In recent years, B-to-B GDPR services, particularly SaaS, have developed very significantly. These companies provide a service on behalf of other companies. This may take the form of a tool for employees (HR management, various services such as concierge services, etc.) or for managing prospects and clients (CRM, bot, client service, etc.).
Other companies are at risk when it comes to GDPR BtoB. For example, digital agencies that process personal data from their clients' websites and campaigns.
Contrary to popular belief, B2B players are in fact the first to comply, compared to B2C players. In fact, the CNIL (National Commission for Information Technology and Civil Liberties) risk is less significant, since the processing of personal data is generally less massive (except for services aimed at the general public). But the business risk is greater.
Indeed, it's no longer possible to win a contract with a large or mid-sized group without providing proof of GDPR BtoB compliance. Companies are frequently audited by their clients on this GDPR BtoB subject, and must therefore keep their compliance up to date as their tools and services evolve.
B2C players are not to be outdone, but we note that the trigger comes later, once a certain e-commerce flow is reached. B2C compliance is also on the rise, as end-consumers become increasingly aware of their rights with regard to personal data. More and more requests are being made to "unsubscribe" or even to access data. There are even platforms to automate this, and it's very simple to lodge a GDPR BtoB complaint with the CNIL (National Commission for Information Technology and Civil Liberties).
FlexTeam is an HR company whose main mission is to facilitate HR management and enable organizations to strengthen collaboration by effectively managing their hybrid organization of face-to-face, flex-office and remote work.
It's a tool that offers greater flexibility and simplicity, allowing employees to choose where they want to work, while still being able to change their minds at any time. What's more, it provides data control and easy HR management.
FlexTeam offers a wide range of services, including:
For employees:
For managers:
For the office manager:
What's more, FlexTeam integrates with other well-known tools such as Outlook, Teams, Google Calendar, Windows and others.
FlexTeam, through its service, processes the personal data of its clients' employees. In fact, it processes a great deal of personal data, enabling its clients to generate remote-working and office-space reports, as well as digitizing their charters. Changes are automatically applied to all company employees.
This falls under GDPR compliance, which is why FlexTeam chose Dipeeo as its outsourced DPO to handle all its BtoB GDPR matters.
Livementor is a company specialized in providing training for start-up employees. Today, they have supported over 14,000 projects. For them, "entrepreneurship means following a method". And that's exactly what they offer.
To take a training course at Livementor, you must register and provide personal data. As a result, Livementor must be GDPR BtoB compliant. One of the biggest risks is the leakage of personal data on their platform available from the web.
Skaly is a sales prospecting tool whose main objective is to find and contact the right person at the right time with the right message. To achieve this, Skaly cleans its clients' databases and enriches their prospects' e-mails and telephone numbers. As a result, users of this tool can collect data from LinkedIn and download files, while having enriched databases that make it easier to turn business opportunities into sales.
Here again, and as you have understood, Skaly processes personal data, and must comply with GDPR.
Before we even start talking about emailing, we need to define the concepts. In other words, you need to know what opt-in and opt-out are, and the difference between B2B and B2C commercial prospecting.
When it comes to sales prospecting, there's a big difference between the B2B and B2C sectors. In B2B, opt-in is not compulsory as long as you are addressing people who are likely to be interested in the product/service you are offering. On the other hand, opt-out remains mandatory.
Opt-in, as the name suggests, is a principle that requires all prospects to give their prior, explicit consent for a company to contact them through direct marketing. Opting out, on the other hand, means giving the prospect the opportunity to withdraw his or her consent to be contacted, and in particular to unsubscribe.
Speaking of these two principles, it's important to note the difference between their application in the B2B and B2C sectors. In this respect, please note that opt-in does not apply to all categories of commercial prospecting. It is therefore necessary to distinguish not only between B2B and B2C prospecting, but also the type of prospecting used (e.g. SMS, email, telephone and post).
As already mentioned, in the B2B sector, if you're selling fridges, it's imperative that you approach companies that are likely to have an interest in fridges. If you don't, you're not compliant, and what's more, it will be pointless and damaging to your reputation.
