You’ve built a solid prospect list from LinkedIn, you’ve got an enrichment tool running, and your outbound sequence is ready to go. But one question keeps nagging at you: is all of this actually GDPR compliant?
It’s the question on every SDR, Growth Marketer, and Sales Ops professional’s mind in 2026. And understandably so — the legal grey areas around GDPR generate far more anxiety than actual risk, as long as you know the rules.
Here’s the good news: B2B prospecting is entirely legal under GDPR. You just need to operate within a clear framework. This guide covers exactly what you can do, what’s off-limits, and how to run a compliant prospecting operation without losing an ounce of effectiveness.
What is GDPR and why does it affect your B2B prospecting?
The General Data Protection Regulation (GDPR) came into force in May 2018. It governs the collection, processing, and storage of personal data belonging to EU residents — including in a professional context.
For sales and marketing teams, the question isn’t “does GDPR apply to my prospecting?” but rather “how do I prospect effectively within the framework it defines?”
GDPR applies as soon as you process data that can identify a specific individual: first name, last name, nominative email address, direct phone number. Even if that person is a professional you’re contacting in a strictly B2B context, the regulation applies the moment you handle their personal data.
The key takeaway from the start: GDPR doesn’t kill B2B prospecting. It sets the hygiene standards for doing it properly.
GDPR B2B vs B2C: fundamentally different rules
This is the distinction that creates the most confusion — and the most unnecessary fear. GDPR doesn’t treat B2C prospecting (targeting individual consumers) and B2B prospecting (targeting professionals) the same way.
B2C: opt-in is mandatory
If you’re targeting individual consumers, you cannot email them without explicit prior consent (opt-in). They must have actively checked a box, filled out a form, or agreed to receive your communications. No consent = no contact. Full stop.
B2B: opt-out is enough, under conditions
B2B prospecting operates on an opt-out basis. In plain terms: you can contact a professional without prior consent, as long as you give them a simple way to opt out of future communications.
Three cumulative conditions apply:
- Relevance: your offer must bear a reasonable connection to the prospect’s professional activity
- Transparency: you must indicate how you obtained their contact information
- Easy opt-out: an unsubscribe mechanism must be clearly visible in every communication
This more permissive B2B regime rests on the legal basis of legitimate interest (Article 6(1)(f) GDPR). We’ll unpack this in the next section.
Concrete example: Sarah, an SDR at a B2B SaaS company, can send a cold email to the Head of Procurement at a manufacturing firm to present her supply chain software — no opt-in required. She cannot, however, send that same email to a private individual without their prior consent.
Legitimate interest: the legal backbone of B2B prospecting
Legitimate interest is the legal foundation underpinning virtually all B2B commercial prospecting in Europe. GDPR allows personal data processing when it’s necessary for the legitimate interests pursued by the data controller — that is, your business.
For this legal basis to hold in a prospecting context, three conditions must be met:
- The interest must be real and documented: growing your client base through commercial outreach is a recognized legitimate interest
- Processing must be necessary: you need the data to achieve that objective
- Your interest must not override the prospect’s rights: if a prospect has no conceivable reason to be interested in your offer, the legitimate interest argument breaks down
In practice, this means your targeting needs to make sense. Sending a sequence about a finance SaaS to CFOs and Finance Directors = clearly relevant. Sending the same sequence to HR managers or marketing coordinators = much harder to justify.
The common sense rule: if a prospect could reasonably wonder why you’re contacting them, your legitimate interest is probably on shaky ground.
Which B2B data falls under GDPR?
There’s widespread confusion about what actually constitutes “personal data” in a B2B context. Here’s the distinction that matters in practice:
Generic data: outside GDPR scope
Generic company contact details that don’t identify a specific individual are not personal data under GDPR.
- info@company.com → not personal data
- sales@company.co.uk → not personal data
- Company main switchboard number → not personal data
- Company headquarters address → not personal data
Nominative data: subject to GDPR
The moment data allows you to identify a specific individual — even in a professional context — GDPR applies.
- j.smith@company.com → personal data
- jane.smith@startup.io → personal data
- Direct professional mobile number → personal data
- LinkedIn profile of an individual → personal data
The dividing line is clear: the nominative character of the data determines GDPR applicability — not the professional or B2B nature of the interaction.
Staying GDPR compliant in practice: 7 rules for sales teams
With the theory covered, here’s how to apply this in your day-to-day prospecting operations.
1. Tell prospects where you got their data
Your first contact must disclose where you sourced their information. This isn’t a footnote buried in the email — it’s a transparency obligation.
Recommended format in your outreach:
“I came across your profile on LinkedIn / I found your details on your company website / I saw you spoke at [event].”
2. Include a clear and systematic opt-out
Every B2B prospecting email must contain a simple, visible unsubscribe mechanism. Supervisory authorities like the UK’s ICO and France’s CNIL both require this link to be direct — one click, no extra steps.
As soon as a prospect unsubscribes, remove them from all your lists within 24 hours and maintain a suppression list to prevent re-contacting them via other channels.
3. Keep your messaging relevant
Your offer must bear a reasonable connection to the prospect’s professional role and activity. “Reasonable” is the operative word — you don’t need to guarantee interest, but you must avoid targeting that’s manifestly incoherent.
If you sell a B2B data enrichment tool, targeting Sales Ops managers, Growth Marketers, and SDRs is clearly relevant. Targeting yoga instructors or independent farmers — not so much.
4. Respect the 3-year retention limit
Both the ICO (UK) and CNIL (France) set a maximum retention period of 3 years from the last contact for prospecting data. After this window passes with no interaction, data must be deleted or anonymized.
Build an automatic purge process into your CRM or Google Sheets: any contact with no engagement (email open, reply, click) for 36+ months should exit your active database.
Example: Mark, Sales Ops at a lead gen agency, runs a quarterly database review. Any prospect with zero interaction in 36 months is automatically removed. Result: a cleaner list, better deliverability rates, and documented compliance.
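As an added example (not code from the article, nor from Derrick), here is a small Python hygiene pass that applies rule 2 (a permanent suppression list honoured before anything else) and rule 4 (the 3-year purge) to a constructed contact list, and also flags which addresses are nominative and therefore personal data. The generic role-mailbox set, the record fields and the sample contacts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Role mailboxes that identify a function, not a person. Heuristic list assumed
# for this example; extend it to match the generic addresses in your own data.
GENERIC_LOCAL_PARTS = {"info", "sales", "contact", "support", "hello", "office"}


@dataclass
class Contact:
    email: str
    last_engagement: Optional[date]  # last open / reply / click, None if never
    collected: date                  # when the record entered the database
    source: str                      # disclosed in the first email ("LinkedIn", ...)


def is_personal_data(email: str) -> bool:
    """Nominative address -> personal data under GDPR; generic role mailbox -> not."""
    local = email.split("@", 1)[0].lower()
    return local not in GENERIC_LOCAL_PARTS


def retention_cutoff(today: date) -> date:
    """Start of the 3-year window counted back from `today` (29 Feb falls back to 28 Feb)."""
    try:
        return today.replace(year=today.year - 3)
    except ValueError:
        return today.replace(year=today.year - 3, day=28)


def hygiene_pass(contacts: List[Contact], suppression: Set[str], today: date) -> Dict[str, List[str]]:
    """Sort contacts into active / purge / suppressed.

    suppression: lowercased addresses that opted out; never re-contacted on any channel.
    purge: no engagement (or, if never engaged, no collection) inside the last 3 years;
    these records are deleted or anonymised, which also removes stale addresses that bounce.
    """
    cutoff = retention_cutoff(today)
    result: Dict[str, List[str]] = {"active": [], "purge": [], "suppressed": []}
    for c in contacts:
        addr = c.email.lower()
        last_touch = c.last_engagement or c.collected
        if addr in suppression:
            result["suppressed"].append(addr)
        elif last_touch < cutoff:
            result["purge"].append(addr)
        else:
            result["active"].append(addr)
    return result


# Constructed sample records, not real prospects.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Contact("j.smith@company.com", date(2025, 11, 14), date(2024, 6, 1), "LinkedIn"),
    Contact("jane.smith@startup.io", date(2022, 9, 3), date(2021, 1, 10), "company website"),
    Contact("info@company.com", None, date(2020, 2, 2), "company website"),
    Contact("mark.lee@agency.co.uk", None, date(2025, 12, 1), "LinkedIn"),
]
SUPPRESSION = {"mark.lee@agency.co.uk"}
```

Run `hygiene_pass(SAMPLE, SUPPRESSION, TODAY)` quarterly (or on a schedule) and feed the "purge" bucket to your deletion or anonymisation step; the "suppressed" bucket must never reach a sending tool.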
5. Maintain a Record of Processing Activities (Article 30)
Every organization processing personal data must maintain a Record of Processing Activities (RoPA). This document lists all your data processing operations, specifying for each: the purpose, data categories, recipients, legal basis, and retention period.
You don’t submit this proactively to your supervisory authority — but it must be immediately available during an audit or inspection.
6. Sign a DPA with your enrichment tool providers
When you use a third-party tool to enrich prospect data (email finder, phone finder, LinkedIn scraper), you’re delegating part of the data processing. GDPR requires a Data Processing Agreement (DPA) — a contract that defines each party’s role and the data protection safeguards in place.
Verify that your enrichment tool offers a DPA before using it in production. Most reputable providers include it in their terms or make it available on request.
7. Keep your data fresh and accurate
An outdated database is both a GDPR risk and a performance problem. According to Salesforce research, CRM databases lose an average of 30% accuracy per year due to natural attrition — job changes, departures, company mergers.
Invalid emails generate hard bounces that damage your sender reputation. Regularly verifying your email lists and cleaning your prospect database are both GDPR best practices and deliverability wins.
GDPR and B2B data enrichment: what you need to know
Data enrichment is central to modern B2B prospecting. It also raises legitimate compliance questions. Here’s what applies.
What’s allowed
- Enriching from publicly available data (public LinkedIn profiles, company websites, public business registries): allowed, provided the purpose is B2B prospecting and you respect data subjects’ rights
- Using a third-party enrichment tool: allowed, as long as the provider is GDPR-compliant and a DPA is in place
- Purchasing or renting a B2B database: allowed, but you must verify that the vendor can demonstrate lawful collection practices
What’s prohibited (or high-risk)
- Enriching with data collected without a legal basis: the origin of data matters as much as its use
- Storing personal data indefinitely: the 3-year rule applies regardless of how the data was sourced
- Combining datasets for a new, undisclosed purpose: if you’re cross-referencing databases for a different purpose than the one originally communicated, you must inform the data subjects
Derrick’s Lead Email Finder and Phone Finder from LinkedIn work from publicly accessible data, which provides a solid legal basis for B2B enrichment — provided you still meet the transparency and opt-out obligations when using the enriched data in outreach.
GDPR and LinkedIn scraping: what’s actually allowed
LinkedIn is the number-one source of B2B data. But profile scraping raises legal questions worth addressing clearly.
What GDPR says about LinkedIn scraping
GDPR doesn’t prohibit collecting publicly available data for B2B prospecting purposes in principle. A public LinkedIn profile is, by definition, visible to anyone — the user has chosen to make that information accessible.
Collecting data from public LinkedIn profiles for B2B outreach is generally permissible under GDPR’s legitimate interest framework, provided you respect data subjects’ rights (opt-out, transparency, retention limits).
What LinkedIn’s Terms of Service say
LinkedIn prohibits scraping in its Terms of Service — which is a contractual matter separate from GDPR. In practice, using an import tool like Derrick’s, which operates from your own Sales Navigator session, sits in a far more comfortable position than anonymous mass scraping.
The right approach
Regardless of how you extract the data, LinkedIn-sourced prospecting data must:
- Be used only for purposes consistent with the prospect’s professional activity
- Be accompanied by a source mention in your outreach (“I came across your LinkedIn profile”)
- Be deleted promptly upon any objection request
GDPR enforcement: what’s the real risk for sales teams?
Let’s be straightforward: the risk of a regulatory sanction for a small or mid-sized B2B company running a proper prospecting operation is low. Supervisory authorities like the ICO and CNIL primarily target large companies, B2C actors, and manifestly abusive practices (mass spam, unlawful data collection, data resale without consent).
That said, the risks aren’t zero and are worth understanding:
Regulatory risks:
- Fines up to €20 million or 4% of global annual turnover (for large enterprises)
- Warnings and enforcement notices (more common for SMBs)
- Orders to cease non-compliant processing activities
Business risks (often more immediate):
- Prospect complaints to supervisory authorities
- Reputational damage — an angry prospect can cost more than a fine
- Per an Ifop survey, 66% of French consumers say they’d abandon a service following a GDPR breach; trust is a commercial asset in its own right
The good news: following the 7 rules above puts you in a solid compliance position for standard B2B prospecting. Real risk comes from abuse — bulk spamming, selling data, no opt-out mechanism at all — not from a well-structured cold email sequence.
The most common GDPR mistakes (and how to fix them)
Problem 1: No opt-out in prospecting emails
Symptom: Your outbound emails contain no unsubscribe link, or the link is buried and hard to find.
Impact: Direct violation of GDPR and ePrivacy requirements. Exposes you to regulatory complaints and damages your sender reputation with email providers.
Solution: Add a clearly visible unsubscribe link to every email — “Unsubscribe” in plain text, one click, immediate effect. When a prospect opts out, remove them from all active lists within 24 hours and add them to a permanent suppression list.
Problem 2: Database never purged — contacts from 4+ years ago still active
Symptom: Your CRM or Google Sheets contains prospects who haven’t engaged with you in 4, 5, or even 6 years.
Impact: Violation of the 3-year retention rule. These contacts are also likely obsolete, which actively degrades your email deliverability.
Solution: Run a quarterly database review. Any contact with no engagement (open, reply, click) in the last 36 months should be removed or anonymized. A simple date-based filter in Google Sheets or your CRM is all you need to identify them.
Problem 3: Using an enrichment tool without a DPA
Symptom: You’re using an email finder or LinkedIn scraping tool without verifying its GDPR compliance or signing a Data Processing Agreement.
Impact: As the data controller, you’re jointly responsible for your processors’ practices. If the tool isn’t compliant, neither are you — even if you had no idea.
Solution: Before using any third-party tool that handles personal data, check that it offers a DPA and a clear GDPR-aligned privacy policy. Prioritize tools that enrich from public data sources and can document their compliance approach on request.
Problem 4: Sending the same sequence to your entire list regardless of relevance
Symptom: No segmentation by industry, function, or company type — the same message goes to everyone.
Impact: If your offer has no manifest relevance to a prospect’s role, your legitimate interest basis is indefensible. You’re also likely seeing poor engagement rates, which compounds the compliance risk.
Solution: Segment your list before every campaign. Make sure each sequence is calibrated for a profile that has a genuine reason to care about your offer. Derrick’s AI Segmentation can automate this step at scale.
Problem 5: No Record of Processing Activities
Symptom: No document formally listing your data processing operations (prospect database, CRM, newsletter, etc.).
Impact: In the event of a regulatory audit, you can’t demonstrate compliance. This is a direct violation of Article 30 GDPR — and one of the first things inspectors check.
Solution: Create a simple document (a Google Sheet or Notion page works fine) listing each processing activity: purpose, data categories, legal basis, retention period, and recipients. It doesn’t need to be complex — it just needs to exist and be kept up to date.
Key takeaways
- Under GDPR, B2B prospecting does not require opt-in consent — you can cold email on the basis of legitimate interest
- Nominative data like j.smith@company.com is personal data, even in a professional context
- Three non-negotiable obligations: relevant message, transparent data source, easy opt-out
- Maximum retention period: 3 years from last contact — purge or anonymize beyond that
- Sign a DPA with your enrichment tools — their non-compliance becomes yours
- Maintain a Record of Processing Activities — even a simple one — it’s Article 30 and it must exist before any audit
Conclusion: GDPR compliance as a competitive edge
GDPR doesn’t spell the end of B2B outbound. It professionalizes how it’s done. Teams that embed compliance into their workflows don’t just protect themselves legally — they build a reputation as trustworthy operators that prospects and partners actually want to engage with.
Bottom line: B2B prospecting remains open and legal in 2026, provided you target intelligently, communicate honestly, and make opting out frictionless. That’s exactly what a well-built prospecting workflow enables — with the right tools, clean enriched data, and a routine database hygiene process.
FAQ
Is cold email B2B legal under GDPR? Yes. Cold emailing B2B contacts is legal under GDPR on the basis of legitimate interest. You can reach out to professionals without prior opt-in consent, provided your message is relevant to their professional activity, you disclose your data source, and you include a clear opt-out mechanism.
How long can I keep B2B prospect data under GDPR? The standard retention limit is 3 years from the last interaction with the prospect. After this period with no engagement, the data must be deleted or anonymized. This rule applies equally in B2B and B2C contexts.
Is a generic email like info@company.com subject to GDPR? No. A generic address that doesn’t identify a specific individual is not personal data under GDPR. However, a nominative address like j.smith@company.com is — even if it’s used exclusively in a professional setting.
Do I need to sign a DPA with my data enrichment tool? Yes. Whenever a third-party provider processes personal data on your behalf, a Data Processing Agreement is required under Article 28 GDPR. Most reputable tools include it in their terms or provide one on request. Verify this before any production use.
Can I use LinkedIn data for B2B prospecting without violating GDPR? Yes, under the right conditions. Data from public LinkedIn profiles can be used for B2B prospecting, provided your message is relevant to the prospect’s professional role, you mention LinkedIn as your source, and you honor opt-out requests promptly. Note that this is separate from LinkedIn’s Terms of Service, which governs scraping practices independently.
What’s the difference between TPS/CTPS compliance and GDPR for phone prospecting? GDPR covers the lawful basis for processing phone numbers as personal data. TPS (Telephone Preference Service) and CTPS (Corporate TPS) are UK-specific registers that allow individuals and businesses to opt out of unsolicited calls. Before calling any UK number for prospecting purposes, you must screen it against the TPS/CTPS lists — this is a separate obligation from GDPR, not a replacement for it.