
5th March 2021

Understanding your data: GDPR questions we still get asked today


Posted by Emily Malone

As a business that deals with a lot of B2B data, we still get asked a lot of GDPR-related questions — questions that you may have niggling away at you, too. We’ve written this blog to answer some of the most common B2B GDPR questions we still get asked today.

Please note that though we’re a marketing company that deals with B2B data, we’re not lawyers. If you’re affected by the GDPR, we strongly recommend that someone in your organisation reads it and that you consult a lawyer to ensure you are GDPR compliant.


What is GDPR?

First of all, if you’re a new business that hasn’t had to think about GDPR before, you may need a little background on what GDPR is and what it means for your business.

GDPR stands for General Data Protection Regulation, and is, in its own words, ‘Europe’s newest data privacy and security law that includes hundreds of pages’ worth of new requirements for organizations around the world.’ And even though the UK has now left Europe, we’re still covered by GDPR regulations under the UK GDPR data protection law.

It’s a really great piece of legislation for all of us — there is a huge amount of very personal information that lots of companies hold on us. The GDPR has lots of benefits:

  • It ensures our individual data is looked after correctly and securely.
  • We can transparently see who has our information, what they’re going to do with it, why and how long they’ll retain it.
  • It penalises companies quite severely if our personal data is misused.
  • As a business, your data will be high quality, meaning you’ll get better responses from the data you hold.

However, to achieve this, it’s the toughest privacy and security law we’ve ever had and merits thorough understanding to avoid harsh violation fines. The GDPR includes regulations around the security and lawfulness of things like:

  • Personal data
  • Data processing
  • Consent
  • Privacy rights

The regulation itself (not including the accompanying directives) is 88 pages.

Can I still use my database?

Well, that depends on you! The great thing about the regulation is that you choose which data you hold, why you hold it and the legal basis on which you are holding it. You just need to be very transparent and tell people.

The 6 legal bases for holding data are as follows:

  • Legitimate interest
  • Consent
  • A contract
  • A vital interest
  • A legal obligation
  • A public interest.

The 2 main bases that companies have used to process personal data for marketing purposes are legitimate interest and consent.

If you use consent, then you need to be able to demonstrate you have their consent, for what reason you have it, and how long their consent lasts.

However, if you’ve used legitimate interest from the get-go, then yes, your data is totally fine to be used!

If you’re unsure about whether legitimate interests apply, you can undertake a Legitimate Interests Assessment (LIA).

What is legitimate interest?

The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’

Legitimate interest is the most flexible of the GDPR’s lawful bases for processing personal data. Theoretically, it applies whenever an organisation uses personal data in a way that the data subject would expect.

If you can substantiate your reasoning, a legitimate interest can be a way for you to reach your target data without their written consent.

However, you will still need to show that there is a balance of interests – your own and those of the person receiving the marketing.

The UK GDPR doesn’t actually define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate for you to start up a new business activity or to grow your business, where direct marketing is the only way to effectively do that.

Whilst any purpose could potentially be relevant, anything illegitimate, unethical, or unlawful is not a legitimate interest.

Under GDPR, is email marketing dead?

No, email is still covered legally under the GDPR. As long as your data is GDPR-compliant, there is no reason you can’t email your data.

Think about the last time you received a sales or marketing email. I’ll take a wild guess and say it was this morning when you were pouring your first cup of morning coffee.

Email is still a vital aspect of sales. If we’re talking best practice, you just need to make sure you’re sending the right kind of email to those who are likely to appreciate them. Think about the spammy emails you sometimes get sent that just aren’t relevant to you. Are you thankful for them, or are they annoying as hell?

There are lots of ways to make sure you’re not that guy. This includes setting up relevant, targeted and timely emails for your campaigns, and making sure they provide valuable content that your contacts are going to find useful.

So no, email certainly isn’t dead — just make sure your data is GDPR-compliant and that the emails you’re sending comply with the PECR.

Wait… what is the PECR?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communication areas such as:

  • Marketing by electronic means, including marketing calls, texts, emails and faxes.
  • The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
  • Security of public electronic communications services.
  • Privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return), and directory listings.