By respecting this condition, you'll be able to collect information, whether from LinkedIn or elsewhere, in order to get more and more prospects, and send them prospecting e-mails. On the other hand, in doing so, compliance with the opt-out remains mandatory in both BtoC and BtoB, so you'll need to set up an unsubscribe button for prospects you've contacted for purely commercial purposes.
In BtoC, to be GDPR compliant, you are not allowed to keep your prospects' personal data forever under certain conditions. In BtoB, on the other hand, there is no specific limit to keeping your prospects' personal data.
In BtoB, however, there is neither prior consent to use an e-mail address for prospecting, nor any precise limit on data retention, given the absence of opt-in. In other words, unlike BtoC, BtoB is a more open sector when it comes to commercial prospecting. You don't need your prospects' consent before you can send them prospecting e-mails, so there's no opt-in principle. What's more, you can keep your prospects' data indefinitely after contacting them, unless they ask you to opt out.
For further details, please consult our article which covers the subject in detail.
In legal terms, and in accordance with the General Data Protection Regulation (GDPR), a processor is an organization that processes personal data on behalf of another (the data controller). In other words, you, as the data controller, are concerned whenever you choose to subcontract the processing and management of your data to other organizations (private or public) which will, in this case, be considered your processors.
In this regard, the GDPR has set up a management process that involves any company or organization that contributes in any way to the processing of personal data, including processors. The processors are here to help you with the GDPR BtoB and BtoC compliance process.
For a better understanding, here's a simpler example cited by the CNIL (National Commission for Information Technology and Civil Liberties): if you are an organization that decides to entrust IT maintenance to a company X, this company will be your processor.
For further details, see the article from the CNIL (National Commission for Information Technology and Civil Liberties) on this subject.
Whether you are a processor or a data controller, you risk sanctions from the CNIL (National Commission for Information Technology and Civil Liberties) for a lack of knowledge of the GDPR BtoB provisions.
Indeed, when a processor is not GDPR compliant, it may receive complaints from prospects, clients or even competitors. Complaints are frequently followed by an inspection by the CNIL (National Commission for Information Technology and Civil Liberties).
What's more, in addition to CNIL (National Commission for Information Technology and Civil Liberties) control and the sanctions that can be linked to it, not being GDPR compliant particularly affects the "business" side. Indeed, although the risk of being audited by the CNIL (National Commission for Information Technology and Civil Liberties) remains reduced, the latter requires organizations to only work with companies that are GDPR compliant. In this way, their personal data will be better secured.
If you're not GDPR compliant, you simply risk losing clients, and worse than that, your prospects may go elsewhere. This is a real obstacle to growing your business.
A processor is obliged to keep a register of the various processing operations carried out on behalf of the controller. It must therefore set an example of transparency and traceability, which means the data controller's instructions must be set down in writing.
In addition, all processors must take into account the various principles of personal data protection, right from the design stage. Furthermore, a processor must be capable of ensuring the security of the personal data it processes.
As regards public contracts that are concluded with processors, they must implement certain mandatory clauses that are set out in Article 28 GDPR.
In addition to all this, a processor has certain obligations, in particular towards the data controller, which must be respected to the letter. First of all, a processor is obliged to process data only for the single purpose for which the data is processed. Secondly, data must be processed in accordance with documented instructions issued by the data controller, as already mentioned. If a processor considers an instruction to be a breach of the General Data Protection Regulation, it must imperatively inform the controller.
It goes without saying that the confidentiality of personal data processed must be guaranteed.
If you're a processor, you'll probably be audited by your clients. Remember that the CNIL (National Commission for Information Technology and Civil Liberties) requires companies to only work with organizations that are already GDPR compliant.
Your prospects will then check whether or not you comply with the GDPR, most likely before they even become your clients. A GDPR audit can be carried out by an internal or external DPO (such as Dipeeo).
You'll therefore be asked a few dozen questions, and you'll need to provide all the documents justifying your GDPR compliance. This procedure will prove that you are capable of ensuring the security of the personal data you are going to process on behalf of your data controller.