Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business mainly sells to other businesses, it’s easy to assume GDPR is more of a “B2C thing”. After all, you’re dealing with companies, not consumers… right?
The catch is that GDPR doesn’t just protect customers. It protects people. And B2B activity almost always involves personal data about people inside those businesses (like named contacts, email addresses, work phone numbers, meeting notes, and even IP addresses).
So if you’ve been searching for guidance on GDPR for business-to-business activity, you’re not alone. Many small businesses want to do the right thing, but aren’t sure what actually applies in a B2B setting.
Below we’ll walk through what GDPR means for UK B2B businesses in practical terms, what you need to put in place, and the common traps that can catch growing teams off guard.
Does GDPR Apply To B2B Businesses In The UK?
Yes, GDPR can apply to B2B businesses in the UK.
In the UK, the main data protection framework is the UK GDPR (the UK version of the General Data Protection Regulation) and the Data Protection Act 2018. These rules apply when your business processes personal data.
Key point: GDPR doesn’t only apply when you’re dealing with consumers. It applies whenever you’re processing personal data, including in business-to-business relationships.
What Counts As Personal Data In A B2B Context?
Personal data is any information that relates to an identified or identifiable individual. In B2B, that often includes:
- Named contacts at client or supplier organisations
- Work email addresses (e.g. firstname.lastname@company.co.uk)
- Direct phone numbers (including work mobiles)
- Meeting notes that reference individuals
- Job titles when combined with a name or contact details
- IP addresses or device identifiers (common with website analytics)
Even where you’re “selling to a business”, you’re typically communicating with a person acting on behalf of that business.
What About Generic Company Emails?
Emails like info@, accounts@ or sales@ may not identify an individual on their own, so they may fall outside GDPR.
But in practice, many B2B databases contain both general and personal contacts. It’s safest to assume GDPR applies unless you’re genuinely only handling non-personal business contact details.
What Personal Data Do B2B Businesses Usually Handle (And Where Does It Sit)?
Understanding what data you hold (and where) is the first real step towards GDPR compliance in a business-to-business environment.
Most small businesses collect personal data across more places than they realise, especially as they scale. Common examples include:
- CRM systems (sales pipelines, contact histories, follow-up notes)
- Inboxes (supplier negotiations, customer support threads, contract discussions)
- Spreadsheets (marketing lists, leads, event attendees)
- Accounting tools (billing contacts, payment references)
- Proposals and contracts (named signatories, operational contacts)
- Web forms (demo requests, contact forms, newsletter sign-ups)
- Website analytics (IP addresses, cookie identifiers)
On top of that, many B2B businesses use collaboration tools, cloud storage, and shared drives, which can lead to data being duplicated or stored longer than necessary.
A Simple “Map Your Data” Checklist
If you want a practical way to start, ask:
- What personal data do we collect (names, emails, phone numbers, notes, IDs)?
- Why do we collect it (sales, delivery, support, invoicing, compliance)?
- Where do we store it (CRM, email, cloud drives, internal systems)?
- Who has access to it (sales, support, contractors, third-party providers)?
- How long do we keep it (and do we actually need it for that long)?
This exercise makes it much easier to draft policies and contracts that reflect what you’re actually doing (rather than what you think you’re doing).
Your Core GDPR Obligations As A B2B Business
Once you accept that GDPR applies to business-to-business activity, the question becomes: what do you actually need to do?
For most SMEs, GDPR compliance isn’t about building a huge legal program. It’s about putting in place sensible, repeatable privacy practices that match your operations.
1. Have A Lawful Basis For Processing B2B Personal Data
Under UK GDPR, you need a lawful basis for processing personal data. In a B2B context, the most common lawful bases are:
- Contract – where processing is needed to provide your services (e.g. sending updates to a named operations contact)
- Legitimate interests – often used for B2B sales, relationship management, and basic marketing (but you need to assess and balance interests)
- Legal obligation – for record-keeping, compliance, tax and related obligations
- Consent – sometimes used, but often harder to manage properly in B2B
Legitimate interests can be very helpful for GDPR in a business-to-business setting, but you should treat it as a documented decision, not a default setting.
