The GDPR Compliance Guide for B2B Organizations

The General Data Protection Regulation (GDPR) was created to provide individuals more control over their personal data and to help ensure that personal data is adequately protected when it is collected, stored, and processed by businesses. Any company conducting business in the European Union (EU) must comply with the rules and regulations laid out by GDPR or risk facing hefty fines. 

Responsible business leaders should have a comprehensive understanding of GDPR, including what it is, how it relates to them, the most commonly asked questions about GDPR and data usage, and how to remain GDPR compliant with B2B marketing and sales. 

What is GDPR?

In April 2016, all the countries in the EU adopted GDPR regulations and it officially went into effect on 25 May 2018. The GDPR established guidelines for greater transparency, confidentiality, and accountability for the collection and use of personal data in the EU. It predates privacy legislation in most other countries and often serves as a template for new laws on data privacy and security around the world.

The GDPR replaced the EU’s Data Protection Directive (DPD). A “directive” allows EU member countries to choose whether or not to enact similar laws, which they can customize. A “regulation” requires all members to enact the law in full. The GDPR replaced the DPD because: 

  1. The GDPR granted citizens more control over their personal data and was designed so that data controllers and processors were required to protect personal data.
  2. The Data Protection Directive was enacted in the internet’s infancy and no longer addressed everything that needed to be covered.
  3. There were benefits to enacting an EU-wide law instead of having different versions throughout the member countries. 

Why Was GDPR Created in the EU?

The GDPR stems from concerns over how individuals’ personal data is collected, stored, and used. Almost all modern businesses collect and analyze personal data. Think about how many web forms you’ve filled out in your life with your information — first name, last name, email address, home address, employer, credit card information, etc.

As technology advances, our digital footprints continue to expand. The amount of data created and collected each day is growing exponentially. In fact, it’s estimated there are 40 times more bytes in the digital universe than there are stars in the observable universe. 

As the internet evolved, the need for more comprehensive privacy regulations quickly emerged. Decades-old legislation that protected names, addresses, and images was no longer enough to protect personal data. GDPR was introduced to bring regulations up to speed with the current state of technology. 

Note: The UK has its own framework known as the UK GDPR. While the GDPR stopped being “directly applicable” when the UK exited the EU in December 2020, the Data Protection Act of 2018 retained GDPR requirements in domestic UK law and supplements the UK GDPR by providing exceptions to the law.

What is Considered Personal Data Under GDPR?

GDPR protects any personal data that could be used to identify an individual. This includes physical addresses, phone numbers, job information, and education status, as well as other types of data like IP addresses and biometric data (fingerprints, facial recognition data, etc.). Its official definition of personal data reads as follows:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Who Does GDPR Impact? 

GDPR applies to any company, inside or outside the EU, that processes personal data regarding any EU individuals where the processing relates to the offering of goods or services to those individuals or to the monitoring of data subjects’ behavior within the EU. This means that companies located around the globe that operate in the EU must have a solid plan for GDPR compliance or risk the penalties. 

It’s important to note that a financial transaction does not need to take place for GDPR regulations to apply. Even if a prospective EU customer never purchases a product or service from your organization, if your organization is subject to the GDPR then you are required to adhere to GDPR requirements when processing that prospective customer’s data.

How are GDPR fines assessed? 

GDPR fines are prioritized and processed differently from country to country. For example, to date, Luxembourg has the largest sum of fines at €746,267,200 across only 19 fines in total, whereas Spain has the most fines at 425, but a far smaller total of €55,524,770. 

Data from enforcementtracker.com

GDPR fines are determined by the following ten criteria:

  1. Gravity and nature: What exactly happened? Why did the infringement occur? How many people were affected? How long did it take to fix? How bad was the damage? 
  2. Intention: Was the violation intentional or the result of negligence? 
  3. Mitigation: Was there action taken to mitigate the damage? 
  4. Degree of responsibility: What level of responsibility is attributable to the organization? Were appropriate security measures implemented? Were efforts made to implement data protection by design and by default?
  5. History: Does the company or organization have a history of infringements under or outside the GDPR?
  6. Cooperation: Is the organization cooperating with data protection regulators? 
  7. Data category: What are the specifics of the type of data affected by the violation? 
  8. Notification: Was the organization proactive in reporting the infringement? 
  9. Certification: Has the company adhered to approved codes of conduct under Article 40 of the GDPR? Has the company adhered to approved certification mechanisms under Article 42?
  10. Aggravating/mitigating factors: Are there any other aggravating or mitigating factors applicable to the case? 

Since the inception of GDPR, “non-compliance with general data processing principles” and “insufficient legal basis for data processing” make up over 50% of the total number of fines and over 75% of the total sum paid.

What is the Difference Between Data Controller and Data Processor? Why is it Important? 

An important aspect of the GDPR is the difference between data controllers and data processors. Under the GDPR, a data controller holds most of the liability should their organization experience a data privacy breach. The data controller is responsible for making sure that any data processors they work with are GDPR compliant. 

Here’s the official definition of the two roles:

Data Controller: 

A natural person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. The data controller controls the methods used for the collection and use of personal data and determines the purposes for which personal data is processed. 

Being a data controller comes with serious legal responsibilities. It’s important that you understand whether the GDPR regulations apply to you as an individual or to your company as a whole. If you’re not sure, we recommend that you consult with a legal advisor familiar with the local laws. 

Data Processor: 

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

This is a person or company who holds or processes personal data at the direction of and on behalf of the data controller. Examples of data processors include third-party vendors such as payroll companies or accountants.

