UK B2B Data Regulations Update, H2 2019

Lady Justice statue holding balancing scale to symbolise the law

Firmly into the second half of 2019, and over a year since the implementation of GDPR, B2B marketers in the UK find themselves at an interesting juncture. 

Economic uncertainty caused by Brexit, combined with ambiguity surrounding the EU’s next legislative foray - the ePrivacy Regulation - could leave even the most stoic of marketers feeling a little uneasy. Add to this the fact that the ICO is beginning to bare its teeth, handing out fines worth hundreds of millions of pounds to businesses.

It may come as a surprise to many, that in the B2B data industry, many providers don’t appear to have adapted their data collection and supply methods, which could leave marketers with real exposure. With that in mind, it’s never been more important to understand the regulations, and conduct proper due diligence. We thought we’d take the opportunity to have a look at the B2B data landscape, recap the basics, and examine some of the likely legislative outcomes, so you can stay compliant.

The Rules

Firstly, a quick recap of the prevailing law affecting marketing activity in the UK right now, which falls into two main categories;

1. Privacy

The basis upon which an organisation may communicate with individuals - these regulations govern citizens’ right not to be disturbed or monitored. Currently the EU’s 2002 ePrivacy Directive (amended 2009) is the prevailing law. To comply with this, the UK government implemented The Privacy and Electronic Communications (EC Directive) Regulations 2003 - more commonly known as PECR.

2. Data Protection

The basis upon which an organisation may collect, store, and process a person’s data. Here, the EU’s GDPR applies directly as written.

For marketing, both pieces of legislation are pertinent. As it stands, PECR allows marketers to send marketing messages to business people, provided that they have consent, or are able to justify processing data on the basis of Legitimate Interest (as defined by the GDPR). In today’s privacy-first environment, unsolicited emails are becoming less prevalent, but they still play an important part of the marketing mix. 

There are, of course, plenty of ways to build your B2B marketing database, including trade shows, working with your sales team, and asking for consent as part of telemarketing activity. Of course, you can licence lists from legitimate data services suppliers who maintain compliant repositories.

In all cases, it’s essential that certain criteria are met, including;

  • That the recipient would find messages relevant

  • The recipient is given an easy way to opt out

  • The cadence is reasonable

  • The communication is lawful in the recipients’ EU member states own interpretation of the 2002 EU ePrivacy Directive.


As we’ve already mentioned, the UK ICO has handed out some hefty fines in the last few weeks, but it should be noted that none represent the maximum 4% of global turnover allowed by the GDPR. Industry commentators have long predicted that the ICO would focus on major organisations to make examples of - and few come bigger than the likes of British Airways or Marriott hotels, both of which suffered notable data breaches.

The ICO has certainly established itself as a credible regulatory body, but is seemingly not out to prove a point to all organisations. Other notable enforcement action it has taken has usually been to deal with negligence or deliberate breach of the law, and penalties have been much lower.

The organisation is seemingly well aware that a nudge in the right direction is often the best course of action, especially after its recent admission that its own website wasn’t complying with privacy regulations. To quote Franklin D. Roosevelt, “speak softly, and carry a big stick”.

ePrivacy Reform

Initially, the EU had hoped that a new ePrivacy Regulation (ePR) would be ready for implementation at the same time as GDPR, but the Council of the EU didn’t reach agreement in time for that to happen. Essentially, this is still the case. Most recently, the EU council met in June, and briefly discussed the ePR, but no significant progress was made - there are still many issues that’ll require clarification.

For B2B marketers, the standout revelation of the draft text was that it makes no distinction between B2B and B2C communications. Without clarification, this would likely outlaw “cold” contact - the process of gathering (or deducing) individuals’ contact information, before sending them unsolicited marketing messages. Such communication would require consent from the recipient, as is already the case in B2C marketing.

It’s important to note that the implementation of the GDPR has already brought about some changes to PECR, even though PECR itself hasn't (yet) changed. This particularly concerns various definitions, most notably that of Consent. This new definition means that often, where consent had been gathered using (what would now be considered) non-compliant means, that data can no longer be processed for marketing purposes.

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Article 4 (11), GDPR


The ePR was being progressed as part of the Romanian Presidency of the Council of the EU. In accordance with EU rules, that presidency came to an end in June, so the new president state is Finland. It isn’t clear how much of a priority ePrivacy is for Finland. Additionally, having recently selected a new president, the EU parliament is due to appoint a new European Commission - which doesn’t sit until November 2019. 

The bottom line is that we don’t have a timeline. That said, at this point, it’s highly unlikely that the regulation (in whatever form it finally takes) will be adopted before at least 2021. Thereafter, there may also be an implementation period similar to the introduction of the GDPR, though where GDPR required wholesale reconsideration of Data Protection practices for all organisations, the ePR changes are likely to be easier to accommodate - so may phase in more quickly.


An update to the UK’s 1998 data protection laws was always going to be essential, and GDPR does a pretty good job of reshaping how organisations approach personal data. Hardly surprising then, that the UK government has already committed to transposing the GDPR into UK law, come what may.

Whether the UK does leave the EU or not, it’s highly likely that our privacy laws will be equivalent, if not identical. This for a number of reasons, but primarily because of the fact that any UK organisations wishing to sell products or services in the EU would need to comply fully with the GDPR in order to do so. For future trade agreements, the EU, in relation to its own citizens, has the power to determine that a 3rd party country’s data laws have “Adequacy”, but such a determination would only be possible where UK law is deemed the same, or stronger than EU law.

So what now?

Don’t panic! In all likelihood, very little will change in the next few years. Thereafter, it’s certainly a significant risk that cold B2B email, and maybe more will no longer be possible. To mitigate this risk, we suggest adjusting your marketing strategy. 

  • Look for legitimate data partners who can offer B2B data that suits your business needs, and is demonstrably lawful. Don’t cut corners - be demanding when assessing their compliance, it really matters - you are liable for messages you send.

  • Build out your inbound marketing capabilities - develop your content assets, build your social capabilities, ensure you’re gathering consent for ongoing contact.

  • Consider your other outbound marketing options – direct mail, telemarketing, even marketing using non-personal data, there's a whole world out there!

Named after GDPR, which is Regulation (EU) 2016/679, Dept679 works to encourage organisations to respect data subjects and protect personal data, but not compromise their core operations. Dept679 has been shaped by business people with experience of running organisations across the globe. It puts the success of the client organisation right at the front of it’s thinking.

Many years experience of running businesses is combined with formal management qualifications including MBA’s and Diploma’s in Company Direction. Specialist expertise in the field of information security is provided by CIS Lead Implementers, Lead Auditors, and Certified GDPR Practitioners. The approach has been designed to minimise the effort required by your organisation, whilst providing excellent personal data protection advice, so protecting the rights and freedoms of data subjects. To find out more, visit

The information and opinions contained within this article are not legal or professional advice and may contain errors, omissions or incorrect statements. The article is for information purposes only, and should not be relied upon in place of appropriate legal advice or as the basis for business decisions. Corpdata and Bizibl Group accepts no responsibility or liability for any loss or damage which may arise from such reliance. Where external sources are referenced, Bizibl Group is not responsible for the content of any external resources and makes no assertions as to their reliability, validity, correctness or lawfulness. No mention of any entity or individual herein, shall imply any approval or warranty of or by the same.

Want more like this?

Want more like this?

Insight delivered to your inbox

Keep up to date with our free email. Hand picked whitepapers and posts from our blog, as well as exclusive videos and webinar invitations keep our Users one step ahead.

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy

side image splash

By clicking 'SIGN UP', you agree to our Terms of Use and Privacy Policy