Disclaimer: This article provides operational guidance based on our understanding of UK data protection law as it applies to B2B sales activities. It is not legal advice. For specific compliance questions, consult a qualified data protection solicitor.
In 2024, the ICO issued £4.4 million in fines related to direct marketing violations - and a growing proportion of enforcement actions targeted B2B communications. The notion that UK GDPR only applies to B2C companies, or that business email addresses are somehow exempt, is a persistent myth that continues to cost UK sales teams money and reputation.
UK GDPR applies to the processing of personal data. A business email address - john.smith@company.co.uk - is personal data. A direct dial phone number is personal data. A LinkedIn profile URL is personal data. The fact that these data points exist in a business context does not change their classification.
This guide covers what UK B2B sales teams need to understand about data protection law in 2026 - without the legal jargon, and with practical emphasis on what it means for day-to-day sales operations.
The Six Lawful Bases: Which Ones Matter for B2B Sales
Under UK GDPR, every instance of processing personal data requires a lawful basis. There are six, but only three are practically relevant for B2B sales teams.
1. Consent. The individual has given clear, affirmative consent to be contacted for a specific purpose. In B2B sales, this typically applies when someone fills in a form on your website, subscribes to your newsletter, or explicitly opts in at an event. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Consent can be withdrawn at any time, and you must make withdrawal as easy as giving consent.
2. Legitimate interest. You have a genuine business reason to process the data, and this interest is not overridden by the individual's rights and freedoms. This is the lawful basis most B2B sales teams rely on for outbound prospecting - and the one most frequently misapplied. We will cover it in detail in the next section.
3. Contract. Processing is necessary for the performance of a contract with the individual, or for pre-contractual steps at their request. This applies to existing customers and active prospects who have requested information or a proposal.
The remaining three bases - legal obligation, vital interests, and public task - are rarely relevant for B2B sales activities.
The critical point: you must identify your lawful basis before processing the data, not after. And you must document it. "We thought it was fine" is not a lawful basis.
Legitimate Interest: The Most Used and Most Misunderstood Basis
Legitimate interest is the lawful basis that enables most B2B outbound activity. But it is not a blanket permission to contact anyone with a business email address. It requires a three-part test - the Legitimate Interest Assessment (LIA) - and the ICO expects you to document it.
Part 1: Purpose test. Is there a legitimate interest? For B2B sales, this is usually straightforward - you have a legitimate commercial interest in promoting your products or services to businesses that could benefit from them.
Part 2: Necessity test. Is the processing necessary for that purpose? Could you achieve the same aim with less intrusive means? If you are contacting a senior decision-maker about a product directly relevant to their role, the necessity is clear. If you are mass-emailing every contact in a purchased database, the necessity argument weakens significantly.
Part 3: Balancing test. Is your interest overridden by the individual's rights and freedoms? This is where most B2B teams get into trouble. Factors that strengthen your position: the contact's seniority and professional context, the relevance of your offer to their role, the transparency of your data collection, and the ease of opting out. Factors that weaken it: contacting personal email addresses, processing sensitive categories of data, using data obtained without the individual's knowledge, and failing to provide clear opt-out mechanisms.
The balancing test is not abstract. The ICO expects a documented assessment that considers these factors specifically. If challenged, you need to be able to produce your LIA - not create one retrospectively.
Practical application: A legitimate interest basis reasonably supports contacting a VP of Sales at a mid-market SaaS company about your sales enablement tool, using their corporate email address obtained from their company website, with a clear opt-out in every message. It does not reasonably support mass-emailing 50,000 contacts from a purchased list about a product with no clear relevance to their role.
Email, Phone, and LinkedIn: Different Rules Apply
UK data protection for B2B sales is not governed by UK GDPR alone. The Privacy and Electronic Communications Regulations (PECR) add specific rules for electronic marketing, and they treat different channels differently.
Email and SMS (PECR Regulation 22): For emails sent to individual subscribers (which includes sole traders and some partnerships), you generally need consent. For emails sent to corporate subscribers (limited companies, LLPs, public bodies), you can rely on legitimate interest - provided you identify yourself, provide a valid postal address, and offer an opt-out mechanism in every message. This is the so-called "corporate subscriber" exception, and it is why B2B email outreach to company email addresses is generally permissible without explicit consent.
However, this exception does not mean you can ignore UK GDPR. You still need a lawful basis for processing the personal data (the individual's name and email), even if PECR does not require consent for the electronic communication itself. Both layers apply simultaneously.
Telephone (PECR Regulation 21): You can call corporate subscribers for marketing purposes unless the specific number is registered with the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS). Calling a TPS-registered number for marketing without explicit consent is a specific offence under PECR, separate from any UK GDPR considerations.
As of 2026, TPS registration stands at approximately 5.4 million numbers in the UK. CTPS registration covers an additional 1.2 million corporate numbers. Before making marketing calls, you must screen your calling list against both registers. The screening must be repeated at least every 28 days, because numbers can be added to either register at any time.
LinkedIn: LinkedIn messages are governed by LinkedIn's own terms of service, but the underlying data processing (viewing a profile, recording information from it, adding it to your CRM) is still subject to UK GDPR. Automated scraping of LinkedIn data is prohibited by LinkedIn's terms and raises significant GDPR concerns. Manual research and direct messaging through the platform are generally defensible under legitimate interest, provided the outreach is relevant and proportionate.
Buying B2B Contact Data: What You Need to Know
Purchasing contact data from third-party providers is common in UK B2B sales. It is not inherently unlawful, but it carries specific obligations and risks.
Due diligence on the supplier. You must verify that the data provider collected the data lawfully and has a basis for sharing it with you. Ask for their privacy policy, their data collection methodology, and their approach to consent and legitimate interest. If they cannot provide clear answers, the data is a liability.
Your own lawful basis. The supplier having a lawful basis for sharing does not automatically give you a lawful basis for using the data. You need your own - typically legitimate interest - documented through an LIA that considers the data source, the relevance of your outreach, and the individual's reasonable expectations.
Transparency obligations. Under UK GDPR Article 14, when you obtain personal data from a source other than the individual, you must inform them within one month (or at the point of first communication, if sooner). Your first outreach email must therefore include: who you are, where you obtained their data, what you intend to do with it, their right to object, and how to opt out.
Practical risk assessment. The ICO has signalled increasing attention to data brokers and third-party data supply chains. Companies that cannot demonstrate end-to-end compliance - from collection to processing to communication - face growing regulatory risk. The cheapest data is rarely the most compliant.
ICO Enforcement: What Has Actually Happened
Understanding enforcement patterns helps calibrate your compliance investment. Here is what the ICO has actually done in the B2B marketing space:
Monetary penalties: The ICO has issued penalties ranging from £10,000 to £500,000 for PECR violations related to unsolicited marketing. While the largest fines have targeted B2C companies, B2B enforcement actions have increased since 2023.
Enforcement notices: More common than fines, enforcement notices require companies to change their practices within a specified timeframe. Non-compliance with an enforcement notice escalates to criminal proceedings.
Reprimands and warnings: The ICO frequently issues formal reprimands for less severe violations, which are published and can damage commercial reputation.
Patterns to note: The ICO consistently targets three behaviours: failure to screen against TPS/CTPS before marketing calls, failure to honour opt-out requests promptly (the legal requirement is 28 days, but best practice is 48 hours), and inability to demonstrate a lawful basis when challenged.
The practical takeaway: the ICO is unlikely to pursue a company that makes a good-faith effort at compliance and has documented its reasoning. It actively pursues companies that ignore the rules entirely or cannot demonstrate any compliance effort.
A Practical Compliance Checklist for B2B Sales Teams
This is not exhaustive, but it covers the operational essentials:
- Document your lawful basis for each data source. Purchased lists, website forms, event attendees, and LinkedIn research each need a documented basis.
- Conduct and record a Legitimate Interest Assessment. Template this - it does not need to be lengthy, but it must exist and be specific to your processing activities.
- Screen calling lists against TPS and CTPS every 28 days. Use an accredited screening service. Keep records of screening dates and results.
- Include required information in every outreach. Your identity, postal address, data source (if obtained from a third party), and a clear opt-out mechanism.
- Process opt-outs within 48 hours. Maintain a suppression list that is checked before every outreach campaign. Never delete opt-out records - suppress them.
- Review data retention quarterly. Data you no longer have a purpose for should be deleted or anonymised. "We might use it someday" is not a valid retention justification.
- Train your team annually. Every SDR, AE, and marketing person who handles personal data should understand the basics. Document the training.
- Maintain a Record of Processing Activities (ROPA). UK GDPR Article 30 requires organisations with 250+ employees or those processing sensitive data to maintain this. In practice, every B2B company should have one.
Need help building compliant prospecting processes? Our GDPR-compliant prospecting service combines data sourcing, enrichment, and compliance verification - so your pipeline is built on a solid legal foundation from the start.
Common Mistakes That Create Risk
Based on our experience working with UK B2B teams, these are the most frequent compliance gaps:
Treating "B2B" as a blanket exemption. The corporate subscriber exception under PECR is narrow and specific. It applies to electronic marketing to corporate email addresses. It does not exempt you from UK GDPR obligations, and it does not apply to sole traders, partnerships, or personal email addresses used in a business context.
Failing to separate consent from legitimate interest. If you ask for consent (e.g., a checkbox on a form) and the person does not give it, you cannot then fall back to legitimate interest to contact them anyway. The act of asking for consent and being refused creates a strong signal that the individual does not want to be contacted.
No suppression list management. Deleting contacts who opt out - rather than adding them to a suppression list - means they can be re-imported from a purchased list and contacted again. This is both a compliance failure and a reputational risk.
Ignoring data source documentation. When the ICO asks "where did you get this person's data?", you need a specific, verifiable answer - not "probably from a list we bought two years ago."
Over-relying on "soft opt-in." The soft opt-in (PECR Regulation 22(3)) allows marketing to existing customers about similar products without consent. It applies to individual subscribers and requires that you gave them an opt-out opportunity at the point of data collection. It does not apply to prospects you have never done business with.
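The checklist above and the mistakes just listed describe a set of checks that can be run mechanically before any contact is handed to the dialler or the email tool. The following is an added example, not code from this article or from any prospecting service it mentions: a pre-campaign gate that applies the article's rules to a contact record. It encodes the points the text makes about suppression (suppress, never delete, and check before every campaign), documented lawful basis and data source, the 28-day TPS/CTPS screening cadence, consent refusal blocking a legitimate-interest fallback, individual subscribers needing consent for email, and the identity, postal address, data source and opt-out information the first message must carry. The `Contact` and `ComplianceContext` fields, the sample contacts, the phone numbers (Ofcom's reserved fictional ranges) and the stand-in TPS register are all constructed for the example; a real deployment would read the registers from an accredited screening service.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SCREENING_MAX_AGE = timedelta(days=28)  # screening cadence stated in the article


@dataclass
class Contact:  # constructed record shape, not a real CRM schema
    email: str
    phone: Optional[str]
    subscriber_type: str            # "corporate" (Ltd, LLP, public body) or "individual" (sole trader, some partnerships)
    lawful_basis: Optional[str]     # "consent", "legitimate_interest", "contract", or None if undocumented
    data_source: Optional[str]      # e.g. "website_form", "company_website", "purchased:<supplier>"
    consent_refused: bool = False   # True if consent was asked for and declined


@dataclass
class ComplianceContext:  # constructed: suppression list plus stand-ins for the TPS/CTPS registers
    suppression_list: set           # normalised emails of people who opted out; only ever grows
    tps_numbers: set
    ctps_numbers: set
    screening_date: Optional[date]  # when the calling list was last screened
    today: date


def normalise_email(email: str) -> str:
    return email.strip().lower()


def normalise_phone(phone: str) -> str:
    return "".join(ch for ch in phone if ch.isdigit())


def record_opt_out(ctx: ComplianceContext, email: str) -> None:
    # Suppress, never delete: the entry must survive a later re-import of a purchased list.
    ctx.suppression_list.add(normalise_email(email))


def common_blocks(contact: Contact, ctx: ComplianceContext) -> list:
    """Reasons that block the contact on every channel (empty list means no block)."""
    reasons = []
    if normalise_email(contact.email) in ctx.suppression_list:
        reasons.append("suppressed: prior opt-out")
    if contact.lawful_basis is None or contact.data_source is None:
        reasons.append("lawful basis or data source not documented")
    if contact.consent_refused and contact.lawful_basis != "consent":
        reasons.append("consent refused; cannot fall back to legitimate interest")
    return reasons


def check_email(contact: Contact, ctx: ComplianceContext) -> list:
    reasons = common_blocks(contact, ctx)
    if contact.subscriber_type == "individual" and contact.lawful_basis != "consent":
        reasons.append("individual subscriber: PECR reg 22 requires consent")
    return reasons


def check_call(contact: Contact, ctx: ComplianceContext) -> list:
    reasons = common_blocks(contact, ctx)
    if contact.phone is None:
        return reasons + ["no phone number on record"]
    if ctx.screening_date is None or ctx.today - ctx.screening_date > SCREENING_MAX_AGE:
        reasons.append("TPS/CTPS screening missing or older than 28 days")
    number = normalise_phone(contact.phone)
    if (number in ctx.tps_numbers or number in ctx.ctps_numbers) and contact.lawful_basis != "consent":
        reasons.append("number on TPS/CTPS and no explicit consent")
    return reasons


def outreach_footer(contact: Contact, sender_name: str, postal_address: str) -> str:
    """Identity, postal address, data source (third-party data only) and opt-out, per the checklist."""
    lines = [f"Sent by {sender_name}, {postal_address}."]
    if contact.data_source and contact.data_source.startswith("purchased:"):
        supplier = contact.data_source.split(":", 1)[1]
        lines.append(f"We obtained your contact details from {supplier}. "
                     "You have the right to object to this processing.")
    lines.append("To opt out of further contact, reply with the word STOP.")
    return "\n".join(lines)


def run_gate(contacts, ctx: ComplianceContext) -> dict:
    return {c.email: {"email": check_email(c, ctx), "call": check_call(c, ctx)} for c in contacts}


# Constructed sample contacts (fictional domains; phone numbers from Ofcom's reserved drama ranges).
SAMPLE_CONTACTS = [
    Contact("vp.sales@example-saas.co.uk", "020 7946 0001", "corporate", "legitimate_interest", "company_website"),
    Contact("jane@jane-plumbing.co.uk", "07700 900002", "individual", "legitimate_interest", "purchased:ExampleData Ltd"),
    Contact("Opted.Out@example-corp.co.uk", "020 7946 0003", "corporate", "legitimate_interest", "purchased:ExampleData Ltd"),
    Contact("cfo@example-plc.co.uk", None, "corporate", "legitimate_interest", "website_form", consent_refused=True),
]


def sample_context(days_since_screening: int) -> ComplianceContext:
    today = date(2026, 1, 15)
    ctx = ComplianceContext(set(), {"07700900002"}, set(), today - timedelta(days=days_since_screening), today)
    record_opt_out(ctx, "opted.out@example-corp.co.uk")   # earlier STOP reply, stored normalised
    return ctx


if __name__ == "__main__":
    for days in (30, 7):
        print(f"--- calling list screened {days} days ago ---")
        for email, result in run_gate(SAMPLE_CONTACTS, sample_context(days)).items():
            print(email, result)
```

The gate returns reasons rather than a bare yes/no so that each block is logged alongside the contact, which is the documentation the article says you need to produce when challenged. Note that a 30-day-old screening blocks every call in the list, including the contact who is otherwise fine for both channels; the fix is to re-screen, not to override the check.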
What Changes in 2026
The UK Data Protection and Digital Information Bill, expected to receive Royal Assent in 2026, introduces several changes relevant to B2B sales:
Legitimate interest clarification. The bill explicitly recognises direct marketing as a legitimate interest, provided it passes the balancing test. This is a codification of existing ICO guidance rather than a new permission, but it provides clearer legal ground for B2B outreach.
Cookie consent simplification. Website tracking consent requirements are being streamlined, which affects how B2B marketing teams collect data through web forms and analytics.
Reduced ROPA requirements. The requirement for maintaining Records of Processing Activities may be relaxed for smaller organisations, though best practice will remain unchanged.
These changes do not fundamentally alter the compliance landscape for B2B sales. The core principles - lawful basis, transparency, proportionality, and individual rights - remain intact. Teams that are compliant today will remain compliant under the updated framework.
For specific guidance on GDPR-compliant prospecting processes, including practical workflows and template language, see our dedicated prospecting guide.
If someone from the ICO asked you today to show your Legitimate Interest Assessment for outbound sales activity, how confident would you be in what you could produce?