2. Give People The Right Privacy Information
If you collect personal data (even as part of B2B communications), you need to tell people what you’re doing with it.
In practice, that usually means having a clear Privacy Policy that explains:
- what data you collect
- how you use it
- your lawful basis
- who you share it with
- how long you keep it
- the rights individuals have
- how people can contact you about privacy
If your website uses cookies or similar technologies, you may also need a Cookie Policy and a compliant cookie consent approach (what’s required depends on the types of cookies you use).
3. Keep Data Secure (And Limit Access Internally)
UK GDPR requires you to take appropriate technical and organisational measures to protect personal data.
For small businesses, that often means practical steps like:
- strong passwords and MFA on key tools
- limited access controls (only people who need the data get access)
- device security (screen locks, encryption where appropriate)
- secure sharing practices (avoid emailing spreadsheets of contacts unless necessary)
- staff training so people don’t accidentally mishandle data
If your team uses work devices (or personal devices for work), it helps to set clear internal rules about acceptable use and data handling. An Acceptable Use Policy can be a simple but powerful way to set expectations from day one.
4. Be Ready For Data Subject Rights Requests
Even in B2B, individuals can exercise GDPR rights (for example, asking for access to their data, asking you to correct it, or objecting to certain uses).
Most small businesses don’t get lots of requests, but you should still have a process for handling them quickly and consistently (especially if the request lands in a shared inbox and gets missed).
5. Only Keep Data As Long As You Need It
One common B2B habit is storing contact details forever “just in case”. That can be risky.
Set retention rules that match your reality. For example:
- active client contacts: retained for the duration of the relationship
- former clients: retained for a defined period for warranty/support/defence of claims
- prospect leads: retained for a limited time unless they stay engaged
The right retention period depends on your sector, sales cycle, and legal obligations, so it’s worth getting advice tailored to your business model.
B2B Marketing Under GDPR: Emails, Calls And LinkedIn Outreach
B2B marketing is where many small businesses get stuck, because you’re often balancing growth goals with privacy compliance.
The main thing to know is that GDPR is only part of the picture. You also need to consider ePrivacy rules, which in the UK are set out in the Privacy and Electronic Communications Regulations (PECR) and apply alongside UK GDPR to electronic marketing such as email and calls.
If your marketing involves phone calls, it’s worth sanity-checking how you handle personal data in those conversations and logs. Business calls can trigger GDPR issues if you’re recording calls, keeping detailed notes, or using call data for marketing.
Email Marketing In A B2B Setting
B2B email marketing often involves sending messages to named individuals at organisations (e.g. a Head of Ops or IT Manager). That’s personal data, so you need a lawful basis for processing, and you need to be transparent.
Common compliance steps include:
- only contacting people who are relevant to what you’re offering (avoid broad scraping)
- making it clear who you are and why you’re contacting them
- including a working unsubscribe option
- honouring opt-outs quickly across all systems (CRM, mailing lists, spreadsheets)
If you’re buying a B2B list, be careful. You’re still responsible for how personal data is sourced and used, and poor data hygiene can lead to reputational damage (and complaints).
LinkedIn And Direct Outreach
Direct outreach (including LinkedIn messages) can still be “processing personal data”. The same core principles apply:
- be fair and transparent
- keep outreach relevant and proportionate
- don’t over-collect data (for example, copying full profiles into your CRM without a clear need)
If you’re routinely copying data from online profiles into your systems, you should think carefully about your lawful basis and transparency obligations.
Web Scraping Leads: Is It Ever OK?
Some B2B businesses consider scraping business directories or websites to build lead lists. This can create GDPR and broader legal risk, depending on what you collect and how you use it. If this is part of your growth strategy, it’s worth checking the legal position first. Web scraping can raise both data protection and intellectual property issues.
