Processing by public authority
- Core activities involve large-scale systematic monitoring
- Large-scale processing of special category data (health, biometric, racial/ethnic, political opinions)

Many B2B organizations voluntarily appoint DPOs even when not strictly required, as DPOs demonstrate commitment to compliance and serve as regulatory contact points.

DPO responsibilities include:
- Monitoring GDPR compliance
- Advising on data protection impact assessments
- Training staff on privacy obligations
- Serving as contact for supervisory authorities and data subjects
- Conducting internal audits and compliance reviews

Data Protection Impact Assessment (DPIA)

DPIAs are required when processing poses high risk to individual rights—particularly for new technologies, large-scale profiling, or sensitive data. Customer Data Platforms implementing identity resolution across channels typically warrant DPIAs given comprehensive behavior tracking.

DPIA components:
1. Description of processing operations and purposes
2. Assessment of necessity and proportionality
3. Identification of risks to individual rights
4. Evaluation of mitigation measures
5. Documentation of decisions and safeguards

DPIAs must be conducted before commencing high-risk processing and updated when circumstances change.

Records of Processing Activities

Organizations must maintain detailed records documenting:
- Controller/processor identity and contact details
- Processing purposes
- Data subject categories (customers, leads, employees)
- Personal data categories (contact info, behavioral data, financial)
- Recipient categories (vendors, partners, advertising platforms)
- International transfers and safeguards
- Retention periods
- Security measures

These records prove compliance during regulatory audits and inform data subject rights responses.

Data Processing Agreements (DPAs)

Controllers must execute DPAs with all processors handling personal data on their behalf—marketing automation platforms, CDPs, analytics providers, cloud infrastructure, email service providers.

DPAs must specify:
- Processing scope, purpose, and duration
- Data types and subject categories
- Controller instructions and processor obligations
- Security measures required
- Sub-processor authorization and management
- Data subject rights assistance
- Breach notification procedures
- Post-termination data return or deletion

GDPR Article 28 establishes minimum DPA requirements—pre-GDPR vendor agreements likely lack necessary provisions.

International Data Transfers

Transferring personal data from EU to countries lacking "adequacy decisions" (GDPR-level protections) requires specific safeguards:

Standard Contractual Clauses (SCCs): European Commission-approved contract templates establishing data protection obligations for importers. Following Schrems II ruling invalidating EU-US Privacy Shield, SCCs represent primary mechanism for transatlantic transfers—but organizations must assess whether importer country laws (US surveillance, for example) undermine SCC protections.

Binding Corporate Rules (BCRs): Multinational corporations can adopt internal policies approved by supervisory authorities enabling intra-group transfers.

Specific Situation Derogations: Limited exceptions for consent-based transfers, contract necessity, vital interests, public interest, legal claims, and compelling legitimate interests—narrow interpretations apply, making these unsuitable for ongoing business operations.

Most B2B SaaS providers rely on SCCs combined with supplementary measures (encryption, pseudonymization, access controls) addressing importer country risks.

Breach Notification

Supervisory Authority Notification: Data breaches must be reported to relevant supervisory authority within 72 hours of discovery unless breach poses no risk to individual rights. Notifications must describe:
- Nature of breach and data categories affected
- Approximate number of individuals and records impacted
- Likely consequences for individuals
- Measures taken or proposed to address breach and mitigate harm
- Contact point for additional information

Late notifications require justification for delay. "Discovery" means when organization had reasonable degree of certainty that security incident occurred and involved personal data.

Individual Notification: When breach poses high risk to individual rights and freedoms (identity theft, financial loss, discrimination), organizations must notify affected individuals "without undue delay." Notifications should explain breach in clear language and advise individuals on protective steps.

Exceptions: Notification not required if appropriate technical protections (encryption) render data unintelligible, subsequent measures eliminate high risk, or notification involves disproportionate effort (public communication may substitute).

Penalties and Enforcement

GDPR establishes two-tiered penalty structure:

Tier 1 (€10 million or 2% of global annual turnover): Violations of processor obligations, data transfer rules, supervisory authority orders, or certification requirements.

Tier 2 (€20 million or 4% of global annual turnover): Violations of core principles, data subject rights, consent conditions, or lawfulness requirements.

Penalty calculation considers violation nature, duration, scope, intent, mitigation actions, cooperation with authorities, and prior infringements. Organizations demonstrating good faith compliance efforts, prompt breach disclosure, and corrective actions receive more favorable treatment than those with negligent or willful violations.

Enforcement Trends: Early GDPR enforcement targeted tech giants (Google €50M, Amazon €746M, Meta €1.2B) establishing precedents. Recent enforcement increasingly affects mid-market B2B companies, particularly for:
- Inadequate consent mechanisms (pre-checked boxes, unclear language)
- Insufficient data security (breaches from poor access controls)
- Delayed breach notifications (beyond 72-hour requirement)
- Unresponsive data subject rights requests (missing deadlines, incomplete responses)
- Unlawful marketing practices (cold email without legitimate basis, continued contact after opt-out)

B2B GTM Compliance Strategies

Email Marketing and Consent Management

Acquisition Consent: B2B cold email navigates "legitimate interests" vs. consent debate. GDPR permits processing for legitimate interests if balanced against privacy impact, but interpretations vary across member states. Conservative approach: obtain explicit consent for marketing emails, rely on legitimate interests only for truly relevant B2B prospecting (targeting appropriate job functions with relevant business propositions).

Opt-In Mechanisms: Present clear, specific consent requests at appropriate moments—newsletter signups, content downloads, event registrations. Pre-checked boxes violate GDPR; users must take affirmative action. Granular consent (separate choices for newsletter, product updates, promotional offers) empowers users and improves engagement quality.

Preference Centers: Enable subscribers to manage communication frequency, topics, and channels. Giving subscribers control reduces unsubscribes, and visibly respecting their preferences strengthens brand perception.

Website Tracking and Cookies

Cookie Consent: Non-essential cookies (analytics, advertising, tracking) require consent before placement. Essential cookies (site functionality, security, load balancing) don't require consent but need disclosure.

Consent management platforms present cookie banners categorizing cookies (necessary, functional, analytics, advertising), allowing granular acceptance/rejection, and enforcing choices by blocking non-consented tracking.

Continued browsing doesn't constitute valid consent—users must take affirmative action (clicking "Accept" button). Cookie walls (blocking site access unless accepting cookies) violate GDPR's "freely given" consent requirement.
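An added example (not code from the original page) of how the consent rules in the email marketing section and the cookie section above can be enforced in one place: an append-only consent ledger that refuses to record "consent" evidenced by a pre-checked default or continued browsing, answers per-purpose checks for both email sends and cookie placement (essential cookies pass without consent), handles withdrawal, and keeps the full history as proof. A small linter for banner configuration flags cookie walls, missing reject buttons, pre-selected non-essential categories and consent-on-scroll; both the weak and the corrected configuration are constructed for the example, as are the subject addresses and purpose names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Cookie categories as a typical banner presents them; only "necessary"
# (site functionality, security, load balancing) may be set without consent.
ESSENTIAL_CATEGORIES = {"necessary"}
# Evidence types that are not an affirmative action and therefore never valid consent.
NON_AFFIRMATIVE = {"continued_browsing", "scrolled", "prechecked_default", "implied"}
SAMPLE_TIME = datetime(2026, 1, 16, 9, 0, tzinfo=timezone.utc)   # constructed timestamp


@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str          # "newsletter", "product_updates", "analytics", "advertising", ...
    granted: bool         # False records a refusal or a withdrawal
    action: str           # how the choice was expressed: "ticked_box", "clicked_accept", "clicked_reject", ...
    at: datetime          # timezone-aware
    notice_version: str   # the privacy notice shown at the time, for accountability


class ConsentLedger:
    """Append-only per (subject, purpose); the latest event is the current state."""

    def __init__(self) -> None:
        self._events: Dict[str, Dict[str, List[ConsentEvent]]] = defaultdict(lambda: defaultdict(list))

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if ev.granted and ev.action in NON_AFFIRMATIVE:
            # Pre-checked boxes and continued browsing are not freely given, specific, informed consent.
            raise ValueError(f"{ev.action!r} is not an affirmative action; consent not recorded")
        self._events[ev.subject][ev.purpose].append(ev)

    def withdraw(self, subject: str, purpose: str, at: datetime, notice_version: str) -> None:
        self.record(ConsentEvent(subject, purpose, False, "clicked_withdraw", at, notice_version))

    def has_consent(self, subject: str, purpose: str) -> bool:
        history = self._events.get(subject, {}).get(purpose, [])
        return bool(history) and history[-1].granted

    def may_set_cookie(self, subject: str, category: str) -> bool:
        return category in ESSENTIAL_CATEGORIES or self.has_consent(subject, category)

    def proof(self, subject: str, purpose: str) -> List[ConsentEvent]:
        """Full history for one purpose: the record a supervisory authority asks for."""
        return list(self._events.get(subject, {}).get(purpose, []))


def validate_banner(config: Dict) -> List[str]:
    """Lint a cookie-banner configuration against the 'freely given' and 'affirmative action' rules."""
    issues = []
    if config.get("block_site_until_accept"):
        issues.append("cookie wall: site access must not depend on accepting non-essential cookies")
    if "reject_all" not in config.get("buttons", []):
        issues.append("no reject option offered alongside accept")
    for category, default_on in config.get("defaults", {}).items():
        if default_on and category not in ESSENTIAL_CATEGORIES:
            issues.append(f"category {category!r} is pre-selected; non-essential categories must default to off")
    if config.get("consent_on_scroll"):
        issues.append("scrolling/continued browsing is not affirmative consent")
    return issues


# Constructed banner configurations: a weak one and its corrected form.
WEAK_BANNER = {"block_site_until_accept": True, "buttons": ["accept_all"],
               "defaults": {"necessary": True, "analytics": True, "advertising": True}, "consent_on_scroll": True}
GOOD_BANNER = {"block_site_until_accept": False, "buttons": ["accept_all", "reject_all", "customise"],
               "defaults": {"necessary": True, "analytics": False, "advertising": False}, "consent_on_scroll": False}

if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("jane@acme.example", "analytics", True, "clicked_accept", SAMPLE_TIME, "v3"))
    print("analytics cookie allowed:", ledger.may_set_cookie("jane@acme.example", "analytics"))
    print("advertising cookie allowed:", ledger.may_set_cookie("jane@acme.example", "advertising"))
    print("weak banner issues:", validate_banner(WEAK_BANNER))
```

The ledger records refusals and withdrawals as events rather than deleting the grant, so the history still shows what was asked, under which notice version, and when the answer changed.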

Lead Generation and Scoring

Progressive Profiling: Collect minimal data initially (name, email, company), enriching profiles gradually as engagement deepens. This aligns with data minimization while building comprehensive profiles over time.

Scoring Transparency: Lead scoring constitutes profiling under GDPR. When scores determine significant outcomes (pricing, contract terms, service levels), organizations must disclose automated decision-making, explain logic, and provide opt-out mechanisms.

Enrichment Considerations: Appending firmographic or technographic data from third-party sources requires a legal basis—typically legitimate interests for company-level attributes, or consent for personal enrichment. Document legitimate interests assessments weighing business needs against privacy expectations.

Frequently Asked Questions

Does GDPR apply to B2B data about companies?

GDPR protects personal data relating to identified or identifiable individuals. Company-level information (firmographic data like revenue, industry, employee count) isn't personal data. However, data about individuals at companies—names, email addresses, job titles, behavioral patterns—falls fully under GDPR regardless of B2B context. "john@acme.com" is personal data; "Acme Corp has 500 employees" is not. B2B organizations cannot avoid GDPR by claiming they process business rather than personal data when their databases contain individual identifiers and activity.

What's the difference between controllers and processors under GDPR?

Controllers determine purposes and means of processing (your company deciding to collect leads and score them), while processors handle data on controllers' behalf (marketing automation platform executing scoring rules). Controllers hold primary compliance responsibility, including establishing lawful basis, respecting data subject rights, and ensuring processor compliance through Data Processing Agreements. Processors must follow controller instructions, implement security, and assist with rights requests and breach notifications. Most B2B organizations act as controllers for prospect/customer data, with SaaS vendors (Salesforce, Marketo, Segment) acting as processors—though processors may also be controllers for their own business purposes.

Can we still use legitimate interests for B2B marketing after GDPR?

Yes, but with careful documentation and limitations. Legitimate interests permit processing when business needs don't override individual rights and freedoms. B2B prospecting targeting appropriate job functions with relevant propositions may qualify—reaching out to VP Marketing at SaaS companies about marketing automation represents legitimate interest. However, sending consumer retail offers to unrelated contacts, persistent contact after objection, or intrusive tracking don't pass balancing tests. Organizations must conduct and document legitimate interests assessments weighing necessity, alternatives, and privacy impact. When in doubt, obtain consent—it provides clearer legal footing than debating legitimate interests nuances.

How does GDPR affect third-party cookies and advertising?

GDPR requires consent for non-essential cookies, including advertising and tracking cookies. Continued browsing doesn't constitute valid consent—users must affirmatively accept. Browser restrictions (Safari, Firefox blocking third-party cookies; Chrome's upcoming deprecation) make cookie-based advertising unreliable regardless of regulatory compliance. Privacy-forward alternatives include server-side tracking, authenticated user experiences with first-party signals, contextual advertising (content-based rather than user-based targeting), data clean rooms, and cohort approaches grouping users anonymously. B2B strategies increasingly emphasize direct customer relationships and owned channels over third-party tracking networks.

What happens if we violate GDPR?

Penalties up to €20M or 4% of global annual turnover—but enforcement considers violation severity, intent, cooperation, and prior compliance efforts. First-time violations with prompt corrective action and good faith compliance programs typically result in warnings or lower fines. Willful violations, negligent security, unresponsive data subject requests, or repeated violations receive harsher penalties. Beyond monetary fines, violations damage brand reputation, erode customer trust, and create competitive disadvantages. Supervisory authorities can also impose processing bans, audits, and temporary restrictions. Proactive compliance through documented policies, regular audits, prompt breach disclosure, and transparent data practices demonstrate good faith reducing penalty risk while building customer trust.

Last Updated: January 16, 2026