Since the changes in GDPR (The General Data Protection Regulation, May 2018) legislation came in to force it has forced changes to many business processes. The ICO (Information Commissioners Officer), UK’s independent body set up to uphold information rights has taken actions against many organisations, resulting in millions of pounds penalties and fines.

The ICO is combining GPDR along with PECR (Privacy & Electronic Communications Regulation 2003) to ensure organisations are taking appropriate actions to protect the privacy of individuals and behaving within the guidelines.

One area that the ICO is regularly taking actions against is Marketing, making it ever more important you are aware of these regulations and conducting your activities in a compliant way.

More and more organisations are using the global social media platform LinkedIn for many marketing and awareness campaigns … and so the question arises

Is prospecting through LinkedIn in breach of GDPR?

Here are some key points for you to consider;

  • Business to Business marketing is NOT exempt from GDPR – it’s a myth that it only applies to B2C (Business to consumer). If you trade with or engage with either, you must comply with GDPR.
  • A business contacts name, email address and mobile phone number are all considered personal data under GDPR. Therefore, using your LinkedIn contacts data must be done so in accordance with GDPR.
  • The legislation comes in to play if you add a business card and its details to files, computer systems or databases. This will include downloading (digital or handwritten) a copy of your personal contacts from LinkedIn. It is important that your organisations’ policies and procedures cover this to ensure this does not undermine the organisations’ level of compliance with GDPR. All personal data (including B2B contact details) must be adequately protected from data loss and or breach.
  • You must have a lawful basis for processing personal data, there are 6 available;
    1. Consent
    2. Legitimate Interest
    3. Contract
    4. Legal Obligation
    5. Vital Interest
    6. Public Task
  • The most common reason that applies to marketing is ‘consent’ or ‘legitimate interest’. You must have a clear and easy opt out process at all times.
  • Processing will include everything that the entity does with the data including receipt, collection, storing, amending, disclosure and destruction.
  • You can rely on legitimate interests for marketing activities if you can show the way in which you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing.
  • Legitimate Interest is easily demonstrated by using a legitimate interest assessment (LIA).

Therefore, when it comes to LinkedIn and compliance with GDPR you;

COULD – send an existing contact a message to seek agreement to email, call or meet about a topic including potential of their interest in goods or services for them or their organisation.

COULD – send a request to connect to someone you do not know expressing interest that you would welcome the opportunity to connect with them to explore potential interest in your goods or services.

COULD NOT – Use search finds of unknown contacts from LinkedIn to extract their email address or telephone number to issue company marketing.

In the last 12 months to June 2021, in excess of £3.4 million fines were issues by the ICO related to marketing activities. The amount of penalties continues to grow year on year.

DIRECTORS – the ICO is going further than just issuing fines and penalties, they are now pursuing banning orders against Directors of organisations who are in significantly in breach of GDPR & PECR regulations.

For those curious about recent fine here are some more examples:


Learn more on how Net-Defence can help your organisation with GDPR.