You can read more about PECR here.

Can I email contacts to ask for consent?

No. Contrary to what many unlucky businesses believed before GDPR came into effect, you don’t have to have documented consent if you chose legitimate interest as your legal basis (our poor, poor inboxes).

Now GDPR is in effect, if you’re using the reason of consent as the legal basis to hold your data and didn’t have their consent at the point of collecting their data, you’re now not allowed to hold or email these people.

However, again, if you chose legitimate interest to be the legal basis for holding your database from the beginning and can prove that it is legitimate and lawful, you won’t need their consent.

I told my database that we needed them to opt-in but very few did, can I still use the database?

Unfortunately, because you went down the route of consent being your grounds for holding and using your data, it would be harder to switch to legitimate interest and be able to justify it legally.

Take care to get it right the first time — you shouldn’t swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.

My database doesn’t have job titles or industry information on it, can I still use it?

The more information you have about your database, the more personalised and relevant you can be with your communications and the easier it’ll be to demonstrate legitimate interest for your business.

Legality aside – missing job titles and industry information can also lead to you sending wasted, irrelevant comms to people who won’t respond and may even mark your email as spam. It would also be harder to justify legitimate interest for your business.

Can we email prospects under GDPR?

Yes! As long as your data falls under the guidelines of GDPR and your emails comply with PECR, you can email your prospects.

I don’t know how old my data is or where it came from, can I still use it?

No, as under the GDPR you would have to disclose where your data came from should a data subject ask for it. Besides, if your data is outdated and you have no idea where it came from, you really shouldn’t be relying on it to result in sales anyway.

Old data has consequences like high bounce rates from ‘dead’ email addresses which will get you banned from most email marketing platforms, as well as not pulling in good quality leads, if any at all.

It’s incredibly important to your business to keep tabs on your data and ensure it’s looked at and updated on a regular basis.

I haven’t got consent, can I still email contacts?

Yes, if there’s a legitimate interest that can be proven or you’re using one of the other legal bases, you can still email contacts without their consent.

Do I need consent to use legitimate interest?


I have a lot of personal, Gmail etc., emails, can I still use them?

Gmail and personal emails can be used if they have given consent. Under PECR, you have to be able to demonstrate that somebody has opted in to use a personal email address. If you haven’t got opt-in, you shouldn’t use them.

It’s important to note that sole traders and partnerships are personal emails too. You can only email limited companies and partnerships without their consent.

My friend told me that legitimate interest isn’t for email marketing and I need to delete my data, is that correct?

No, that is not correct. But both the GDPR and PECR tie into each other here.

Under GDPR, you can absolutely hold your data for email marketing as long as it’s under the legal basis of legitimate interest.

And for the PECR-compliant emails, you need to make sure you’re using business email addresses and sending relevant information that the recipients would expect to receive for their job. You also need to be sure to include a subscription preferences link so they can opt-out of further comms if they want to.

Can I email my B2B list with my wife’s company holiday offers?

No, you can’t, as that doesn’t fall into the grounds of legitimate interest for your own business — and you need to remember that the PECR comes into play here too.

Just because you’re emailing a business address doesn’t mean you can email them anything you like – it must be something that person would expect to receive for their job.

This scenario would be classed as consumer marketing, and you’d need their consent to do so.


These are just some of the questions we’ve been asked recently, but if there’s an answer you were looking for that you didn’t find here, feel free to get in touch!

At Shortlist Marketing, we understand data. Better yet, we understand how it impacts the success of your lead generation and direct marketing campaigns. We will always work with our clients to ensure they are within any relevant regulations.

With the right database, you’ll save time, money and effort by ensuring you only target those who are likely to buy from you. But if you need help reaching your target market, we can help. We’re currently offering a free no-obligation data count, so you can understand your current data count and identify more of your target market.

We’ll uncover:

  • What percentage of your target data you currently have in your database
  • If there are more data available for a complete picture of your target market.
  • How to access 100% of your target data.

Just click the link below to request yours!

