Your prospect sends you an email: “I’d like to know what data you hold on me and request its deletion.” You have one month to respond. If you don’t have a process in place, that’s a problem.
GDPR grants individuals a set of enforceable rights against any organization that processes their personal data — including your sales team. In B2B, it’s tempting to assume these rules only apply to consumer-facing businesses. They don’t. The moment an email address contains a name (mike.johnson@company.com), it’s personal data, and all rights apply.
This guide covers what those rights are, how they apply to B2B prospecting in practice, and how to handle each type of request without disrupting your pipeline.
Enrich your B2B leads while staying compliant
Derrick finds emails and phone numbers from LinkedIn directly in Google Sheets — no shady databases, no manual CSV imports.
The 6 GDPR rights your prospects can exercise
GDPR gives individuals a set of rights over their personal data. The six below are the ones a B2B sales or marketing team will actually meet, and they apply every time you collect, enrich, or use contact data.
| Right | What the prospect can request | Response deadline |
|---|---|---|
| Access | A copy of all data you hold on them | 1 month |
| Rectification | Correction of inaccurate or incomplete data | 1 month |
| Erasure | Deletion of their data from your systems | 1 month |
| Objection | Opt out of prospecting | Stop processing immediately; confirm within 1 month |
| Restriction | Pause processing without full deletion | 1 month |
| Portability | Receive their data in a structured format | 1 month |
In a B2B prospecting context, the most frequently exercised rights are the first three — access, rectification, and erasure — alongside the right to object, which is the most operationally critical.
Right of access: what exactly do you need to share?
The right of access (GDPR Article 15) allows anyone to ask what data you hold on them, why you process it, and who you’ve shared it with.
In practice, if Mike — a Sales Director at a mid-size SaaS company — contacts you to exercise his right of access, you need to provide:
- A complete list of the personal data you’ve collected on him (email, phone number, job title, company, past interactions…)
- The purpose of processing: what you use the data for (prospecting, customer follow-up, segmentation…)
- The legal basis you rely on — typically legitimate interest in a B2B context
- The retention period you apply to this data
- The identity of any third-party processors who have access to the data (CRM, email platform, enrichment tool…)
- Where the data came from, if you didn’t collect it from him directly (Article 15(1)(g)): for enriched records that means naming the source, such as the enrichment tool or a public profile
- Whether any data has been transferred outside the EU/EEA
You have one month from receipt of the request to respond. This can be extended by two additional months for complex cases, provided you inform the individual within the first month.
Practical tip: build a standard response template for access requests. Pull information from your data processing register and set up a quick export from your CRM and prospecting tools ahead of time.
Right of rectification: correcting inaccurate data
The right of rectification (GDPR Article 16) is, in practice, the least disruptive to handle. A prospect telling you their job title has changed, their email is wrong, or they’ve moved to a new company — that’s a rectification request.
In most cases, you want to fix this data anyway. Inaccurate data means bounced emails, missed calls, and a deliverability rate heading south.
Emma, a Sales Ops manager at a B2B scale-up, handles 3 to 4 rectification requests per month on average. Her process: immediate update in the CRM, check and sync across connected enrichment tools, written confirmation to the requester within 48 hours. Outcome: compliance maintained, cleaner database.
If you use third-party enrichment tools, make sure the correction propagates across all your systems: CRM, prospecting spreadsheets, email platform, and so on. A partial update can still be considered a compliance failure.
Right to erasure (the “right to be forgotten”): the process to follow
The right to erasure (GDPR Article 17) — commonly known as the “right to be forgotten” — allows a prospect to request deletion of their data when they object to prospecting, when the data is no longer needed for its original purpose, or when they withdraw consent.
Important: erasure doesn’t mean deleting everything. This is where most teams make a critical mistake.
If you wipe a prospect’s email address entirely after an erasure request, nothing stops them from being re-enriched and added back to a campaign six months later. The right approach is:
- Delete active data (CRM record, email lists, prospecting spreadsheets)
- Keep a suppression list (also called a blocklist) containing only the minimum identifier needed (typically the email address) to prevent accidental re-enrollment. Use it for matching only, never as a source for outreach or enrichment
- Document the request: date received, date processed, action taken
A suppression list is not a GDPR violation; keeping one is how you demonstrate that the deletion holds. The ICO (Information Commissioner’s Office, the UK equivalent of France’s CNIL) explicitly recommends it in its direct marketing guidance.
Mark, a Growth Manager at a B2B lead gen agency, maintains his suppression list in a dedicated tab in Google Sheets. Before every new import or campaign send, he automatically checks addresses against the list. Time spent: 5 minutes. Risk of a regulatory complaint: near zero.
Right to object: the most critical right in prospecting
The right to object (GDPR Article 21) is the most frequently exercised right in a sales context — and the most restrictive. When someone objects to their data being used for direct marketing, the right is absolute and takes immediate effect.
There is no balancing test for direct marketing: you can’t invoke legitimate interest to keep contacting someone who has objected to prospecting. From the moment you receive the request, you must:
- Stop all outreach immediately (email, phone, LinkedIn…)
- Update your suppression list
- Confirm receipt and action to the individual
In practice, the unsubscribe link at the bottom of every prospecting email is the main mechanism for exercising this right. But a prospect can also object by direct email, phone call, or LinkedIn message. All forms are equally valid.
Potential consequence: contacting a prospect after they’ve exercised their right to object exposes your company to a formal complaint and GDPR fines of up to €20 million or 4% of global annual turnover, whichever is higher.
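Here is what the suppression check described in the erasure section (delete the active record, keep only the identifier, check every import and every send against the list) and the “update your suppression list” step above look like in code. This is an added example, not the page’s or Derrick’s code. It assumes two things the page does not prescribe: addresses are normalized before matching, and the list stores an HMAC-SHA256 digest computed under a secret kept outside the file, rather than the address itself. The sample addresses and import rows are constructed.

```python
"""Suppression-list check run before every import or campaign send.

Added example, not the page's or any vendor's code. Design choices the page
does not prescribe: addresses are normalized (trimmed, lower-cased) before
matching, and the list stores an HMAC-SHA256 digest of the normalized address
under a secret kept outside the file, so a leaked list cannot be turned back
into a mailing list and holds only what suppression needs.
"""
import hashlib
import hmac
from datetime import date

REASONS = {"erasure", "objection"}  # why the identifier is on the list


def normalize_email(addr: str) -> str:
    """Canonical form for matching. Local parts are case-sensitive on paper
    (RFC 5321) but case-insensitive in practice; a suppression check should
    err towards matching, so everything is lower-cased."""
    return addr.strip().lower()


class SuppressionList:
    def __init__(self, secret: bytes):
        if len(secret) < 16:
            raise ValueError("use a secret of at least 16 bytes, stored separately from the list")
        self._secret = secret
        self._entries: dict[str, tuple[str, str]] = {}  # digest -> (reason, date)

    def digest(self, email: str) -> str:
        msg = normalize_email(email).encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def add(self, email: str, reason: str, received: date) -> None:
        if reason not in REASONS:
            raise ValueError(f"unknown reason {reason!r}")
        # Keep the first entry: the earliest request date is what you need to prove later.
        self._entries.setdefault(self.digest(email), (reason, received.isoformat()))

    def is_suppressed(self, email: str) -> bool:
        return self.digest(email) in self._entries

    def filter_import(self, rows: list[dict]) -> tuple[list[dict], list[dict]]:
        """Split candidate rows into (allowed, blocked); run on every import and before each send."""
        allowed, blocked = [], []
        for row in rows:
            (blocked if self.is_suppressed(row["email"]) else allowed).append(row)
        return allowed, blocked

    def export_lines(self) -> list[str]:
        """Serialise as 'digest,reason,date' lines: no plaintext address leaves memory."""
        return [f"{d},{r},{t}" for d, (r, t) in sorted(self._entries.items())]

    @classmethod
    def load(cls, secret: bytes, lines: list[str]) -> "SuppressionList":
        sl = cls(secret)
        for line in lines:
            d, r, t = line.strip().split(",")
            sl._entries[d] = (r, t)
        return sl


# Constructed sample data: two requests already honoured, and an enrichment
# export that would otherwise re-add one of them with different casing.
SECRET = b"replace-with-a-secret-from-your-vault"
SUPPRESSED = [("mike.johnson@company.com", "erasure", date(2024, 3, 4)),
              ("lena.kraus@example.org", "objection", date(2024, 5, 12))]
SAMPLE_IMPORT = [
    {"email": "Mike.Johnson@Company.com ", "title": "Sales Director"},
    {"email": "emma.lee@example.com", "title": "Sales Ops Manager"},
    {"email": "mark@agency.example", "title": "Growth Manager"},
]


def run_check(secret: bytes = SECRET) -> tuple[list[dict], list[dict]]:
    """Build the list, round-trip it through its file format, then filter the import."""
    sl = SuppressionList(secret)
    for email, reason, when in SUPPRESSED:
        sl.add(email, reason, when)
    restored = SuppressionList.load(secret, sl.export_lines())
    return restored.filter_import(SAMPLE_IMPORT)


if __name__ == "__main__":
    allowed, blocked = run_check()
    print("allowed:", [r["email"] for r in allowed])
    print("blocked:", [r["email"] for r in blocked])
```

Because the digest is keyed, a leaked list is not a mailing list; a plain SHA-256 would not give you that, since anyone can hash a guessed address and check for it. The cost is that the secret must be backed up with the same care as the list: lose it and every entry becomes unmatchable. The normalization is deliberately minimal; dot-folding and plus-addressing are provider-specific and should not be applied unless you know the domain’s rules.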
How to handle data subject requests in practice: a 4-step process
Now that you know the rights and what they require, here’s how to build an operational process that keeps you compliant without grinding your team to a halt.
Step 1: Set up a dedicated contact point
Designate a clear email address for incoming requests (e.g. privacy@your-company.com) and reference it in your privacy policy, legal notices, and ideally in your prospecting emails. This inbox needs to be monitored regularly.
Expected outcome: No request falls through the cracks. Every email received triggers a documented process.
Step 2: Verify the requester’s identity
Before sharing any data, confirm the person is who they claim to be, in proportion to the risk: releasing a full data export to the wrong person is itself a breach, while stopping outreach to someone costs nothing even if the request was not genuine. In most cases it is enough to send a confirmation to the address you hold on file and act on the reply, rather than trusting the From header of an unsolicited email, which is easy to spoof. If you have doubts (a generic email address, inconsistencies in the request), ask for additional information before releasing anything, as Article 12(6) allows.
Expected outcome: You avoid sharing personal data with an unauthorized third party.
Step 3: Process the request within the regulatory deadline
Once the request is validated, act on it:
- Access: export data from all relevant systems (CRM, Google Sheets, email tool, enrichment platform)
- Rectification: update across all systems simultaneously
- Erasure: delete active records and add the identifier to your suppression list
- Objection: halt all outreach immediately, update suppression list
You have one month from the date of the complete, valid request.
Expected outcome: Request handled on time, regulatory exposure minimized.
Step 4: Log every request
Keep a record of every request received and how it was handled: date received, type of right exercised, action taken, date of response. A simple spreadsheet works fine for small teams. This log is your proof of compliance if you’re ever audited.
Expected outcome: You can demonstrate compliance on demand, without scrambling.
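The four steps above, as an added example (not the page’s or any vendor’s code): a request log that computes the statutory deadline, flags items approaching it using the page’s five-day internal buffer, refuses to mark a request as completed before identity is verified (except for objections, where stopping outreach carries no risk and should not wait), and only accepts an extension while the first month is still running. It assumes the one-month period is one calendar month from receipt, clamped to the month’s last day when the same date does not exist (the convention of EU Regulation 1182/71 for periods expressed in months); it does not apply weekend or public-holiday rules. References and dates are constructed.

```python
"""Data subject request log with deadline tracking.

Added example, not the page's or any vendor's code. Assumptions: the
one-month period is one calendar month from receipt, clamped to month end
when the same date does not exist (the Regulation 1182/71 convention for
periods expressed in months); weekend and public-holiday rules are not
applied. The five-day internal buffer mirrors the page's advice.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RIGHTS = {"access", "rectification", "erasure", "objection", "restriction", "portability"}
INTERNAL_BUFFER = timedelta(days=5)


def day(s: str) -> date:
    """Parse an ISO date such as '2024-01-31'."""
    return date.fromisoformat(s)


def add_months(d: date, months: int) -> date:
    """Shift d by `months` calendar months; 31 Jan + 1 month -> 29 Feb (leap year)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y += d.year
    m = m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Request:
    ref: str
    received: date
    right: str
    channel: str            # email, phone, linkedin, in person: all equally valid
    identity_verified: bool = False
    extended: bool = False
    completed: Optional[date] = None
    action: str = ""

    def __post_init__(self) -> None:
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right {self.right!r}")

    @property
    def deadline(self) -> date:
        # Art. 12(3): one month, extendable by two further months, so three in total.
        return add_months(self.received, 3 if self.extended else 1)

    @property
    def internal_due(self) -> date:
        return self.deadline - INTERNAL_BUFFER


class RequestLog:
    def __init__(self) -> None:
        self._items: dict[str, Request] = {}

    def record(self, req: Request) -> Request:
        if req.ref in self._items:
            raise ValueError(f"duplicate reference {req.ref}")
        self._items[req.ref] = req
        return req

    def extend(self, ref: str, today: date) -> date:
        """Apply the two-month extension; only valid while the first month is running."""
        req = self._items[ref]
        if req.extended or today > req.deadline:
            raise ValueError("extension must be notified within the first month, once")
        req.extended = True
        return req.deadline

    def complete(self, ref: str, on: date, action: str) -> None:
        req = self._items[ref]
        # Objections are honoured on receipt; everything else waits for verification.
        if req.right != "objection" and not req.identity_verified:
            raise ValueError("verify identity before releasing or changing data")
        req.completed, req.action = on, action

    def status(self, ref: str, today: date) -> str:
        req = self._items[ref]
        if req.completed:
            return "done" if req.completed <= req.deadline else "done-late"
        if today > req.deadline:
            return "overdue"
        if today >= req.internal_due:
            return "due-soon"
        return "open"

    def open_items(self, today: date) -> list[tuple[str, str, date]]:
        """(ref, status, deadline) for every unfinished request, oldest reference first."""
        return sorted((r.ref, self.status(r.ref, today), r.deadline)
                      for r in self._items.values() if not r.completed)


if __name__ == "__main__":
    log = RequestLog()
    log.record(Request("DSR-1", day("2024-01-31"), "access", "email", identity_verified=True))
    log.record(Request("DSR-2", day("2024-03-15"), "objection", "phone"))
    log.complete("DSR-2", day("2024-03-15"), "outreach stopped, added to suppression list")
    for item in log.open_items(day("2024-02-26")):
        print(item)
```

The `complete` guard encodes the proportionality point from step 2: an access export or a rectification changes or releases data and must wait for verification, while an objection is acted on the moment it arrives, whatever channel it came through. Feeding `open_items` into a daily alert gives you the ticket-with-deadline from the “most common mistakes” section without any extra tooling.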
Data retention: how long can you keep prospect data?
Retention periods are directly tied to data subject rights. Keeping data longer than necessary is itself a GDPR violation — even if you’ve never received an erasure request.
For B2B prospecting, the generally accepted framework is:
- Active prospects (currently being solicited): data can be kept throughout the active sales cycle
- Inactive prospects (no interaction for an extended period): 3 years from the last contact is the usual reference (it is the period the CNIL recommends)
- Customers: contractual duration plus applicable accounting obligations (typically 10 years for invoices in most EU jurisdictions)
Beyond these periods, data should be deleted or anonymized. Regular list hygiene — ideally automated — is good practice for both compliance and data quality.
The special case of third-party enriched data
If you use B2B data enrichment tools to complete your prospect profiles (email, phone, LinkedIn job title…), you remain the data controller for that data — even if you didn’t collect it directly.
That means:
- You must be able to respond to access requests covering enriched data
- If someone requests erasure, you must delete that data from your systems
- The enrichment tool is a data processor under GDPR and must offer compliance guarantees — specifically, a signed Data Processing Agreement (DPA) and transparency about data sourcing
Before adopting any enrichment tool, verify that it provides a DPA and can clearly explain where the data it supplies comes from.
For teams working with LinkedIn-sourced data — profiles, professional emails, phone numbers — the GDPR question comes up with every enrichment. B2B database enrichment needs to rely on transparent sources and clearly defined processing purposes.
The 5 most common mistakes (and how to fix them)
Mistake 1: Missing the response deadline
Symptom: An access or erasure request arrives by email and sits unanswered for more than a month. Impact: The individual can file a complaint directly with the ICO (or relevant national authority), potentially triggering an investigation. Fix: Set up an alert on your privacy inbox. Every request should automatically generate an internal ticket with a deadline 25 days out, giving you a buffer before the one-month limit.
Mistake 2: Deleting data without keeping a suppression list
Symptom: A deleted prospect gets re-enriched and re-added to a campaign three months later. Impact: The prospect receives outreach again after exercising their right to object — a clear violation. Fix: Maintain a permanent suppression list. Integrate an automatic check against this list before every import or campaign launch.
Mistake 3: Only updating one system
Symptom: The erasure is done in the CRM but not in the email platform or prospecting spreadsheets. Impact: Data persists elsewhere — the request is only partially fulfilled. Fix: Map all systems where prospect data is stored. Create a multi-system erasure checklist and run through it for every deletion request.
Mistake 4: Not logging processed requests
Symptom: When audited, you can’t prove you handled an erasure request received eight months ago. Impact: No evidence of compliance, potential aggravation of any penalty. Fix: Keep a simple request log (date, type, identity, action taken, response date). A Google Sheet works perfectly for most teams.
Mistake 5: Ignoring requests that come in through non-email channels
Symptom: A prospect calls to request deletion of their data, but the request isn’t acted on because “it didn’t come through the right channel.” Impact: The request goes unhandled — the prospect files a complaint. Fix: Train your sales team to recognize and escalate any data subject request, regardless of the channel (phone, LinkedIn, in-person). The format of the request doesn’t matter. Your obligation to handle it does.
Key takeaways
- GDPR grants individuals rights over their data; the six you will meet in prospecting are access, rectification, erasure, objection, restriction, and portability.
- The right to object to prospecting is absolute — you cannot decline it.
- You have one month to respond to any request; two months for complex cases, with notification.
- Erasing data doesn’t mean wiping all traces: keep a suppression list to prevent accidental re-enrollment.
- You are responsible for data enriched via third-party tools — verify your processors are compliant.
- Log every request received and every action taken.
Conclusion: compliance as a competitive advantage
Handling data subject rights isn’t a blocker for B2B prospecting — it’s a trust signal. Teams that respond quickly and transparently build a reputation for seriousness that compounds over time.
In practice, putting a solid process in place takes half a day at most. A dedicated email, a request log, a suppression list, and a multi-system erasure checklist — that’s the core of it.
For prospect data that’s always up to date, verified, and enriched within a compliant framework, Derrick App lets you enrich your leads directly in Google Sheets — no opaque databases, no manual CSV exports.
FAQ
What is the GDPR right of access? The right of access lets any individual ask an organization what personal data it holds on them, why it’s being processed, and who it’s been shared with. The organization has one month to respond and must provide a copy of the data concerned.
Can a B2B prospect request deletion of their data? Yes. Any individual whose data is being processed can exercise the right to erasure — including a professional contacted as part of B2B outreach. You must delete their data from all your systems and keep their identifier in a suppression list to prevent accidental re-enrollment.
How long can you keep inactive prospect data? GDPR itself sets no fixed period; the commonly applied reference, recommended by the CNIL, is 3 years from the last contact with an inactive prospect. After that, data must be deleted or anonymized, regardless of whether an erasure request has been received.
What if a prospect objects to prospecting over the phone? The format of the request doesn’t matter — a phone call is valid. You must note the request, immediately stop all outreach, and add the person to your suppression list. Train your sales team to recognize and escalate these requests, whatever the channel.
Am I responsible for data enriched by a third-party tool? Yes. As the data controller, you’re responsible for all personal data you hold — regardless of its source. Your enrichment tool is a data processor: verify it offers a DPA and can demonstrate GDPR-compliant data sourcing.