Infobel Pro Blog | B2B Data, Marketing & Sales, Tips, News

Understanding GDPR: What It Means for Companies Working with B2B Data

Written by Jagoda Myśliwiec | Apr 18, 2025 12:03:36 PM

GDPR Confuses (and Concerns) Businesses

GDPR is often the subject of intense discussions, legal audits, compliance checks, and even business-wide operational changes. For many companies — both big and small — it’s a source of confusion, fear, or uncertainty. What exactly does it cover? How strict is it? And how does it impact your day-to-day work with data?

Whether you're a sales team using contact data, a marketing department running outreach campaigns, or a data provider sourcing business records — GDPR applies. And non-compliance doesn’t just mean a slap on the wrist. The consequences can be severe, as shown by some of the biggest tech giants.

In this article, we break down GDPR in simple terms, focusing on what it means for companies working with B2B data. From understanding what’s regulated to learning from real-world fines, we’ll help you navigate compliance with clarity and confidence.

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It was adopted in 2016 and has applied since 25 May 2018. It protects the personal data of individuals in the EU, regardless of their citizenship, and it applies not only to organizations established in the EU but also to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour. GDPR regulates how companies collect, store, process, and share personal data, and gives individuals control over their own information.

Why is GDPR Important for Companies Working with Data?

GDPR isn’t just a legal formality; it's a critical framework that ensures transparency, accountability, and the ethical handling of personal data. For any company working with data — especially when it involves individuals' identities — compliance is not optional, it’s a legal obligation.

This matters particularly for businesses in the B2B space. Even if the data relates to professional contacts, such as work emails or job titles, it may still qualify as personal data under GDPR. That means sales teams using prospecting data, marketing departments running outreach campaigns, or even customer success teams managing client databases — all fall under GDPR’s scope.

Failing to comply doesn’t just put you at legal risk. It can lead to:
  • Hefty fines
  • Damage to your brand’s reputation
  • Loss of customer trust
  • Legal disputes and operational disruption

But more than that, respecting GDPR shows your business values transparency and responsibility — building stronger relationships with partners, clients, and the public.

What Data is Regulated by GDPR?

GDPR applies to any personal data — meaning any information that can identify a living individual, either directly or indirectly. This includes, but is not limited to:

  • Full names
  • Personal and professional email addresses
  • Phone numbers
  • IP addresses
  • Physical addresses
  • Job titles
  • Photos or video footage
  • Social media handles and profile data
  • Cookie identifiers and online behaviour
  • Location data
  • Financial information
  • National ID numbers
  • Health or biometric data (special category)
  • Company names when tied to a specific individual (e.g., sole proprietors or where a person’s name is part of the company name)

Even in a B2B context, if the data relates to or can identify a natural person, such as the address john.smith@infobel.com, it is protected under GDPR.

This means that any business using such data for outreach, lead generation, analytics, or profiling must comply with GDPR requirements.

B2B Data and GDPR: Yes, It’s Covered

One of the most common misconceptions is that B2B data falls outside the scope of GDPR. In reality, any business-related data that identifies a real person is protected under the regulation.

This includes:
  • Work email addresses like firstname.lastname@company.com
  • Direct office phone numbers tied to an individual
  • LinkedIn profiles or job roles connected to a specific person
  • Professional social handles and contact forms
  • CRM records that can be traced back to a living person

So yes — GDPR absolutely applies in B2B contexts.

For companies collecting, selling, or using this data, that means:

  • Having a lawful basis for processing (e.g., legitimate interest or consent)
  • Being transparent about how the data is sourced and used
  • Honoring individual rights, such as the right to opt out, request correction, or be forgotten

Failing to treat B2B data with the same level of care as consumer data can lead to the same legal risks and penalties.

What Happens If a Company Doesn’t Respect GDPR?

Failing to comply with GDPR is not just a legal risk — it’s a financial and reputational hazard. Non-compliant companies can face several consequences, including:

  • Heavy Fines
    GDPR imposes two levels of fines based on the severity of the violation:
    - Up to €10 million or 2% of global annual turnover, whichever is higher, for less severe infringements.
    - Up to €20 million or 4% of global annual turnover, whichever is higher, for more serious violations.

    Because the caps are a percentage of global turnover, fines against large companies can run to hundreds of millions of euros. For instance, Amazon was fined €746 million by Luxembourg's data protection authority in 2021 for unlawful processing of personal data for advertising purposes, one of the largest GDPR fines to date.
  • Public Investigations and Legal Battles
    GDPR violations often lead to official investigations by local Data Protection Authorities (DPAs), which can attract significant public attention and media coverage. This exposure can result in long-term legal battles, draining financial resources and damaging a company’s reputation.
  • Reputational Damage
    Perhaps even more devastating than the fines is the loss of consumer trust. When businesses fail to protect customer or employee data, they risk losing loyalty, which can take years to rebuild — if at all. High-profile cases highlighted how poor data protection practices can cause irreparable damage to a brand’s public image.
  • Operational Disruptions
    Non-compliance can also result in restrictions on how a company processes personal data, or even a complete suspension of data processing activities in severe cases. This can significantly disrupt operations, particularly for companies that rely heavily on data to drive their business.

The Most Common GDPR Mistakes Companies Make

GDPR compliance can be complex, and even well-intentioned companies can slip up in ways that lead to significant violations. Here are some of the most common mistakes companies make when handling personal data:

  • 1. Using Personal Data Without a Clear Legal Basis
    Under GDPR, companies must have a lawful basis to collect and process personal data. The six legal bases (Article 6) are:
    - Consent from the data subject
    - Contractual necessity (e.g., fulfilling an agreement)
    - Legal obligation (e.g., regulatory compliance)
    - Vital interests (e.g., medical emergencies)
    - Public task (e.g., government functions)
    - Legitimate interests (where the company's interests are not overridden by the individual's interests, rights, and freedoms; this balancing test should be documented)

    Example: A company collects email addresses from people at an industry event and starts sending them marketing material without having identified any lawful basis. Unless it can show consent or a documented legitimate interest, the processing is unlawful under GDPR from the first message.
  • 2. Sending Marketing Emails Without Proper Consent
    Marketing communications are regulated twice over. GDPR requires a lawful basis for processing the recipient's data and gives every recipient an absolute right to object to direct marketing (Article 21), so every message must carry an easy opt-out that is honored immediately. On top of that, the ePrivacy rules as implemented in each member state generally require prior consent for unsolicited marketing emails; the treatment of B2B and corporate addresses varies by country, so check the rules in the recipient's jurisdiction rather than assuming a blanket exemption.

    Example: A company sends promotional emails to individuals who never opted in, or keeps sending them after the individual has unsubscribed. Continued sending after an opt-out is a clear breach of the right to object and a frequent trigger for complaints and fines.
  • 3. Failing to Provide a Privacy Policy
    Every company that processes personal data must have a clear and accessible privacy policy that outlines how personal data is collected, used, stored, and shared. This policy should be readily available on websites and apps.

    Example: A business collects user data via its website but doesn’t provide clear, detailed information about how that data is used. If users don’t understand how their data is being handled, this is a direct violation of GDPR transparency requirements.
  • 4. Storing Data Longer Than Necessary
    GDPR requires companies to only retain personal data for as long as necessary to fulfill its purpose. Once the data is no longer needed, it must be deleted or anonymized.

    Example: A company retains customer data (such as purchase history) indefinitely, even after the customer has canceled their subscription or account. Keeping data unnecessarily long, especially without a valid reason, violates the principle of data minimization and storage limitation under GDPR.
  • 5. Inadequate Data Protection and Cybersecurity Practices
    One of the key principles of GDPR is ensuring that personal data is securely protected. Companies must implement adequate technical and organizational measures to prevent data breaches.

    Example: A business stores sensitive customer data on an unencrypted server that is vulnerable to hacking. If a data breach occurs, exposing personal information, this could result in serious legal consequences, including fines and reputational damage.
  • 6. Not Responding to Data Access or Deletion Requests in Time
    Individuals have the right to request access to their personal data and ask for it to be corrected or deleted under GDPR’s right to access and right to erasure (also known as the “right to be forgotten”).

    Example: A customer requests that a company delete their personal information, but the company does not respond within the required time frame: one month from receipt, extendable by up to two further months for complex or numerous requests, provided the individual is told about the extension within the first month. Failing to act on a data subject's request in time violates their GDPR rights and can lead to complaints and fines.

How Do Companies Get Fined for Not Respecting GDPR?

There are several ways a company can face fines for non-compliance with GDPR. Here’s a breakdown of how fines are typically triggered:
  • 1. Direct Complaints by Data Subjects
    Individuals (data subjects) have the right to lodge complaints with their local Data Protection Authority (DPA) if they believe their data is being misused or if their rights under GDPR are violated.

    Example: A consumer notices that a company is sending marketing materials without consent. They lodge a complaint with the relevant DPA, who investigates the company’s practices. If found in violation, the company could face fines.
  • 2. Investigations Opened by Data Protection Authorities
    DPAs can open investigations on their own initiative, including thematic audits of a sector or a practice, without waiting for a complaint. If a company is found to be non-compliant, the DPA can order changes to its processing and impose fines.

    Example: A company is audited by the French DPA, CNIL, which finds that it has not been obtaining explicit consent from users before collecting their data. The company may be fined as a result of the audit.
  • 3. Media Reports or Whistleblowers
    Sometimes, a company’s non-compliance is revealed through media coverage or whistleblowers. These external sources can trigger investigations by DPAs, leading to fines if violations are confirmed.

    Example: A whistleblower within a company leaks information about the company mishandling personal data, leading to an investigation by the DPA. If the investigation finds violations, fines may follow.
  • 4. Public Outcry or Investigations Triggered by Data Breaches
    Data breaches are one of the most common reasons for GDPR enforcement. A breach must be notified to the competent DPA within 72 hours of the company becoming aware of it unless it is unlikely to result in a risk to individuals (Article 33), and the affected individuals must be informed when the risk is high (Article 34); a late or missing notification is a sanctionable failure in itself. The company may then be fined if the investigation finds that the breach was due to negligence or insufficient security measures.

    Example: A major data breach occurs at a company due to weak cybersecurity measures. If the breach exposes the personal information of thousands of customers, the company may be fined for not properly safeguarding that data under GDPR’s security requirements.

3 High-Profile GDPR Cases

  • Uber – €290 Million Fine for Data Transfers
    The Dutch Data Protection Authority fined Uber for transferring European drivers' sensitive data to U.S. servers without proper safeguards, violating cross-border data transfer rules. This fine highlighted the importance of adhering to GDPR’s stringent rules on data protection during international transfers, especially when dealing with sensitive personal data.
  • Amazon – €746 Million Fine for Privacy Violations
    Luxembourg's data regulator, the CNPD, fined Amazon in 2021 for unlawful processing of personal data for advertising purposes. Despite Amazon's legal appeals, the Luxembourg court upheld the fine in 2025, underscoring that GDPR's provisions on lawful processing apply to consumer data regardless of the company's size. It remains one of the largest GDPR fines to date.
  • X (formerly Twitter) – Under Investigation for AI Training Data
    Ireland's Data Protection Commission (DPC) is investigating X over the use of EU users' public posts to train its AI model, Grok, without a valid lawful basis. The inquiry is a reminder that "publicly available" does not mean "freely reusable": using public data for AI training or other advanced processing still requires a lawful basis, transparency towards the people concerned, and respect for their right to object.

How to Stay GDPR Compliant

  • Understand Your Data: Know What You Collect and Why
    The first step in GDPR compliance is understanding the types of data you collect and why you need it. For example, if you're a marketing company collecting email addresses, you should know whether those emails are for transactional purposes or for marketing campaigns. If you're unsure of the purpose or need for specific data, it's essential to reassess why you're collecting it in the first place. Data minimization is a core principle of GDPR, meaning you should only collect data that is necessary for your operations.

    Example: A company collecting information about employees' personal phone numbers should ensure it's necessary for their work, rather than collecting this data out of convenience.
  • Have a Legal Basis: Rely on Legitimate Interest, Consent, or Contractual Need
    GDPR requires a valid legal basis for every processing activity: consent, contractual necessity, a legal obligation, vital interests, a public task, or legitimate interests. Legitimate interest is the basis most B2B prospecting relies on. It allows processing where the company has a real, specific interest, the processing is necessary for it, and that interest is not overridden by the individual's interests, rights, and freedoms. Document this balancing test (a legitimate interests assessment) before you start, and record which basis each activity uses.

    Example: A company running email marketing should either obtain clear consent or be able to show a documented legitimate interest that also satisfies the applicable e-marketing rules; otherwise it risks violating GDPR. A company processing personal data to provide customer support to a paying client will typically rely on contractual necessity.
  • Keep It Transparent: Update Privacy Policies and Inform Users Clearly
    Transparency is one of the core principles of GDPR. Your customers and users need to know what data you're collecting, how you're using it, and how long you're retaining it. Make sure your privacy policy is up to date and clearly communicates this information. Users should easily understand what rights they have, including how they can access, correct, or delete their data.

    Example: A SaaS company that stores client data for service provision must clearly explain in their privacy policy why and how long that data will be stored, how it will be used, and who has access to it. They should also ensure the language is simple and not overly technical, so users understand their rights.
  • Enable Data Subject Rights: Offer Access, Correction, and Deletion Options
    Under GDPR, individuals have specific rights over their data, such as the rights to access, rectify, and delete it, and to object to direct marketing. You must put mechanisms in place that let people exercise these rights easily, and you must be able to find every copy of a person's data (CRM, marketing tool, data warehouse, backups) to act on a request. Failing to honor a request can lead to penalties and loss of trust.

    Example: If a contact asks you to delete their record or to correct an inaccuracy in their profile, act promptly: the deadline is one month, extendable by two further months for complex requests if you tell the requester in time. Many businesses automate intake and fulfilment of these requests so the deadline is met consistently, and keep a suppression record so an opted-out contact is not re-added from the next purchased list.
  • Secure Your Systems: Protect Data Through Encryption and Secure Infrastructure
    Data security is a critical part of GDPR compliance. Businesses must implement appropriate technical and organizational measures to protect personal data from breaches, unauthorized access, and loss (Article 32). This includes encryption in transit and at rest, least-privilege access controls, logging of who accessed which records, and regular audits and penetration tests to find weaknesses before an attacker does.

    Example: If you store sensitive customer data, such as payment details or medical records, encrypt it at rest and use TLS for every transfer over the network, and keep the keys separate from the data (in a key management service, not on the same server). Encryption only helps if the keys stay out of the attacker's hands: when breached data was encrypted and the keys were not compromised, GDPR does not require you to notify the affected individuals (Article 34), whereas exposed plaintext means individual notifications, fines, and reputational damage.
  • Vet Your Data Sources: Make Sure B2B Data Providers Are Also Compliant
    If you use third-party data providers to source B2B data (such as contact details for prospecting or lead generation), make sure they are GDPR-compliant as well. Purchasing data does not absolve you from responsibility: as the controller of the data you use, you need to ensure the provider obtained it lawfully and has a lawful basis for sharing it. And because you did not collect the data from the individuals yourself, Article 14 requires you to inform them of who you are, where their data came from, and why you are processing it, within a reasonable period and at the latest within one month or at the first contact with them.

    Example: If you purchase a list of business contacts from a third-party provider, verify that the provider followed GDPR when collecting it: ask for their data protection policies, the lawful basis they rely on, the source of each record, and how they handle opt-outs and erasure requests, and have the provider's obligations written into the contract. If the provider did not follow the law, you can still be held liable for your own processing of that data.
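Two of the points above, deleting or anonymizing data once its retention period has passed and acting on erasure and objection requests, come down to the same routine. The following Python is an added example, not code from the original article or from Infobel. It assumes each contact record carries a documented processing purpose and a last-activity date, uses placeholder retention periods that are not legal advice, and keeps only a keyed token (HMAC-SHA256) of expired or erased contacts so that unique-contact analytics and a do-not-recontact suppression list survive without the person's identifiers.

```python
"""Added example (not from the Infobel article): a retention sweep plus
erasure-request handling for a B2B contact store.

Assumptions not stated on the page: each record carries a processing
purpose and a last-activity date; the retention periods below are
illustrative placeholders, not legal advice.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Illustrative retention periods per documented purpose (assumption).
RETENTION_DAYS = {
    "prospecting": 365,    # no engagement for a year: drop the contact
    "customer": 6 * 365,   # kept while a contractual/legal need remains
}

# Key for pseudonymising identifiers. It must be stored away from the
# analytics data (secret manager / KMS); hardcoded here only so the
# example runs offline.
PSEUDONYM_KEY = b"example-key-replace-with-secret-from-kms"


@dataclass
class Contact:
    id: int
    email: str
    full_name: str
    job_title: str
    purpose: str
    last_activity: date
    erasure_requested: bool = False


@dataclass
class AnalyticsRow:
    """What survives retention: a keyed token and the purpose, no direct
    identifiers, so unique-contact counts still work."""
    contact_token: str
    purpose: str


@dataclass
class SweepResult:
    kept: list = field(default_factory=list)
    analytics: list = field(default_factory=list)
    suppression: list = field(default_factory=list)  # tokens never to re-contact
    erased_ids: list = field(default_factory=list)


def pseudonym(identifier: str) -> str:
    """HMAC-SHA256 of the normalised identifier. A plain SHA-256 of an email
    is reversible by hashing candidate addresses; the key prevents that."""
    canon = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, canon, hashlib.sha256).hexdigest()


def is_expired(c: Contact, today: date) -> bool:
    limit = RETENTION_DAYS.get(c.purpose)
    if limit is None:
        # No documented purpose means no documented lawful basis: expire it.
        return True
    return today - c.last_activity > timedelta(days=limit)


def sweep(contacts, today: date) -> SweepResult:
    """Decide per record: erase on request, expire and pseudonymise, or keep."""
    r = SweepResult()
    for c in contacts:
        if c.erasure_requested:
            # Right to erasure: drop the record. Keep only a keyed token on
            # a suppression list so a later purchased list cannot quietly
            # re-add and re-contact the same person.
            r.suppression.append(pseudonym(c.email))
            r.erased_ids.append(c.id)
        elif is_expired(c, today):
            r.analytics.append(AnalyticsRow(pseudonym(c.email), c.purpose))
            r.erased_ids.append(c.id)
        else:
            r.kept.append(c)
    return r


def is_suppressed(email: str, suppression) -> bool:
    """Screen an incoming (e.g. purchased) contact against the suppression list."""
    return pseudonym(email) in set(suppression)


# Constructed sample data (not real contacts) and a fixed "today".
SAMPLE_TODAY = date(2025, 4, 18)
SAMPLE = [
    Contact(1, "alice@example.com", "Alice Adams", "CTO", "prospecting", date(2025, 3, 1)),
    Contact(2, "bob@example.com", "Bob Brown", "Buyer", "prospecting", date(2024, 1, 15)),
    Contact(3, "carol@example.com", "Carol Clark", "CFO", "customer", date(2020, 6, 1)),
    Contact(4, "dave@example.com", "Dave Davis", "VP Sales", "prospecting", date(2025, 4, 1), True),
    Contact(5, "erin@example.com", "Erin Evans", "Analyst", "legacy-import", date(2025, 4, 10)),
]

if __name__ == "__main__":
    res = sweep(SAMPLE, SAMPLE_TODAY)
    print("kept:", [c.id for c in res.kept], "erased:", res.erased_ids)
    print("re-import of Dave blocked:", is_suppressed("Dave@Example.com", res.suppression))
```

The suppression list is the design choice worth noting: an erased contact's email is not kept, but the keyed token lets the next purchased list be screened so the same person is not silently re-imported and re-contacted, which honors the objection instead of undermining the erasure. The HMAC key must live in a secret manager away from the analytics data; whoever holds the key can re-link the tokens, so treat the key with the same care as the personal data itself.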

Conclusions

GDPR compliance isn’t just a box to tick — it’s a fundamental part of doing business ethically in today’s data-driven world. As we've seen, it's not only small businesses that struggle with GDPR compliance; even the largest global corporations are facing investigations and record-breaking fines for non-compliance.

If you’re working with B2B data, particularly data related to individuals in the EU, it's essential to ensure your practices are fully compliant with GDPR regulations.

Find a fully GDPR-compliant B2B dataset here and rest assured that all the data you work with is 100% GDPR compliant.