Working With Suppliers And Clients: Controller Vs Processor (And The Contracts You’ll Need)
In a B2B world, you’re often handling personal data in collaboration with other organisations.
For example:
- you provide services to a client and access their customer database
- you outsource payroll, IT support, or marketing operations
- you use cloud providers to host client files containing personal data
These relationships usually involve “controller” and “processor” roles. Getting this right matters because it affects what you must do under GDPR and what must go in your contracts.
Controller Vs Processor (A Plain-English Explanation)
- Controller: decides why and how personal data is processed.
- Processor: processes personal data on behalf of a controller (following their instructions).
Sometimes you might be a controller for your own sales and HR data, but a processor when delivering services for a client.
Do You Need A Data Processing Agreement?
If you process personal data on behalf of another business (or they process data on your behalf), you’ll usually need GDPR-required clauses in place.
This is where a Data Processing Agreement (or a data processing schedule within your main contract) becomes important. It typically covers things like:
- what data is being processed and why
- security measures
- sub-processors (who else gets access)
- international transfers (if data leaves the UK)
- breach notification obligations
- returning or deleting data at the end of the contract
This is one of those areas where templates can be risky. The right drafting depends on what your business actually does and where the data flows.
Don’t Forget Your Internal GDPR “Toolkit”
GDPR compliance often isn’t one document. It’s a small set of aligned policies, contracts and processes that work together.
Depending on your business model, it can help to put together a single GDPR package that covers the core building blocks (privacy policy, data processing terms and internal policies) in one place.
That way, when a client asks “Are you GDPR compliant?” you have a clear answer and documents that match what you do in practice.
Common GDPR Mistakes B2B Businesses Make (And How To Avoid Them)
Most GDPR problems for small B2B businesses aren’t caused by bad intentions. They’re caused by growth happening faster than processes.
Here are a few common pitfalls we see:
Keeping Prospect Lists Forever
If someone downloaded a guide from your website three years ago and you’re still emailing them, you may struggle to justify that as fair and proportionate processing.
Fix: set clear retention periods for leads and inactive contacts, and build regular list-cleaning into your marketing routine.
Not Being Clear About Who Has Access
Shared inboxes, shared drives and “everyone has admin access” setups can quickly turn into a security and compliance risk.
Fix: apply access controls based on role, and make sure staff understand how to handle personal data.
Using AI Tools Without Thinking About Privacy
It can be tempting to paste emails, contracts or customer info into AI tools to summarise or draft replies. That may involve sharing personal data with third parties.
Fix: have clear internal rules and do a quick privacy risk check before adopting new tools. If your team is using AI regularly, it’s also worth asking whether AI tools are confidential in your specific context (often, the answer is “not by default”).
Assuming “B2B Means No Consent Needed”
GDPR doesn’t always require consent, but you still need a lawful basis and fair processing. And for electronic marketing, PECR can add extra rules.
Fix: document your lawful basis for marketing, keep outreach relevant, and make opt-out easy.
Key Takeaways
- GDPR applies to business-to-business activity whenever you process personal data about individuals (including business contacts).
- Common B2B personal data includes named contacts, work emails, direct phone numbers, meeting notes, and website identifiers like IP addresses.
- You should identify your lawful basis for processing (often contract or legitimate interests) and be ready to explain it.
- A clear Privacy Policy and an appropriate cookie approach help you meet transparency obligations, especially when you collect data via your website.
- Security isn’t just “IT stuff”: it also includes access controls, staff training, and sensible internal policies.
- If you share or process personal data with/for other businesses, you’ll often need GDPR-compliant contract terms like a Data Processing Agreement.
- B2B marketing can still raise GDPR (and PECR) issues, so it’s worth setting up your outreach and retention practices carefully from day one.
This article is general information only and not legal advice. If you’d like help getting your GDPR foundations right for your B2B business (whether that’s your privacy policy, data processing terms, or internal processes), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.