What Does it Mean for a B2B Organization to be GDPR Compliant?

For a company to be GDPR compliant it must abide by these principles:

  • Data must be processed lawfully, fairly, and in a transparent manner
  • Data can only be collected for specified, explicit, and legitimate purposes
  • The scope of the data collected must be adequate, relevant, and limited to what is necessary in order to achieve the purposes for which the data was collected
  • Data must be accurate and kept up to date
  • Data can only be held for the time necessary to accomplish the purposes for which the data is collected and processed, and no longer
  • Data must be processed in a manner that ensures appropriate security of the personal data

If your business falls under GDPR, we recommend that you explore compliance solutions, training, and legal expertise to gain the tools you need to protect yourself and your customers.

What Does GDPR Mean for Consumers?

EU consumers have eight fundamental rights under GDPR:

  1. The right to be informed
    Organizations must be transparent in how they use personal data.
  2. The right of access
    Individuals have the right to know what information is held about them and how it is processed.
  3. The right to rectification
    Individuals are entitled to have personal data rectified if it’s inaccurate or incomplete.
  4. The right to erasure
    Also known as “the right to be forgotten,” individuals have the right to have their personal data deleted or removed.
  5. The right to restrict processing
    Individuals have the right to block or suppress the processing of their personal data in certain circumstances.
  6. The right to data portability
    Individuals have the right to receive their personal data in a commonly used format and transmit that personal data to another entity.
  7. The right to object
    In certain circumstances, individuals are entitled to object to their personal data being used. For example, if a company uses personal data for the purpose of direct marketing, for scientific research, or for the performance of a task in the public interest, individuals may object to the processing for those purposes.
  8. The right to not be subject to automated decision-making and profiling
    GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be subject to a decision that is based solely on automated processing and has legal or similarly significant consequences for them.

Is ZoomInfo GDPR compliant? 

ZoomInfo works to comply with all applicable privacy regulations, including the GDPR. 

Certification & Validation: ZoomInfo’s privacy practices and posture have been independently assessed by multiple third parties. Our attestations include:

  • ISO 27701 Certification
  • TRUSTe GDPR Practices Validation
  • TRUSTe CCPA Practices Validation
  • TRUSTe Enterprise Privacy & Data Governance Certification

Data Accuracy: Data accuracy and completeness are core requirements of data protection laws like the GDPR. More accurate data helps your team ensure compliance, including the ability to effectively serve notice to individuals when required by law, or determine what laws may or may not apply given an individual’s location. 

Understanding that data accuracy is paramount to a robust and effective compliance program, ZoomInfo endeavors to maintain a high degree of accuracy of our information. To aid in this, we employ an in-house research team, composed of over 300 people, to gather, review, and verify the information we provide on our platform.

Transparency: ZoomInfo provides a privacy notice, direct by email, to all addressable contacts regardless of where they are located geographically. The notice establishes transparency in our processing and provides easy mechanisms for individuals to control their information. In particular, this notice tells the individual who we are, what types of data we collect, and informs them that their information may be accessed by our customers for their sales, marketing, and recruiting purposes.

Managing Preferences: Enabling individuals to control their data is essential to maintaining compliance with established privacy laws. In addition to the standard [email protected] email address, we maintain a full self-service Privacy Center (www.zoominfo.com/privacy) where individuals can directly manage their data, including removing their information from our systems. Our full-time privacy fulfillment staff manage these requests, ensuring we process requests in a timely manner.

How does ZoomInfo support its customers in being GDPR compliant?

There are a number of ways in which ZoomInfo supports and encourages customers to achieve compliance. Here’s what you can expect:

Options included with all ZoomInfo subscriptions

ZoomInfo’s Opt-Out List

All individuals are afforded the right to opt out of ZoomInfo’s processing of their data via an opt-out list within the platform. We also require our customers to regularly review the list and remove any contacts they have obtained from ZoomInfo unless they have an independent lawful basis to process such information.

Master Suppression

The Admin user on your account is able to manage a Master Suppression list within the ZoomInfo platform. By uploading your opt-out lists, unsubscribe lists, or internal blacklists into this tool, your opted-out individuals will be scrubbed from your instance of ZoomInfo. 

Do Not Call Toggle

The Admin user can turn on this feature, which will hide phone numbers found in various global Do Not Call registries from your instance of ZoomInfo. Our coverage for this feature is ever evolving, but currently includes the USA, UK (both the TPS and the Corporate TPS), France, Germany, Ireland, Australia, New Zealand, and Canada.

Admin-Defined Dataset

Admin users can upload a list of accounts, limiting what their reps are able to access within the ZoomInfo platform to information related to the uploaded list of accounts.

Notice Provided Date

Each contact record contains an associated “Notice Provided Date” to indicate when ZoomInfo has provided the individual with our Privacy Notice.

Options included with ZoomInfo’s Global Data Passport 

Hide EU Contact Details: If your ZoomInfo subscription contains access to contacts located in the EU/UK, this feature allows you to redact email and phone from these records while still allowing access to important information like office location, title, web-references, org charts, and employment/education history.

Add-On Options

Compliance API: By referencing ZoomInfo’s database, the Compliance API helps you identify records of individuals who have opted out, boosting your confidence that you have fully honored the individual’s request.

For more information about ZoomInfo’s privacy compliance practices, visit our Privacy Center.

Please note that the above is for informational purposes only. ZoomInfo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of U.S. or international laws, rules, or regulations. To understand how the GDPR, marketing laws, or any other laws impact you or your business, you should seek independent advice from qualified legal counsel.