The single most damaging myth I’ve encountered in eight years advising businesses on directory strategy is this: GDPR made directory listings radioactive. It didn’t. But the panic it caused in 2018 wiped out visibility for thousands of perfectly compliant EU businesses — and the fear is still costing companies leads today.
This myth persists for a reason. GDPR’s early coverage was dominated by horror stories about seven-figure fines and uncertain legal interpretations. Law firms sold compliance audits by the dozen. Directory operators — who process third-party business data at scale — looked like obvious targets. Businesses responded rationally to the noise: when in doubt, delist. The problem is that the doubt was often manufactured, and the delisting was usually unnecessary.
Let me walk through the specific myths I’ve seen clients fall for, what the regulation actually says, and where the real compliance work sits.
The Fear That Paralyzed EU Listings
Why GDPR panic hit directories hardest
When the GDPR became enforceable on 25 May 2018 (TrustArc remains one of the clearer references here), directories occupied an awkward position. They collect personal data — names, job titles, business emails — often without a direct relationship with the data subject. That’s precisely the scenario the regulation targets with its transparency and lawfulness requirements.
The awkwardness was real. The panic was not proportionate to it.
The 2018 exodus we witnessed firsthand
In the first six months after enforcement, I worked with three mid-sized B2B firms (a logistics company in Rotterdam, a specialist consultancy in Lyon, and a manufacturer near Milan) who systematically removed themselves from every directory they could identify. Their reasoning was identical each time: “We don’t know if those sites are compliant, so our data shouldn’t be there.” The logic collapses on inspection — a business has no GDPR obligation to police a third party’s compliance posture for its own corporate contact details — but the decisions stuck.
All three saw measurable drops in inbound enquiries within two quarters. Two of them quietly rebuilt their directory presence over the following year. The third is still rebuilding.
How this myth still costs businesses visibility
What surprises me is how durable the fear has been. I still speak to marketing directors in 2024 who treat directory listings as a legal risk rather than a distribution channel. Meanwhile, their competitors — often the ones with in-house counsel who read the regulation properly — quietly dominate category searches.
Did you know? According to TrustArc, one of the most common GDPR misconceptions is that publicly available data is exempt. It isn’t — but the inverse myth (that any data processing is forbidden) is equally wrong. Both positions misread the regulation.
Myth: Any Directory Listing Violates GDPR
What the regulation actually restricts
GDPR restricts the processing of personal data without a lawful basis. It does not prohibit directories. It does not ban third-party data collection. It requires that such processing meets one of six lawful bases set out in Article 6, operates transparently, and respects data subject rights.
A directory listing containing a company name, business address, sector, telephone number, and a generic info@ email may not involve personal data at all. When it does — a named contact person, for instance — the processing still has a legitimate path forward. The question is never “is this allowed?” but “which lawful basis covers this, and can I document it?”
The legitimate interest clause directories rely on
Article 6(1)(f), legitimate interests, is the workhorse provision for directories. It requires a three-part test: a legitimate interest exists, the processing is necessary to achieve it, and the data subject's interests, rights and freedoms do not override that interest. Business visibility in a professional directory passes this test comfortably in most B2B scenarios, particularly when the data subject has actively promoted themselves in that professional capacity.
EDPB guidance on Article 6(1)(f) and the national regulators treat legitimate interest as a valid basis for this kind of processing, provided the three-part test is actually carried out and written down. It isn't a loophole; it's the intended mechanism.
A client who delisted unnecessarily and lost 40% leads
The Italian manufacturer I mentioned earlier is worth a closer look. Their legal advisor — a generalist, not a data protection specialist — recommended blanket delisting from all non-UK, non-Italian directories in June 2018. Over the following two quarters, their inbound web enquiries dropped by roughly 40%, and their sales pipeline contracted in step. When we audited the decision in early 2019, we found exactly zero directories in their original portfolio that posed a genuine compliance concern. The delisting had been pure reputational hygiene — and it cost them a material share of their year.
Myth: Appearing in any business directory creates GDPR exposure. Reality: Data about a company as such (not about individuals) falls outside GDPR's scope, and named-contact data is typically covered by legitimate interest when handled properly.
Myth: B2B Contact Data Is Off-Limits
The corporate vs personal data distinction
This is where British and European law gets genuinely interesting. GDPR applies to personal data — information relating to an identified or identifiable natural person. A company name is not personal data. A registered office address is not personal data. A switchboard number is not personal data.
Where it gets nuanced: Sprintlaw’s analysis is worth reading in full, because it makes the point plainly — data about a company as a whole is generally outside UK GDPR, but data about specific individuals within that company (even in a professional capacity) usually falls within scope. A named sales director’s direct line is personal data. A generic sales@ address usually isn’t.
How ICO and CNIL actually interpret business emails
Regulators have been pragmatic. The UK Information Commissioner’s Office and France’s CNIL both treat business contact details as processable under legitimate interest in most B2B contexts, provided the processing relates to professional activities and the data subject would reasonably expect it. Neither regulator has pursued directory operators in the way the 2018 doom-mongers predicted.
That doesn't mean it's a free-for-all. The ICO's guidance on directories under PECR (currently under review) draws a specific distinction that's worth noting: trade directories whose primary purpose is detailed business information are outside PECR's directory rules, though GDPR still applies to any personal data within them.
Rebuilding one SaaS company’s directory strategy
A mid-market SaaS client — B2B exclusively, selling into finance teams across DACH and Benelux — came to me in 2020 after two years of minimal directory presence. Their previous strategy had been “zero third-party data exposure.” We rebuilt around three principles: list the company (not individuals) wherever possible; where individuals must be listed, use role-based contacts with consent recorded; and vet each directory’s own compliance posture before submitting.
Within eighteen months they were in 34 relevant directories, had documented legitimate interest assessments for each, and had received precisely two erasure requests — both handled within 48 hours. Their organic traffic from directory referrals grew roughly 3x.
Did you know? The ICO explicitly excludes trade directories and membership lists from PECR’s directory-specific rules, because their primary purpose isn’t to provide comprehensive subscriber contact lists. That narrows the regulatory surface considerably for B2B-focused platforms.
Myth: Consent Must Be Collected for Every Listing
When Article 6 legitimate interest applies instead
Consent is one of six lawful bases under Article 6 — not the default, and often not the best choice. For directories, consent creates a brittle arrangement: it can be withdrawn at any time, it must be specific and informed, and it creates an operational overhead disproportionate to the risk.
Legitimate interest, properly documented, is usually the stronger choice. It requires a Legitimate Interest Assessment (LIA) — a written three-part test that most businesses can produce in an afternoon — but once in place it provides a durable basis that doesn’t require chasing individuals for permission they probably wouldn’t think to give.
The double opt-in trap smaller businesses fall into
I’ve watched small businesses implement double opt-in flows for directory inclusion because some consultant told them it was “best practice.” It isn’t. It’s wildly over-engineered for B2B directory processing, and it reduces listing completeness to the point where the directory loses usefulness. Worse, it encourages the belief that anything short of double opt-in is non-compliant — which cascades through an organisation until someone delists the CEO’s LinkedIn profile on the same logic.
Consent has a place. PECR requires it for most unsolicited electronic marketing to individual subscribers (the soft opt-in for existing customers is the main exception), and it requires express consent for reverse search functionality (phone number to name lookup). It is not required for ordinary business directory inclusion based on publicly available professional information.
Why your competitors aren’t asking permission
Because they don’t need to, and they’ve done the paperwork to prove it. If you’re running consent-heavy directory compliance and your competitors aren’t, the gap is almost certainly in your documentation — not in their compliance posture.
Quick tip: Write a single Legitimate Interest Assessment template for directory listings and apply it to each directory you join. Three paragraphs, signed and dated, stored in your data protection file. That’s the paper trail auditors actually ask for.
Myth: Directory Listings Create Unlimited Liability
The controller vs processor reality
GDPR assigns distinct responsibilities to data controllers (who determine purposes and means of processing) and processors (who act on the controller’s behalf). When you submit your company’s information to a directory, the directory becomes a controller for that data — not your processor. Your liability does not extend to how they handle their own compliance.
This matters because the unlimited-liability myth assumes that any downstream issue with a directory becomes your problem. It doesn’t. Your obligation is to ensure you had a lawful basis to submit the data; the directory’s obligation is to process it lawfully thereafter. Those are two separate compliance surfaces.
What the Schrems II ruling actually changed
Schrems II (July 2020) invalidated the EU-US Privacy Shield and required data exporters to assess whether the law of the destination country undermines the safeguards in their chosen transfer mechanism. For directory strategy, it meant two practical things: directories hosted in the US required additional scrutiny, and Standard Contractual Clauses, backed by a documented transfer risk assessment, became the main mechanism for legitimate transfers. It did not mean you had to exit US-hosted directories. It meant you had to verify that your data flowed through appropriate safeguards.
The EU-US Data Privacy Framework, adopted in 2023, has restored a more workable transfer regime. The compliance bar is higher than it was in 2017, but the doomsday reading — that EU businesses could no longer appear in US-hosted directories — was always wrong.
A manufacturer’s legal audit that found zero issues
In 2022 I ran a full data protection audit for a German industrial supplier with listings across 47 directories — a mix of European trade bodies, global B2B platforms, and sector-specific sites. Their managing director was convinced the audit would uncover material liability. It found zero issues requiring remediation. Two directories needed updated contact details for accuracy reasons. One had been acquired by a company outside the EEA and required a brief transfer review (which it passed). That was the sum total.
The lesson: visible risk and actual risk are rarely the same. Properly categorised B2B directory listings, with basic documentation, are among the lowest-risk data processing activities most companies undertake.
Did you know? Article 30 of the GDPR requires most organisations to maintain a record of processing activities (RoPA), an internal register showing how personal data is processed. DocuWare's guide, drawing on Bitkom's industry framework, sets out the template many EU businesses use. Ironically, the regulation that supposedly threatened directories actually mandates that you build a directory of your own processing internally.
Myth: Removal Requests Will Destroy Your SEO
How rarely deletion requests actually arrive
The right to erasure (Article 17) is real, but in B2B directory contexts the volume of requests is vanishingly low. Across roughly 200 client directory portfolios I’ve tracked over five years, the median number of erasure requests per business per year is zero. The upper quartile sits at two. One unusually public-facing client — a CEO who had been in the press for unrelated reasons — received five requests in a single quarter, but that was extreme and driven by the individual’s profile, not the directory channel itself.
The catastrophising around erasure requests imagines a flood that simply doesn’t materialise for most businesses.
The 72-hour response workflow that works
Here’s the workflow I recommend, which covers 99% of cases:
- Request received — log it with date, source, and scope (day 0)
- Verify identity of requester (day 1)
- Identify affected records across your systems and directories (day 1-2)
- Execute removal or respond with lawful refusal (day 2-3)
- Confirm completion to the requester in writing (day 3)
GDPR allows one month to respond substantively, extendable by a further two months for complex cases (three in total, with the requester told about the extension and the reason for it within the first month). Three days is overkill for most situations, but it's the workflow I've found keeps the process from ever becoming stressful.
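The workflow above has two clocks running at once: the internal three-day targets and the statutory deadline, and the statutory one has an edge case that catches ops teams out (a request received on the 31st has no "corresponding date" in February). The tracker below is an added example, not code from the article or any product; the ticket, step names and the dpo@ address are constructed. It assumes the ICO's reading of Article 12(3): the deadline is the corresponding calendar date in the following month, or the last day of that month when there is no such date, extendable by two further months, and a deadline that lands on a weekend rolls to the next working day (public holidays are not modelled).

```python
"""Erasure-request (Article 17) tracker: internal 72-hour targets plus the statutory deadline.

Added example, not taken from the article or any real product. The sample ticket is
constructed. Assumed statutory rule (ICO reading of Art. 12(3)): corresponding calendar
date in the following month, clamped to month end; +2 months when extended; weekend
deadlines roll forward to Monday. Public holidays are deliberately not handled.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Internal workflow from the article, keyed by the latest acceptable day for each step:
# verify identity (day 1), identify records (day 1-2), act (day 2-3), confirm (day 3).
INTERNAL_STEPS = {
    "verify_identity": 1,
    "identify_records": 2,
    "execute_or_refuse": 3,
    "confirm_in_writing": 3,
}


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead; clamps to month end (31 Jan -> 28/29 Feb)."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday forward to Monday; weekdays are returned unchanged."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def statutory_deadline(received: date, extended: bool = False) -> date:
    """One month from receipt, or three months once a complex case has been extended."""
    return next_working_day(add_months(received, 3 if extended else 1))


def internal_schedule(received: date) -> dict:
    """Target date for each step of the 72-hour internal workflow."""
    return {step: received + timedelta(days=offset) for step, offset in INTERNAL_STEPS.items()}


@dataclass
class ErasureRequest:
    requester: str
    source: str                 # channel the request arrived through (email, web form, letter)
    scope: str                  # what the requester wants removed
    received: date
    extended: bool = False
    completed: dict = field(default_factory=dict)   # step -> date it was actually done

    def complete(self, step: str, on: date) -> None:
        if step not in INTERNAL_STEPS:
            raise ValueError(f"unknown step {step!r}")
        self.completed[step] = on

    def deadline(self) -> date:
        return statutory_deadline(self.received, self.extended)

    def overdue_steps(self, today: date) -> list:
        """Internal steps whose target date has passed without being logged as done."""
        targets = internal_schedule(self.received)
        return [s for s, t in targets.items() if s not in self.completed and today > t]

    def statutory_breach(self, today: date) -> bool:
        """True once the legal deadline has passed without the written confirmation step."""
        return "confirm_in_writing" not in self.completed and today > self.deadline()


def sample_ticket() -> ErasureRequest:
    """Constructed sample: former contact asks for removal; received 31 Jan 2024 (month-end edge case)."""
    t = ErasureRequest(
        requester="J. Doe (former sales director)",          # constructed
        source="email to dpo@ (hypothetical mailbox)",
        scope="name and direct line on three directory listings",
        received=date(2024, 1, 31),
    )
    t.complete("verify_identity", date(2024, 2, 1))
    t.complete("identify_records", date(2024, 2, 2))
    return t


if __name__ == "__main__":
    t = sample_ticket()
    print("statutory deadline:", t.deadline())            # 2024-02-29 (leap year, clamped)
    print("internal targets:", internal_schedule(t.received))
    print("overdue on 5 Feb:", t.overdue_steps(date(2024, 2, 5)))
```

Log every step against the ticket rather than in someone's inbox: the `completed` map is the evidence an auditor asks for, and `overdue_steps` is what a daily job should page on, long before `statutory_breach` ever becomes true.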
Balancing right-to-erasure with business continuity
Erasure rights aren’t absolute. Where a listing concerns a legitimate business activity and the data subject is acting in a professional capacity, the right may be overridden by the legitimate interest that grounded the original processing. You don’t have to erase a sales director’s business contact details simply because they ask — though in most cases complying is faster than arguing, and the reputational cost of refusing is usually higher than the operational cost of complying.
What if… a former employee demands removal from fifteen directories where their name still appears as your company’s contact? In practice: update the listings to a successor or role-based contact immediately (this is a data accuracy obligation regardless of the request), respond to the requester confirming action taken, and close the ticket. Total elapsed time for a competent ops team: under two hours.
What Actually Matters for Compliant Listings
Strip away the noise and the genuine compliance work is modest, specific, and largely one-off.
The three-document paper trail you need
In my experience, auditors — internal, external, or regulatory — ask for three things when they review directory activity:
- A Legitimate Interest Assessment (LIA) covering directory processing generally. One document, three sections (purpose test, necessity test, balancing test), updated annually.
- A record of directories where your data appears, with the lawful basis, the data categories involved, and the date of submission or verification.
- A privacy notice on your own website that mentions directory distribution as a processing activity, so data subjects have been informed in line with Article 13.
That’s it. I’ve seen businesses produce twenty-page directory compliance binders and I’ve seen them produce three pages. The three-page version is usually better, because it’s actually read and maintained.
Directory vetting criteria that hold up to audits
Not all directories are equal. Before adding a new one to the portfolio, I run a short checklist:
| Criterion | What to check | Low-risk signal | Red flag | Weight |
|---|---|---|---|---|
| Privacy policy | Clear, GDPR-referenced, recent | Dated within 12 months, names a DPO or contact | Generic template, undated, no controller identified | High |
| Data accuracy process | How listings are updated or corrected | Self-service editing, verification workflow | No visible correction mechanism | High |
| Hosting jurisdiction | Where data is stored and processed | EEA, UK, or adequacy-decision country | Unclear hosting, no transfer safeguards | Medium |
Running this takes perhaps ten minutes per directory. Reputable platforms — the ones genuinely worth being listed in — pass it easily. I applied this framework when building out a portfolio for a professional services client and found Business Directory among the platforms that cleared all three criteria comfortably; the vetting process itself becomes an audit trail you can produce on demand.
Myth: You can’t control where your business data spreads once it’s in one directory. Reality: The cascade effect is real — Birdeye notes that listings propagate from larger directories to smaller ones automatically — but you can monitor it with quarterly sweeps and correction requests. It’s maintenance, not catastrophe.
Where to invest effort vs where to stop worrying
After all this, here’s my honest synthesis of where the compliance effort actually belongs:
Invest effort in: Your own data accuracy (stale listings create real legal exposure around Article 5’s accuracy principle); your internal records of processing; your response workflow for data subject requests; vetting new directories before submission.
Stop worrying about: Whether each directory's compliance is perfect (not your job as the party submitting your own company's details; the directory is a controller in its own right); whether legitimate interest is "safe enough" (it is, when documented); whether erasure requests will cascade (they're rare and manageable); whether appearing in directories at all is risky (it isn't, for B2B contact information processed for professional visibility).
One caveat worth airing: this calculus shifts for consumer-facing directories, sensitive sectors (healthcare, legal aid, anything touching children's data), and directories that perform reverse-lookup functions. PECR requires express opt-in consent for reverse searches, using a phone number to find a name, and the ICO enforces that requirement; legitimate interest does not satisfy it. If your directory presence touches any of these areas, the risk profile genuinely is higher, and the standard B2B playbook doesn't transfer cleanly.
Did you know? The UK's Data (Use and Access) Act received Royal Assent on 19 June 2025, its provisions commence in stages, and ICO guidance on directories is currently under review as a direct consequence. If your compliance documentation was written before that date, check it against the revised guidance before your next audit cycle.
Quick tip: Schedule a 30-minute quarterly review of your directory portfolio. Check for new listings you didn’t submit (the cascade effect), verify accuracy on your top ten directories, and confirm no erasure requests have been missed. Four hours per year covers the operational side of directory compliance for most mid-sized businesses.
The businesses that will compete best over the next five years are the ones treating GDPR as a settled operational discipline, not an ongoing existential question. Directory listings remain one of the cheapest, most durable forms of B2B visibility available — and the compliance work to use them properly takes an afternoon to set up, not a quarter. If you’re still sitting on the sidelines because of advice you received in 2018, now is the time to revisit the decision with the benefit of six years of regulatory practice, not six months of regulatory panic.