How GDPR Works in Practice

GDPR has ruffled everyone’s feathers since coming into full effect in May 2018, so emails and data generally have become a bit of a worry for a lot of businesses. We recently wrote a blog post about what GDPR is and how it will affect your business, which outlines the rules and regulations and the consequences of not following them, which we strongly recommend you read if you’re not already familiar with GDPR!

Today we’re going to go a bit more in-depth and give you some information about GDPR in practice.

So, firstly…

The 6 main things GDPR outlines for data processing, as explained by Ibrahim Hasan for the Law Gazette:

Consent: “the individual has given clear consent to process their personal data for a specific purpose”

Contract: “the processing is necessary for a contract with the individual, or because they have asked the data controller to take specific steps before entering into a contract”

Legal Obligation: “the processing is necessary for the data controller to comply with the law”

Vital Interests: “the processing is necessary to protect someone’s vital interests e.g. life or property”

Public Task: “processing data that is required for the data controller to perform a task in the public interest of for official functions, and the task of function has a clear basis in law”

Legitimate Interests: “the processing is necessary for the data controller’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests” (more on this later)

Whilst all of these are very important, we’re going to explain 3 of them in a bit more detail in this post: Consent, Contract and Legitimate Interests – as these are the 3 we think are most relevant to our clients for general business practice.

The big question:

Can I still email my customers?

Yes, BUT you need their consent if it’s not contractually necessary to contact them.

i.e. If it’s about a purchase a customer has made (a contract), then you’re good to go but marketing emails are not allowed unless you have their informed consent AND they click to opt-in.

There are also different rules for B2B and B2C, and then some businesses actually need to be treated as B2C… it’s all very confusing, so we’ll try and break it down for you below:


  • All individuals are covered by GDPR and so any processing of their data must comply with the regulations (you can read them in our previous blog post here)
  • The main thing here is that you must obtain active and informed consent from everyone
  • Sole-traders, small partnerships and one-person operations must also be treated as B2C so consent must be obtained from these individuals for their data to be processed


  • You can process the data of someone who works at a business (as long any communications aimed at them are in a strictly business sense)
  • There is no need to gain specific consent as there shouldn’t be any personal data being processed
  • You can still send B2B marketing emails as long as there is legitimate interest (see below)
  • You can usually determine which email addresses are businesses by what comes after the @. If it’s (rather than, etc.), you should be alright, but it’s worth finding out from them if possible, or by researching the business online (to ensure they aren’t a sole-trader, small partnership or one-person operation) 

Now, let’s talk legitimate interest…

According to Sonovate, this is where businesses can process data that:

  • has a clear benefit
  • doesn’t impact the individual’s privacy
  • the individual would expect to be processed (within reason)

So, this means that you can process the data of someone’s business information if it’s in your interest. This allows you to send B2B marketing emails as it’s not the individual’s data that is being used, and therefore there is no need to obtain consent.

Legitimate interest does make things more flexible and, if you do only communicate B2B, should be fine for you (as long as all emails to them are aimed at their role rather than them as a consumer!). However, if you communicate B2C at all then you must obtain consent from your customers, or be filling a customer contract (if they’ve bought anything).


In summary, GDPR isn’t designed to stop you from processing data or communicating with your customers, it’s just in place to ensure that all individuals’ data is protected. The main thing is, you are still allowed to email your customers about a service they are paying for (a contract!), which we’re going to give you some advice on in next week’s blog post, so keep an eye out!

For all other communications and data processing, you must obtain consent and/or ensure your practices fit within the legitimate interests requirements.