GDPR for B2B Companies
Note: This article is not legal advice. Consult your legal team to understand the effect which GDPR may have on your business.
The dust is settling and the GDPR is now law. In a perfect world, all affected manufacturers and distributors have already taken steps to make their operations compliant. Right?
Well… this isn’t a perfect world. For manufacturers and distributors who are still working to establish compliance, understanding the law is critical. I’ve spent many months preparing Corevist Commerce for the GDPR. In that time, I’ve had numerous conversations with our clients on the GDPR and how it will affect their ecommerce initiatives. While this article is not legal advice, I’d like to share some thoughts on what the GDPR means for B2B manufacturers and distributors. I’ll frame this in terms of 4 questions.
1. Do B2B buyers really reveal personal information when dealing with a manufacturer or distributor?
In a word—yes.
The GDPR’s definition of personal data is actually quite broad. “Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”
It’s impossible for a B2B buyer to deal with a manufacturer or distributor without revealing this data. Here are common pieces of personal information which a B2B buyer may have to provide to complete a transaction:
- A personal work email like firstname.lastname@example.org.
- Their direct office phone number.
- The address of the office where they work.
- The IP address from which they make an ecommerce purchase with your company.
Of course, not all information is personal. It’s important to understand that distinction. Here are some pieces of information that don’t fall under the GDPR:
- A generic company email like email@example.com.
- Data that has been irretrievably anonymized.
2. Since it protects consumers, the GDPR doesn’t apply in B2B, right?
Wrong. The GDPR protects data that relates to an identified or identifiable living individual. It doesn’t care whether that individual is acting as a B2C consumer (buying something for themselves through a retail outlet) or as a B2B professional (buying something at work). If personal information is involved, the data exchange falls under the GDPR.
Think about it like this. At a minimum, if you’re using a business email to conduct a B2B transaction, that data exchange reveals your first name, last name, and IP address. That IP address alone allows someone to identify and/or contact an individual, even if it only locates them for the part of the day when they’re at work. With that IP address, a hacker can figure out what country the buyer is in, what city, even what building.
So while the GDPR does not protect the data of businesses, it does protect the data of individuals who work for businesses. It’s that simple.
3. What are some typical B2B ecommerce data handling practices that must change after the GDPR?
At the end of the day, the processes that have to change in B2B are identical to those that have to change in B2C.
At Corevist, we went through all the same exercises that a B2C company would—securing data, securing compliance, improving data segregation, disclosing who all our processors and subprocessors are, data flow mapping, and creating addenda to every client and subprocessor contract.
There is no difference here in the requirements between B2B and B2C.
On the Forrester Blog, Lori Wizdo says that B2B marketers should embrace the GDPR “as a waypoint on the path to customer-obsessed marketing.” While it’s true that the spirit of GDPR puts the customer/individual first, companies shouldn’t lose sight of this fact: non-compliance can incur massive liabilities.
So yes, embrace a customer-first approach. But remember that the GDPR carries a big stick.
4. How can manufacturers/distributors safeguard the data of B2B buyers?
Ultimately, safeguarding customer data comes down to normal cybersecurity best practices: data encryption at rest and in transit, separation of duties, controlled access to personally identifiable information, audit capabilities, and the ability for users to have their data deleted upon request. That is the list of security safeguards the GDPR requires to be in place. You also have to declare where the data is being stored, how it’s being processed, how it’s being transferred, and who’s accessing it.
Yes, that’s a little vague. But every business is different, and there’s no one checklist for every manufacturer/distributor.
At the end of the day, it’s about clearly documenting the flow of personal information. Where you get it, why you have it, how you use it, who can access it (and where). Those things have to be clearly defined and documented.
Then you need safeguards in place to ensure that ONLY those people, in only those places, only for those reasons, can access that data.
Lastly, you have to document the fact that your safeguards are actually in force.
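The three steps above (document the flow, restrict access to only those people, places and reasons, and keep evidence that the restriction is in force) can be made concrete in code. The following is an added example written for this article; it is not code from the original post or from Corevist Commerce. It keeps a small register describing each personal-data field, enforces reads against that register by role, location and purpose, writes every attempt (allowed or denied) to an audit log, honours an erasure request, and summarises the log as evidence. All field names, roles, purposes, locations and the buyer record are constructed for the example.

```python
"""
Added example, not code from the original article or from Corevist: a small,
purpose-bound access layer for B2B buyer records. It implements the three steps
described in the article: a documented data flow (DATA_REGISTER), enforcement
that only the listed roles, from the listed locations, for the listed purposes
can read a field, and an audit trail that evidences the control is in force.
Every field, role, purpose, location and record below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Step 1: document the flow. For each personal-data field: where it comes from,
# why it is held, who may read it, and from where. (Hypothetical register.)
DATA_REGISTER = {
    "work_email": {"source": "account signup form",
                   "purposes": {"order_fulfilment", "support"},
                   "roles": {"order_desk", "support_agent"}, "locations": {"EU"}},
    "direct_phone": {"source": "account signup form",
                     "purposes": {"support"},
                     "roles": {"support_agent"}, "locations": {"EU"}},
    "last_order_ip": {"source": "web server request log",
                      "purposes": {"fraud_review"},
                      "roles": {"security_analyst"}, "locations": {"EU", "US"}},
}


def check_access(role, location, purpose, fields):
    """Step 2: may this role, from this location, for this purpose, read these
    fields? Returns (allowed, reason). Deny by default: a field that is not in
    the register is never readable."""
    for f in fields:
        rule = DATA_REGISTER.get(f)
        if rule is None:
            return False, f"{f}: not in data register"
        if purpose not in rule["purposes"]:
            return False, f"{f}: purpose {purpose!r} not permitted"
        if role not in rule["roles"]:
            return False, f"{f}: role {role!r} not permitted"
        if location not in rule["locations"]:
            return False, f"{f}: access from {location!r} not permitted"
    return True, "ok"


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    record_id: str
    fields: tuple
    allowed: bool
    reason: str


@dataclass
class PersonalDataStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, actor, action, record_id, fields, allowed, reason):
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                         actor, action, record_id, tuple(fields),
                                         allowed, reason))

    def read(self, actor, role, location, purpose, record_id, fields):
        """Return only the requested fields, only if the register permits it.
        Every attempt, allowed or denied, is written to the audit log."""
        allowed, reason = check_access(role, location, purpose, fields)
        self._audit(actor, "read", record_id, fields, allowed, reason)
        if not allowed:
            raise PermissionError(reason)
        record = self.records[record_id]
        return {f: record[f] for f in fields}

    def erase(self, actor, record_id):
        """Honour a deletion request: drop the record and keep only the audit
        entry showing that the erasure happened."""
        existed = self.records.pop(record_id, None) is not None
        self._audit(actor, "erase", record_id, (), existed,
                    "erased" if existed else "no such record")
        return existed

    def evidence(self):
        """Step 3: evidence the safeguard is in force: per action, how many
        attempts were allowed and how many were denied."""
        summary = {}
        for e in self.audit_log:
            counts = summary.setdefault(e.action, {"allowed": 0, "denied": 0})
            counts["allowed" if e.allowed else "denied"] += 1
        return summary


def demo():
    """Constructed walk-through: one permitted read, one denied read, one erasure."""
    store = PersonalDataStore(records={"buyer-1001": {
        "work_email": "firstname.lastname@example.org",  # constructed
        "direct_phone": "+00 000 0000",                   # constructed
        "last_order_ip": "192.0.2.10",                    # constructed
    }})
    support = store.read("alice", "support_agent", "EU", "support",
                         "buyer-1001", ["work_email", "direct_phone"])
    try:  # order desk has no "support" purpose for the phone number
        store.read("bob", "order_desk", "EU", "order_fulfilment",
                   "buyer-1001", ["direct_phone"])
        denied = False
    except PermissionError:
        denied = True
    erased = store.erase("dpo", "buyer-1001")
    return support, denied, erased, store.evidence()


if __name__ == "__main__":
    print(demo())
```

The design point is that the register is both the documentation and the policy: the same table that tells an auditor where a field comes from and why it is held is what the `read` path enforces, so the documentation cannot silently drift from the control. The audit log records denials as well as successes, which is what turns "we have a safeguard" into evidence that it is actually in force.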
If you have any questions about the GDPR and what it could mean for your SAP ecommerce initiative, please get in touch with us. We’re happy to answer your questions on how Corevist Commerce complies with the GDPR.