The GDPR question most B2B teams get wrong
Most B2B teams think GDPR only matters if they're targeting EU consumers. That assumption is expensive.
The most common GDPR question we get from B2B teams is whether it even applies to them. They sell software to businesses, not products to consumers. Their contacts are all professional email addresses. Surely GDPR is a consumer privacy regulation?
It's not. GDPR covers any personal data belonging to any individual in the EU, regardless of whether they're acting as a consumer or a business professional. A work email address is personal data. A job title attached to a name is personal data. A direct dial phone number linked to an individual is personal data. If you're storing or processing the personal data of EU-based professionals, or contacting them, GDPR applies.
The mistake most teams make is assuming 'legitimate interest' covers everything. It does cover quite a bit — B2B outreach to relevant professionals can fall under legitimate interest. But legitimate interest rests on a balancing test (your interest weighed against the individual's rights and expectations), and you still need to document it. You still need to provide an opt-out. You still need to keep records of where the data came from and when consent or legitimate interest was established.
The enforcement risk for B2B teams has historically been low. Regulators have focused on big tech and egregious consumer violations. But that's shifting. In 2024, several European data protection authorities started paying more attention to B2B data brokers and the companies that buy from them. A fine isn't the only risk — data processing orders can shut down your ability to contact entire markets.
What actually protects you: documented sourcing for every record, a legitimate interest assessment you can produce if asked, clear opt-out mechanisms in every communication, and data retention policies that actually get followed. What doesn't protect you: assuming B2B is exempt, buying lists from providers who can't explain their sourcing, and keeping contacts indefinitely without ever checking if they're still relevant.
We build GDPR documentation into every database we deliver because our clients' compliance risk is our compliance risk. If a regulator asks your team where a specific contact record came from, the answer needs to be better than 'we bought a list.'
Published 2025-09-28