Roughly half of UK B2B sales teams have either stopped cold outreach entirely because they believe GDPR prohibits it, or they are doing it with no compliance process at all because they believe B2B is exempt. Both positions are wrong.
UK GDPR applies to B2B prospecting. It does not prohibit it. The regulation provides a lawful basis called legitimate interest that explicitly allows businesses to process personal data for direct marketing purposes - provided they follow the rules. Most outbound teams fail not because the law is against them, but because they do not understand what the law actually requires.
The Legal Position: Legitimate Interest for B2B
Under Article 6(1)(f) of the UK GDPR, processing personal data is lawful when it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
In plain English: you can contact a business prospect without their prior consent if you have a genuine business reason to do so, and if the contact would reasonably expect to hear from you.
The ICO has confirmed this interpretation repeatedly. Their guidance on direct marketing states that legitimate interest is an appropriate lawful basis for B2B marketing where the recipient would reasonably expect the communication. A Head of Marketing at a SaaS company would reasonably expect to receive emails about marketing tools. They would not reasonably expect emails about industrial welding equipment.
Consent is not required for B2B email prospecting. It is required for B2B telephone marketing if the individual has registered with the TPS (Telephone Preference Service) or CTPS (Corporate Telephone Preference Service), or if they have previously objected to calls from your organisation.
The Five Mistakes Outbound Teams Make
Mistake 1: No Legitimate Interest Assessment
The biggest compliance gap is not the outreach itself - it is the lack of documentation. UK GDPR requires that you conduct a Legitimate Interest Assessment (LIA) before relying on legitimate interest as your lawful basis.
An LIA is a three-part test:
- Purpose test: What is the legitimate interest you are pursuing? (e.g., "Marketing our CRM consulting services to UK B2B companies that use HubSpot or Salesforce")
- Necessity test: Is processing this personal data necessary to achieve that purpose, or could you achieve it without processing personal data? (For direct outreach the processing is typically necessary - you need the person's name and email address to contact them.)
- Balancing test: Do the individual's interests, rights, and freedoms override your legitimate interest? Consider: would the person expect this contact? Is the data sensitive? What is the impact on the individual?
Most B2B outbound passes all three tests easily. The problem is that most teams have never written the assessment down. If the ICO asks for your LIA, "we assumed it was fine" is not an acceptable answer.
Mistake 2: No Privacy Notice for Prospects
Under Articles 13 and 14 of UK GDPR, you must inform individuals about how you process their data. For prospects whose data you obtained from a third-party source (LinkedIn, a data provider, a conference list), Article 14 applies - you must provide a privacy notice within one month of obtaining the data, or at the point of first communication, whichever comes first.
In practice, this means your first outreach email should include or link to a privacy notice explaining: who you are, what data you hold, where you got it, why you are contacting them, their right to object, and how to opt out.
A footer link to your website privacy policy is sufficient, provided that policy covers B2B prospecting data specifically - not just website cookies and customer data.
Mistake 3: No Opt-Out Mechanism
Every outreach email must include a clear, functional opt-out mechanism. This is non-negotiable under both UK GDPR (right to object) and PECR (Privacy and Electronic Communications Regulations).
The opt-out must be:
- Easy to find (not buried in small print)
- Easy to use (one click, not "reply with UNSUBSCRIBE in the subject line")
- Processed promptly (within 28 days, though best practice is 48 hours)
- Respected across all channels (if someone opts out of email, do not call them instead)
Crucially, opt-out requests must be honoured permanently, not just for the current campaign. If a prospect unsubscribes, they should never receive outreach from your organisation again unless they explicitly re-consent.
Mistake 4: Using Personal Email Addresses
B2B prospecting under legitimate interest covers business email addresses - addresses at a company domain (name@company.co.uk). It does not straightforwardly extend to personal email addresses (name@gmail.com) even if the person uses that address for business.
The ICO draws a distinction between corporate subscribers and individual subscribers under PECR. Emailing a personal address for marketing purposes without consent is high-risk and likely non-compliant, even if the recipient is a business decision-maker.
Scrub personal email domains from your prospect lists before outreach. If a contact record only has a personal email, either find their business email or exclude them from automated sequences. This is one of the areas where buying contact data carries GDPR risk - cheap data brokers often include personal addresses mixed in with business ones.
Mistake 5: Ignoring TPS and CTPS for Phone Outreach
The Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS) are opt-out registers for individuals and businesses that do not wish to receive unsolicited sales calls.
Before making cold calls, you are legally required to screen your contact list against both registers. Calling a TPS-registered number is a breach of PECR and can result in fines.
CTPS registration covers the company's main switchboard and published numbers. It does not cover direct dials or mobile numbers provided by the individual for business use - but best practice is to screen all numbers, not just switchboard lines.
TPS screening is not a one-off task. People register and de-register continuously, so your suppression list needs refreshing at least monthly. Services like the DMA's TPS screening tool or third-party compliance platforms automate this.
What Good Compliance Looks Like
A GDPR-compliant B2B prospecting operation has these elements in place:
- A documented LIA covering each category of prospect you contact, reviewed annually
- A prospect-specific privacy notice linked in every first-touch email, covering data sources, processing purposes, and rights
- An opt-out mechanism in every email, with a suppression list that prevents re-contact
- TPS/CTPS screening applied to all phone outreach lists monthly
- Business email verification ensuring no personal addresses are included in automated sequences
- Data retention policy specifying how long prospect data is held and when it is deleted (ICO guidance suggests reviewing after 12-24 months)
- Source documentation recording where each prospect's data was obtained, in case of a subject access request
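The list-hygiene controls above (permanent suppression from Mistake 3, personal-domain scrubbing from Mistake 4, source records and a retention review from the checklist) can be applied mechanically before a record enters an automated sequence. The following is an added example, not the article's code: the consumer-domain list, the suppression entries and the 24-month review window are assumptions taken from the text, and every record is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed blocklist of consumer mailbox domains (assumption: extend it to
# match the providers that actually appear in your own prospect lists).
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "hotmail.co.uk", "yahoo.com", "yahoo.co.uk", "icloud.com"}

def normalise(email: str) -> str:
    """Trim and lower-case so an opt-out is not missed because of casing."""
    return email.strip().lower()

@dataclass
class Prospect:
    email: str
    source: str     # where the record came from (Article 14 / SAR evidence)
    obtained: date  # when it was obtained (drives the retention review)

def check_prospect(p: Prospect, suppression: set[str], today: date,
                   review_after_months: int = 24) -> tuple[bool, str]:
    """Return (ok_to_contact, reason). The suppression check runs first so a
    prior opt-out blocks the record whatever else is true about it."""
    addr = normalise(p.email)
    if addr in suppression:
        return False, "suppressed: earlier opt-out must be honoured permanently"
    if addr.count("@") != 1 or addr.endswith("@"):
        return False, "malformed address"
    domain = addr.rsplit("@", 1)[1]
    if domain in PERSONAL_DOMAINS:
        return False, f"personal mailbox ({domain}): needs consent or a business address"
    if not p.source:
        return False, "no recorded data source: cannot evidence Article 14 or answer a SAR"
    # Months approximated as 30 days; this flags the record for human review,
    # it does not delete anything.
    if today - p.obtained > timedelta(days=30 * review_after_months):
        return False, "retention review overdue: re-justify or delete"
    return True, "ok"

def filter_sequence(prospects, suppression, today):
    """Split a list into contactable records and excluded ones with reasons."""
    sup = {normalise(s) for s in suppression}  # normalise once, not per record
    allowed, excluded = [], []
    for p in prospects:
        ok, reason = check_prospect(p, sup, today)
        (allowed if ok else excluded).append((p.email, reason))
    return allowed, excluded
```

The excluded list, with its reasons, is itself useful evidence: it shows an auditor that the controls in the LIA are actually enforced rather than merely documented.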
The Common Overreaction
Some UK B2B sales teams have interpreted GDPR as a blanket ban on cold outreach. It is not. The regulation is designed to protect individuals from intrusive processing of their personal data. A relevant, professional email to a business contact at their work address, with a clear opt-out and transparent privacy practices, is exactly the kind of processing the legitimate interest basis was designed to permit.
The teams that get this right treat compliance as a competitive advantage. When a prospect receives a well-targeted, relevant outreach email with a clear privacy notice and easy opt-out, it signals professionalism. When they receive a generic mass email with no unsubscribe link and no explanation of how you got their data, it signals the opposite.
Get the documentation right. Screen your lists. Respect opt-outs. Target relevantly. That is what the law requires, and it is also what good prospecting looks like regardless of regulation.