What information to store. And what not to.

It won’t be long until the GDPR goes into effect. This law will set new requirements regarding the collection, storage and use of personal data that every organization will need to comply with. It will also require you to register what information you’re recording, and why. And that doesn’t just apply to B2C companies. B2B organizations will face the same requirements.

GDPR and B2B

Organizational data isn’t personal data

At first glance, it may seem like a B2B organization will be able to get out of these GDPR requirements. After all, organizational data isn’t personal data. You can indeed store an organization’s name, general phone number, info@ email address, etc. without any issues. You also don’t need to register why you store this data and for how long. But when company details that include information about an individual are involved, the requirements do apply.

What about corporate contacts?

When you link a business contact to an organization and store their (business) mobile number and direct email address, the GDPR applies. You don’t need to get special permission to store this data — provided that you have a good reason to store it, and that the information can’t impact a contact’s personal life. But the new law does require everything to be registered. Like any other organization, a B2B company will need to put down in writing the reason why this contact’s details will be stored, and for how long.

Make clear what the data you collect is used for

Any data you collect must not be used for purposes other than the one it was collected for. The reason why people are asked for certain information must be clear to them. There can’t be a situation where someone gives you his direct business email address in order to confirm an appointment, only for you to go on to also use that email address to delight him with your newsletter. If you’d like to do so, you’ll need to obtain explicit permission from your client. And when you request such permission, there must be no room whatsoever for any confusion about what it is that your client is giving permission for.

Prove that you’ve received permission

The new law requires you to obtain permission to be entitled to send someone (direct) mailings. The difference from the current situation is that the GDPR also requires you to register what specific details you collect for this purpose (which has to be limited to genuinely relevant data), and for how long. You also need to be able to prove that a person opted into your mailings. So you need to be able to show that your contact gave permission before you send him, for example, a newsletter.

Lots of records to keep?

The new law primarily means that you need to start registering and keeping track of many things. That also applies to B2B companies. So to avoid ending up tangled in red tape, it’s important to give some thought to what details you really need.