
GDPR and B2B Data: What You Can and Can’t Do in the UK


When doing B2B outreach in the UK, you may have wondered where the legal line sits. Can you email a business contact without their permission? Can you call a company you have never done business with? The rules are more detailed than many people assume, and getting them wrong can be expensive. The same uncertainty shows up in modern dating, which in most cases now begins online. Sending a message, requesting a follow, or tracking down someone's email address outside a social network can feel harmless, but the boundaries are not always clearly drawn. Respect, timing, and consent shape how a communication is received, and crossing those boundaries can quickly cause discomfort.

The principle is the same in both settings: access does not mean permission. Knowing when outreach is appropriate and when it becomes an intrusion is central to building trust and keeping credibility, quite apart from the consequences that can follow even a single misjudged contact. This guide sets out what the UK GDPR and PECR actually say about B2B data, so you know precisely where you stand.

UK GDPR

The bigger picture is only one part of the puzzle; a real understanding of the rules comes from looking at how they are framed and applied. Legal frameworks exist to provide direction, not to restrict behaviour unnecessarily. A closer look at these regulations shows how compliance and practical communication can co-exist.

UK GDPR and PECR: Two Sets of Rules

Since leaving the EU, the UK has had its own version of GDPR, usually referred to as the UK GDPR, which sits alongside the Data Protection Act 2018. For direct marketing in particular, you must also comply with the Privacy and Electronic Communications Regulations 2003 (PECR). The two pieces of legislation complement each other: UK GDPR sets the rules for processing personal data, while PECR sets out when consent is required to contact a person by electronic means. Both apply to B2B marketing, but they do not impose the same requirements.

When Does UK GDPR Apply to B2B Data?

UK GDPR applies whenever you are processing personal data. In B2B, that covers any information that identifies a person, including a named contact's email address or direct phone number. A generic company address such as [email protected] does not raise GDPR concerns, but a business email address containing a person's name does. The ICO, the UK's data protection regulator, states that the nature of the subscriber matters. PECR applies less strictly to corporate subscribers, which include limited companies, LLPs, and government bodies. Sole traders and simple partnerships are treated as individuals, and the more stringent rules that apply to consumers apply to them.

What You CAN Do

The next step in breaking down the rules is knowing how to put them into practice. The legal framework is not there to prevent outreach but to shape it so that it is responsible and effective. Focusing on what is allowed makes compliance an attainable, manageable plan rather than an obstacle.

This is one of the biggest differences in UK B2B marketing: you do not need prior permission to send unsolicited marketing email to a corporate subscriber, provided the message is relevant to their job and they are given an easy way to opt out. This is grounded in Regulation 22 of PECR, and it is what allows B2B email outreach to operate within the law. UK GDPR still applies, however. You will still need a lawful basis for processing that contact's personal data, and in most cold B2B outreach cases that basis will be legitimate interests.

The same sense of responsibility carries over to online dating, where contacting someone new is part of the experience, yet context and relevance still matter. A message that fits a person's profile, their interests, or something they have mentioned is far more likely to be well received than a generic or intrusive one. Platforms may facilitate introductions, but there is still a need for a respectful motive and an easy way to disengage. Clear signals, considerate communication, and awareness of limits help ensure that an initial approach is welcomed rather than resented.

Rely on Legitimate Interests for Processing

Legitimate interests are the most commonly used lawful basis for B2B direct marketing in the UK. The ICO is clear that direct marketing can constitute a legitimate interest, provided you carry out a Legitimate Interests Assessment (LIA) before you begin processing.

An LIA is a three-part test:

  1. Purpose test: Is there a legitimate interest behind the processing?
  2. Necessity test: Is the processing necessary to achieve that purpose?
  3. Balancing test: Does your interest override the rights and privacy of the individual?

You don’t have to publish your LIA, but you do need to document it. This is important if the ICO ever asks you to demonstrate compliance.

