Merit’s guidance to B2B organisations on becoming GDPR compliant

13th February 2017

The UK government has confirmed that the new EU General Data Protection Regulation (GDPR) will be enforced, in full, by the UK’s Information Commissioner’s Office. In other words, the UK is ‘copying’ the EU regulation and it is most likely that GDPR will continue to be enforced in the UK, as it currently stands, even after Brexit.

Most organisations now have a dedicated GDPR Compliance Project underway to be ready for the deadline of 25 May 2018, when the new regulations will start being enforced.

There is still uncertainty about how some elements of GDPR compliance need to be applied, especially in ‘business-to-business’ (B2B) organisations. The ePrivacy Directive, the current UK transposition of which permits B2B email marketing on an opt-out basis, is also changing. The draft of the new text has retained the opt-out clause, but it remains to be seen how this will be incorporated into UK law. We anticipate the B2B opt-out for electronic mail marketing to be retained.

Merit takes its data processing responsibilities seriously, and have already implemented many of the controls required by GDPR, including assisting the Data Controller with their obligations through transparency of our operations. We are committed to helping our clients, who act as data controllers, comply with the law. We therefore strongly recommend that all organisations we work with do the following as soon as possible – as the very first steps in ensuring GDPR compliance is possible:

  1. Launch a GDPR Compliance Project, headed by a senior executive in your organisation
  2. So that you can be confident you have analysed and recorded how all customer or prospect data is captured and managed within your organisation, conduct a detailed audit of the following 2 areas and ensure a full report is created with this information:
    • a. Customer and prospect data storage and management systems and processes
    • b. Customer and prospects data capture points and workflows
  3. If you don’t already have a reputable and reliable database management system (DMS) or customer relationship management (CRM) system in place where all your data is stored centrally, implement one as soon as possible and ensure that:
    • a. All your customer and prospect data is stored in this system (and ideally not in any other systems or spreadsheets, unless these are fully integrated with the central database)
    • b. All your employees and relevant partners use this system to store, access and update records, and that they are all fully aware of their obligations with regard to keeping this data secure within the organisation
  4. Ensure that for all the contacts you store in your database or CRM, and all data points pertaining to these contacts are relevant to your relationship, or possible future relationship with that individual. It may therefore be necessary to clean and append all the contact records you have to ensure the individuals you wish to engage with will find your products and services relevant. If there is no relevancy, then we strongly recommend you remove these contacts from your database.
  5. If you have not already done so, ensure all your communications with your prospects and customers has a clear and easy ‘opt out’ mechanism, ensuring they can, at any time, opt out from a relationship with you, communications from you (by channels) and/or you holding/storing their data.
  6. Make allowance in your budgeting process to appoint a dedicated Data Protection Officer (DPO) by the end of 2017. Not every organisation will require a DPO, and specific guidance is yet to be published on which organisations will require a dedicated and full time DPO. But it may be most prudent to set aside the required funds for this appointment.
  7. The Information Commissioner’s Office publishes all the relevant information and updates on their website: We strongly recommend you visit this website regularly for updates so that you can receive news of announcements on specific areas of GDPR as information becomes available about how the various clauses within the legislation will be applied and enforced, particularly in relation to B2B organisations.

In addition to taking all the steps above, we strongly recommend you consult a specialist to review your compliance position and risk around GDPR. Like all compliance issues, organisations need to assess their prosecution and reputational risk by defining and implementing a strategy to ensure they minimise this risk, or at least take on a level of risk with which they are comfortable.

It is not for Merit to advise you on these legal and risk management matters, so we have compiled a list of specialists and law firms you may wish to approach to advise and support you accordingly*. Demand for these types of services will be very high over the coming months, and we strongly recommend you ensure the specialist individual or team you chose for initial and ongoing support has the necessary knowledge of your B2B business model, as well as understands the differences between how GDPR will apply to B2B versus B2C organisations.

Company Name Website Address
Allen & Overy
DLA Piper
Farrer & Co
iCompli (Merit Partner)
Taylor Wessing


*Please note: Apart from iCompli, who are a Merit partner, Merit is not in a position to specifically recommend an advisory service or law firm and the list provided is listed alphabetically, and in no specific order of preference or priority. There are many more law firms and advisory services that provide the relevant support in this area, so we recommend you make independent investigations as to which one best meets your requirements.

If you wish to discuss this statement with anyone from Merit, please contact us:
Tel: +44 (0)845 226 0631

Download PDF

I have read and understood Merit's privacy policy.

[dynamictext post_id "CF7_get_post_var key='ID'"]

We look forward to hearing from you.