The General Data Protection Regulation, or GDPR as it is known to many of us, came into force in May 2018.

When Brexit went into effect, and the UK formally left the European Union (EU) in 2021, the EU GDPR regulation stopped applying in the UK, but the government introduced what is often referred to as UK GDPR, which is very similar in nature.

In this blog, we delve deeper into the difference between Business to Business (B2B) and Business to Customer (B2C) when it comes to GDPR, which we think is particularly important to recruiters who deal with both kinds of data.


The key differences between B2B and B2C


  • You do not have to specifically ask for consent when processing business data
  • You are allowed to send marketing emails to business email addresses without specific consent if there is a legitimate interest


  • You have to ask for active consent when processing personal data
  • Sole Traders and some Partnerships do fall into this category and should be treated as B2C
  • If they do not give active consent to join your mailing list or to be sent further correspondence from initial contact, then you must not retain their information

Some more information on this can be found here.

So, how do I differentiate between business data and personal data?

Initially, you can segment your existing mailing lists between what you recognise as personal data versus business data. For example, you can add all the @hotmail, @gmail or @btinternet type email addresses into a B2C list and all business name ones into your B2B list.

Then when you ask for people to fill in their details, on your website for instance, you could ask them for a few more bits of information to gauge whether you’re dealing with a business or an individual. You could ask for their company name and maybe how many employees are at the company, so you can estimate the size of the company too. It will not tell you for sure, but you should be able to get a good idea from asking for this information.

The best thing to do to be on the safe side, if you are in any doubt, is to treat everyone as an individual and ask for active consent when they give you their details. You must also then record proof of consent with the data you store.

Legitimate Interest

If you’ve been reading around the subject of GDPR you will more than likely have come across the term ‘legitimate interest’. This term refers to when a business is allowed to process someone’s data because it is of legitimate interest to the business. Businesses are being encouraged to use this as a reason for processing data when:

  • The processing of the data is of clear benefit to their business
  • There is a limited impact on privacy of the individual
  • The individual would reasonably expect the business to use their data in this way
  • The business doesn’t want to bother people with a consent request when they are not likely to object anyway.

It is important that a record is kept of when you are using legitimate interest as a reason to process someone’s data, including the reason that you are retaining their information; just as you would if you had asked for consent. Be prepared to justify this though, if you get asked.

8 Golden Rules to remember when it comes to GDPR

Finally, we have 8 Golden Rules to remember when it comes to GDPR, consent and legitimate interest:

  1. Make sure you have a clear and accessible privacy policy.
  2. Always provide a clear opportunity for people to opt out if they wish.
  3. Respect your opt-outs. Make sure you remove them from your mailing lists and dispose of their data.
  4. Comply with all legal and ethical standards. Make sure the content you send is relevant and do not spam people.
  5. Consider the nuisance factor. Do not email too frequently.
  6. Do not target vulnerable individuals.
  7. Think specifically about legal justification if you are changing what you’re doing or doing something new.
  8. Record the reason you are retaining the data and be prepared to justify this if necessary.

So, there are some key differences when dealing with business data compared to personal data, but it is always best to play it on the safe side and treat all data with caution. If in any doubt at all then make sure you get active consent before retaining any data or adding them to your mailing lists. Be prepared to be able to recall this information should you get asked for it and make sure you have a process in place for removing that data too. After all it pays to be careful and respectful of other people’s privacy and mindful of being sensitive with their data and the use of it.

The advice in this article is not exhaustive. Responsibility for compliance of GDPR lies with each individual company. More information on GDPR can be found on the following sites:

Click here to check out some more tips on how to prepare your recruitment business.


About The Recruitment Network

This blog article was provided by The Recruitment Network.

The Recruitment Network is the ultimate support club for recruitment business leaders. We give our members an unparalleled level of support, guidance and tools to help them transform their recruitment businesses with the ultimate objective of improving business performance, increasing business efficiency and significantly growing profitability and shareholder value.