The General Data Protection Regulation (GDPR) is a comprehensive legal framework that establishes guidelines for the collection, storage, and processing of personal information from individuals residing in the European Union (EU).

In the UK, the Information Commissioner’s Office (ICO) oversees the enforcement of the Data Protection Act 2018, GDPR, and the Privacy and Electronic Communications Regulations (PECR) 2003. Think of the ICO as the data protection authority—we make sure to stay on their good side.

Compliance with GDPR is crucial, as the penalties for non-compliance are severe and designed to be a deterrent. You certainly don’t want to be subject to an ICO investigation or enforcement action.

At Alvo, we are committed to offering 100% GDPR and PECR-compliant B2B prospecting.

Many modern marketing strategies rely heavily on customer data. GDPR governs the conditions and methods by which data can be legally processed and introduces significant consequences for non-compliance. It also defines which types of data are considered private and should be treated as such, often referred to as Personally Identifiable Information (PII).

Businesses are often surprised by the amount of PII they store, sometimes without a specific purpose or intent.

The goal of GDPR is to provide clear data protection guidelines for companies that collect, store, or process personal data—something that applies to nearly every business. In the context of email outreach, GDPR and PECR require that marketing emails be targeted toward individuals likely to find the content useful and relevant in their professional role within the target business. This is the primary test for qualifying communication as B2B in nature and thus exempt under PECR.

To ensure compliance, Alvo:

• Identifies only those companies that precisely match your campaign requirements.

• Clearly identifies the subject of each email.

• Crafts emails to ensure the content is relevant to the business prospect.

• Provides an easy opt-out mechanism in every email.

• Includes a link to the client’s privacy policy, which explains how the data was collected, the GDPR lawful basis for processing, the data subject’s right to stop further processing, and contact information for exercising GDPR rights.

GDPR is indeed complex, and when combined with PECR requirements, it can become even more confusing. However, Alvo takes both GDPR and PECR seriously.

Our innovative prospecting approach is inherently compliant with both GDPR and PECR. We target business customers with carefully tailored communication and ensure we meet PECR’s consent and opt-out requirements. We fully acknowledge our GDPR responsibilities and work diligently to meet them while helping our clients understand and meet their obligations.

Since GDPR’s implementation, some prospects have mistakenly believed that email marketing became largely illegal after May 25, 2018. It didn’t, and here’s why:

Our legal and technical teams worked tirelessly to ensure that we comply with all GDPR guidelines on data protection, relevance, targeting, and more. It wasn’t easy, and it took months of preparation before May 2018 for us to confidently say that every Alvo campaign is—and always will be—100% GDPR compliant.

Yes, PECR continues to apply alongside GDPR. Although GDPR has amended the definition of consent, businesses must still comply with both GDPR and PECR for B2B marketing.

The EU is working on replacing the current e-privacy law with a new ePrivacy Regulation (ePR). However, the new ePR is still under discussion. Until it is finalised, the existing PECR rules remain in force, with the updated definition of consent.

While appointing a Data Protection Officer (DPO) is recommended for certain types of processing, it is not a legal requirement for all businesses. At the very least, you should designate a compliance officer who can act immediately when needed. This person can be a direct employee, such as a CTO or managing director, or an external compliance support service.

If your business handles its own marketing activities to promote a product or service, you are the data controller for the data associated with that campaign (Article 24). If you are a provider of marketing services, hired to assist a business in promoting a product or service, the client is the data controller, and you are typically the processor (Article 28).

At Alvo, we work closely with our clients to meet their exact requirements, targeting the right customers with tailored emails. This collaborative approach means we often act as Joint Controllers with our clients, as defined under GDPR. We jointly determine how data is collected, stored, and processed, ensuring the success of every campaign. To clarify these roles, we’ve developed a comprehensive Data Sharing Agreement.

Yes, B2B marketing campaigns are perfectly legal when conducted in a compliant manner. We recognize that both GDPR and PECR apply.

GDPR outlines six lawful bases for processing personal data, with ‘legitimate interest’ being our primary basis. We’ve conducted a thorough Data Protection Impact Assessment to ensure our approach fully complies with GDPR.

To ensure your marketing aligns with all relevant regulations, we recommend conducting your own assessments and completing your own GDPR preparations. If you need assistance, we offer a Legitimate Interest Assessment (LIA) that can be conducted on your behalf.

Not necessarily. GDPR governs how personal data is collected, stored, and processed.

Consent is one lawful basis for processing personal data under GDPR, but alternatives exist. For instance, you might rely on ‘legitimate interests’ to justify data processing for marketing purposes.

When it comes to using data for marketing, the relevant framework is actually PECR. Under PECR, consent is generally not required for B2B marketing communications. However, careful consideration is needed regarding whom you target and the messages you send. That’s where Alvo comes in—our approach is 100% GDPR and PECR compliant.

For more details on the relevant regulations, you can refer to the UK ICO’s Guide to PECR: UK ICO’s Guide to PECR.

GDPR heavily regulates the storage and processing of Personally Identifiable Information (PII).

You should map your business systems to determine which data fields you store and categorise these in terms of their GDPR status.

In general, company information is not considered PII and can be stored and processed freely as needed. This means you do not need consent to maintain a database of target companies. However, PII may include fields such as a prospect’s name, email, phone number, job title, and social profile URLs.

GDPR outlines several permissible circumstances for processing PII. The most relevant category in this context is Legitimate Interest, although other categories may also apply.

For more information on the Legitimate Interests basis for processing PII, you can refer to this ICO guide.

To ensure your marketing activity falls within this category, it’s advisable to conduct a full Legitimate Interests Assessment (LIA) before starting any marketing campaign.

Regardless of whether you engage Alvo, we strongly advise you to complete your GDPR preparations. Failure to comply with GDPR can result in significant fines and enforcement action by the ICO.

We’ve created a template Privacy Policy and Legitimate Interest Assessment to help you get started and to facilitate your partnership with Alvo.

Your key document is your Privacy Policy.

Any marketing messages should include a link to a privacy policy that explains the user’s rights, the type of data held about them, who holds it, and how the data was collected. To ensure full coverage, you should also include Alvo in your Privacy Policy.

(If needed, Alvo can provide a template Privacy Policy or review your existing one to ensure it meets the required standard.)

The rest of the documentation is just the standard GDPR set. Importantly, you need to know how you will handle requests from data subjects. We can assist with this, but examples include:

• Managing opting out and exclusion lists: All recipients must be able to easily opt out of future communications. Alvo automatically excludes previous opt-outs from the data selection process. However, you also need a process to remove anyone who contacts you directly.

• Subject Access Requests: Your team needs a process to respond to data subject access requests. We advise having a template letter and a consistent process for responding. Ideally, you should appoint a Data Protection Officer or designate a compliance officer to handle this on your behalf.

• Right to Erasure (Right to be Forgotten): The Right to be Forgotten is one of the most complex and powerful data protection rights. It is essential to have a process in place for removing individuals from all internal and partner systems. If you need help with this, we’ve developed a Right to be Forgotten process that can be used internally.

Further Questions? Our support team is here to answer any questions you may have. We’re happy to schedule a call or provide a written response to any compliance-related queries.

Remember, you’re in safe hands with Alvo.