
GDPR, PECR and Business to Business Marketing

Tagged with GDPR HELP, GDPR ADVICE, GDPR, PECR, B2B
by Adam Brogden
in Blog

07-Oct-2019 11:37

GDPR and PECR:

GDPR applies whenever you collect, store, or process personal data. This means that GDPR applies to business data even if it relates to a person only indirectly, so it is important to ensure that GDPR principles are applied to the processing of all data. In addition, it is possible that personal [i.e. non-business] data could be processed inadvertently, resulting in a risk of complaints, investigations and enforcement action. This reinforces the need to apply GDPR principles across everything you do.

The relationship between PECR and GDPR can be confusing and is often the source of discussion. However, it is important to remember that both PECR and GDPR apply and should be considered jointly and separately. So, if you send electronic marketing you must comply with both PECR and the GDPR.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give data subjects specific privacy rights in relation to electronic communications. There are specific rules on:

  • Marketing calls, emails, texts and faxes

  • Cookies (and similar technologies)

  • Keeping communications services secure

  • Customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

To do this, PECR defines the types of electronic marketing that require the consent of the data subject. The main area of overlap between GDPR and PECR is where this consent is required: GDPR has strengthened the underlying definition of consent and defined how consent should be captured in order to be legitimate.

Analysis:

PECR in isolation – From a PECR perspective, consent for business to business marketing is not required. PECR relates to individuals [or unincorporated bodies]. B2B marketing to staff members of limited companies, public limited companies, incorporated partnerships, trusts and foundations, local authorities and government institutions is exempt from PECR, so B2B marketing companies are free to use legitimate interest as their legal basis for electronic marketing because PECR simply does not apply.

GDPR in isolation – Since GDPR still applies, it is vital to ensure that appropriate controls and processes are in place to meet GDPR requirements. Legitimate interest is often a valid approach but needs to be proven: targeted, carefully crafted offers, filtering of data to remove non-limited-company contacts, and a strong legitimate interest assessment can provide your answer. Legitimate interest can be a powerful lawful basis for some companies.

PECR and GDPR – Consent is not required by PECR to send B2B emails, and legitimate interest is a valid lawful basis for you to collect, store, and process the data.

ICO input:

The ICO provides useful information relating to PECR and GDPR. The ICO’s Digital Marketing Checklist is a good example of this.

Consider:

Is your company fundamentally GDPR compliant:

  1. Approach is exclusively B2B marketing

  2. Targeting and qualifying results in a high degree of accuracy and minimises risk of non-corporate contacts being collected

  3. Carefully crafted emails increase the response rate and also reduce the risk of complaints from recipients

  4. Legitimate interest assessment is strongly in favour of you and your clients

  5. SAR / Complaint / Breach handling functions

  6. Privacy policy meets GDPR requirements

  7. Opt-out on every communication meets PECR requirements

Controls:

In order to best protect yourself and your clients a number of controls must be in place:

  1. Status of controller / processor / joint-controller should be established

  2. GDPR documentation including DPIA, LI, Privacy policies etc… must be in place and reviewed regularly

  3. Client documentation should be in place (DPIA, LI etc…)

  4. A contract and detailed joint controller agreement should be in place between you and your clients

  5. Include a link to / access to an appropriate privacy policy on all email communication

  6. Opt-out option should be included in all communication

  7. SAR / Complaint / Breach policies should be established

Conclusion:

Check that your marketing approach is fundamentally GDPR and PECR compliant; by ensuring that appropriate processes and controls are followed, this approach minimises the risk of data protection issues. It is vital that mistakes / admin errors are avoided and that appropriate cyber security measures are in place.

Complaints from individuals are inevitable due to a lack of understanding by data subjects although the chance of enforcement action is negligible.

Reference Links:

ICO – PECR and GDPR: https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/

ICO – email marketing: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/

ICO – Digital Marketing Checklist: https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf

PECR – .GOV site: http://www.legislation.gov.uk/uksi/2003/2426/regulation/2/made

DMA – good PECR advice: https://dma.org.uk

Hope this helps!

Good luck all.