The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. Yes, it applies to B2B cold email — but not in the way most people think.
€20 million maximum penalty or 4% of global annual revenue (Source: GDPR Article 83)
of B2B marketers use legitimate interest as legal basis (Source: DMA Research 2024)
The key insight:
GDPR doesn't ban cold email. It requires a legal basis for processing personal data — and "legitimate interest" is a valid basis for B2B outreach.
Does GDPR Apply to B2B?
Yes — whenever you process personal data of individuals. In B2B context:
GDPR Applies To:
- Named individuals at companies (john.smith@company.com)
- Personal work email addresses
- Direct phone numbers
- Any identifiable individual data
GDPR May Not Apply To:
- Generic addresses (info@company.com)
- Company-only data (no individual)
- Main business phone lines
- Pure B2B transactions (no personal data)
Two Legal Bases for Cold Outreach
1. Explicit Consent
The individual actively opted in to receive your communications.
- Highest legal certainty
- Must be freely given, specific, informed
- Can be withdrawn at any time
- Not practical for cold outreach
2. Legitimate Interest
Your business interest in reaching prospects, balanced against their privacy rights.
- Valid for B2B marketing
- Requires documented assessment
- Must balance interests
- The practical path for cold email
Legitimate Interest Assessment (LIA)
To use legitimate interest as your legal basis, you must document a three-part assessment:
Purpose Test
What is the legitimate interest you're pursuing? For B2B marketing: "Reaching potential customers who may benefit from our services."
Necessity Test
Is the processing necessary for that purpose? Could you achieve the same goal with less data or in a less intrusive way?
Balancing Test
Do the individual's rights and freedoms override your legitimate interest? Consider impact, expectations, and vulnerability.
Documentation is critical:
You must document your LIA before starting outreach. If challenged, "we thought about it" isn't sufficient — you need written records.
What Makes Cold Email "Legitimate"
Do This
- Email relevant to recipient's professional role
- Targeted outreach (not mass blasts)
- Clear business purpose that benefits recipient
- Easy, working opt-out mechanism
- Minimal data collection (only what's needed)
- Clear explanation of how data was obtained
Avoid This
- Mass generic emails to purchased lists
- Targeting personal life from work data
- Making opt-out difficult or confusing
- Continuing after opt-out request
- Collecting excessive data 'just in case'
- Sharing data without legal basis
Required Email Elements
Every cold email under GDPR should include:
- Clear sender identification: who you are and what company you represent
- How data was obtained: "I found you on LinkedIn" or "Your company is listed in [source]"
- Purpose statement: why you're reaching out
- Easy opt-out mechanism: a clear way to stop receiving emails
Data Handling Requirements
Data Minimization
Only collect what you need. Email and name? Fine. Collecting birthday and home address for B2B outreach? Unjustifiable.
Storage Limitation
Don't keep data forever. 12-24 months for inactive prospects is typical. After that, delete or anonymize.
Security Measures
Protect the data appropriately. Encrypted storage, access controls, breach notification procedures.
Data Subject Rights
Be prepared to honor access, deletion, and correction requests within 30 days.
Penalties: €20 Million or 4% Revenue
- €20M: maximum penalty for violations
- 4%: of global annual revenue (whichever is higher)
Real Enforcement Examples:
- €27.8 million: Italian DPA fine for aggressive marketing (2023)
- €20 million: British Airways data breach fine
- €746 million: Amazon GDPR fine (largest to date)
UK Post-Brexit: GDPR + PECR
The UK retained GDPR as "UK GDPR" after Brexit, with some modifications. For B2B email:
- UK GDPR: substantially similar to EU GDPR
- PECR: Privacy and Electronic Communications Regulations (additional rules)
- B2B "soft opt-in": corporate emails have more flexibility under PECR
- ICO enforcement: the Information Commissioner's Office handles UK complaints
GDPR Compliance Checklist for MSPs
- Legal basis identified (consent or legitimate interest)
- Legitimate Interest Assessment documented
- Email content relevant to recipient's business role
- Clear sender identification included
- Data source disclosed (where you found them)
- Purpose of outreach explained
- Easy opt-out mechanism provided
- Data minimization applied (only necessary data)
- Data retention policy in place (12-24 months)
- Security measures implemented
- Process for handling data subject requests
- Records of processing activities maintained
Legal Disclaimer
This content is provided for educational purposes only and does not constitute legal advice. Regulations vary by jurisdiction and change frequently. We strongly recommend consulting with a qualified attorney or compliance professional regarding your specific situation before implementing any outreach program. Pipeline Engine is designed with compliance in mind, but ultimate responsibility for legal compliance remains with the business.