Use Publicly Available Data (With Caveats)

B2B outreach may use data from Companies House, business directories, LinkedIn, or company websites, but not unconditionally. The ICO has been clear that the fact that data is publicly available does not exempt you from data protection law. You will still need a lawful basis, and you will still be required to comply with PECR. Many companies that partner with outbound marketing vendors, such as The Lead Generation Company, rely on third-party B2B data. In those cases, it is your responsibility to verify that the data was sourced lawfully and that the provider can demonstrate a lawful basis for their own processing.

Make Live Marketing Calls to Corporate Subscribers

You are allowed to make live outbound marketing calls to corporate subscribers without prior permission, but you must first screen the number against the Telephone Preference Service (TPS) and Corporate TPS (CTPS). If the number is registered, you cannot call it unless that organisation has given you specific permission to do so. UK GDPR will also apply if, during the call, you process personal data such as a named person's address.

What You CAN’T Do

Respecting opt-out requests isn’t optional; it’s the baseline. Ignore them, and you’re not just bending rules, you’re breaking trust.

Ignore Opt-Out Requests

You must provide a clear and easy way to unsubscribe in every marketing email. This applies even if you had permission to send it in the first place, and it matters more as the channels through which users engage with content continue to multiply. Once a person has said no, the communication must stop and the request must be recorded. For businesses that run regular outreach, it is worth maintaining a suppression list of everyone who has opted out or complained, so they are not contacted again in the future.

Make Automated Marketing Calls Without Consent

This is a hard line under PECR. Automated marketing calls always require explicit consent, regardless of whether you are contacting a corporate or an individual subscriber. That consent must be freely given, specific, informed, and unambiguous. The ICO has no tolerance here and has fined organisations hundreds of thousands of pounds for making automated calls without it.

Email Sole Traders Without Consent

As stated earlier, sole traders and simple partnerships are treated as individuals under PECR. Just as you would with a consumer, you must obtain their prior permission before sending them unsolicited marketing emails or texts. This catches out many B2B businesses, especially those that focus on small businesses or self-employed professionals.

Use Data You Can’t Account For

If you are using or purchasing a third-party data list, you need to do due diligence on the source. You must be able to demonstrate that the data was collected lawfully. If you cannot, you are taking on the compliance risk yourself. The ICO can and does take enforcement action against organisations that use poorly sourced data.

The Cost of Getting It Wrong

The fines for non-compliance are substantial. Under UK GDPR, the ICO can impose fines of up to £17.5 million or 4% of your total annual global turnover, whichever is greater. Under PECR, fines can reach £500,000 and may also be imposed on individual directors. In 2024, the ICO issued a total of 18 fines, 15 of them for PECR violations. Enforcement is accelerating: in the first six months of 2025 alone, the ICO imposed fines worth approximately £5.6 million, roughly twice the total for 2024. On top of the financial risk, there is the reputational damage that comes with a publicly announced ICO action.

A Practical Checklist

UK GDPR and PECR do not make B2B outreach impossible; they set the guidelines for doing it properly. The same thinking applies in dating: making contact is not hard, but making it wisely is what matters. Taking a moment to think before you send a first message can determine how it is received. Does the approach fit who the person is and what they have shared? Does it respect their space and give them a comfortable way to reply, or not to reply at all? Pausing to reflect on these questions makes the interaction far more likely to be intentional, respectful, and the start of a positive relationship rather than an embarrassing mistake. Before you run any outreach campaign, ask yourself:

  • Have I identified a lawful basis for processing the personal data I’m using?
  • Have I completed and documented a Legitimate Interests Assessment if relying on that basis?
  • Am I contacting corporate subscribers or individuals? The rules differ.
  • Does every email include a clear opt-out option?
  • Have I screened phone numbers against the TPS and CTPS?
  • Can I demonstrate that my data was sourced lawfully?
  • Do I have a suppression list in place for anyone who has previously opted out?

Getting these basics right will keep you on the right side of the ICO and protect your business from unnecessary risk. 

This article is for informational purposes only and does not constitute legal advice. For specific guidance on your situation, consult a qualified data protection professional.