
GDPR-Compliant Data Providers for UK B2B Sales (2026)

Who This Guide Is For

Every B2B data provider claims to be "GDPR compliant." Very few explain what that actually means in practice. If you are a UK B2B team evaluating data providers and trying to separate genuine compliance from marketing language, this guide breaks down what to look for, what to avoid, and how different providers approach UK data protection.

ClientWise is a data operations agency, not a data provider in the traditional sense. We handle GDPR compliance as part of our managed service - screening, documentation, and ongoing monitoring. This guide is written to help you evaluate any provider, including deciding whether a managed approach makes sense for your situation.

What "GDPR Compliant" Actually Means

GDPR compliance for a B2B data provider involves several layers, and most providers only address some of them:

  • Lawful basis for processing. Under UK GDPR, you need a lawful basis to process personal data. For B2B prospecting, the most common basis is legitimate interest - the argument that contacting a business professional about a relevant product or service is a reasonable business activity. This is legally valid but requires a documented Legitimate Interest Assessment (LIA).
  • Data source transparency. Where did the provider get the data? Web scraping, contributor networks, public records, social media profiles? The lawfulness depends partly on the source. Data scraped from personal social media profiles has a different compliance profile than data sourced from Companies House.
  • Data subject rights. Individuals have the right to access, correct, and delete their data. A compliant provider must have mechanisms to honour these requests - not just for their own database, but in a way that cascades to their customers.
  • TPS/CTPS screening. For UK telephone data specifically, calling numbers registered on the Telephone Preference Service without specific consent is a separate legal violation under the Privacy and Electronic Communications Regulations (PECR). This is not technically part of GDPR but is inseparable from UK B2B data compliance.
  • Data Processing Agreement. Any provider processing personal data on your behalf should offer a DPA that defines responsibilities, security measures, and breach notification procedures.

Quick Comparison of Provider Approaches

Provider | Lawful basis | TPS screening | Data source transparency | DPA available
Cognism | Legitimate interest, documented | Yes, built in | High - explains methodology | Yes
ZoomInfo | Legitimate interest, EU instance | No | Moderate - general descriptions | Yes
Apollo.io | Legitimate interest | No | Low - community contributed + scraped | Yes
Lusha | Legitimate interest | No | Moderate | Yes
UK list brokers (varies) | Often claimed, rarely documented | Sometimes | Low - often opaque | Sometimes

Red Flags When Evaluating Providers

These signals suggest a provider's GDPR compliance is weaker than claimed:

  • "We are GDPR compliant" with no further detail. Compliance is a set of specific practices, not a binary state. If a provider cannot explain their lawful basis, data sources, or subject rights process, the claim is marketing.
  • No Data Processing Agreement offered. If you ask for a DPA and the provider does not have one ready, they have not taken compliance seriously.
  • Cannot explain data provenance. "Where did you get this person's phone number?" is a question you should be able to answer if the ICO asks. If your provider cannot tell you, you cannot answer either.
  • No opt-out mechanism. Individuals must be able to request deletion. If the provider has no visible opt-out process - or if opt-out requests do not cascade to customers - there is a gap.
  • Selling personal email addresses. B2B data under legitimate interest covers business contact details. Personal email addresses (Gmail, Hotmail, etc.) for business contacts sit in a greyer area, particularly when the individual has not consented to commercial contact at that address.
  • No mention of TPS/CTPS for UK phone data. If a provider sells UK phone numbers and does not mention TPS screening, they are either not screening (a compliance gap) or not aware of the requirement (a competence gap).

How Different Providers Handle Compliance

The European-Native Approach (Cognism, Kaspr)

Providers built in Europe tend to have GDPR woven into the product rather than added as a feature. Cognism, headquartered in London, screens UK phone numbers against TPS/CTPS, documents legitimate interest assessments, provides a Do Not Call database, and offers granular opt-out mechanisms. This reflects a compliance-first design philosophy.

Kaspr, based in France, similarly builds GDPR into the core product. European-origin providers generally have a cultural and regulatory proximity to GDPR that shapes product decisions from the start.

The US-Adapted Approach (ZoomInfo, Apollo, Lusha)

US-origin providers adapted their platforms for GDPR after the regulation came into force. ZoomInfo has invested the most, with a separate EU data centre, opt-out mechanisms, and privacy infrastructure. Apollo and Lusha offer GDPR features but with less depth - legitimate interest claims without detailed documentation, and no TPS screening.

This is not necessarily disqualifying. But it means the compliance burden shifts partly to you: you need to screen phone numbers yourself, document your own legitimate interest assessment, and verify that the data you are using meets UK standards. For more detail, see our guide on UK vs US data providers.

The Broker Approach (Varies)

UK list brokers range from fully compliant operations to businesses selling repackaged, poorly sourced data with minimal GDPR consideration. The variability is extreme. Some brokers provide TPS-screened, Companies House-verified, recently refreshed data with full documentation. Others sell bulk lists with no provenance and a disclaimer that shifts all liability to the buyer. See our UK GDPR for B2B sales guide for more on evaluating data sources.

What Genuine Compliance Looks Like

A properly compliant approach to UK B2B data involves:

  1. Documented Legitimate Interest Assessment - a written record of why contacting each category of data subject serves a legitimate business interest, balanced against their rights and expectations.
  2. TPS/CTPS screening - every UK phone number checked against the register before use, refreshed at least monthly.
  3. Data source documentation - a clear record of where each contact's data originated, accessible if requested by the ICO or the data subject.
  4. Active opt-out management - a suppression list that prevents re-contact of individuals who have opted out, maintained across all data sources.
  5. Retention policy - a defined period after which unused contact data is deleted or re-verified, in line with the data minimisation principle.
  6. Regular auditing - periodic review of data quality, source compliance, and consent status.

ClientWise builds all of this into our managed data operations. For teams using GDPR-compliant prospecting, we handle screening, documentation, and monitoring as part of the service rather than as a separate compliance project.

Decision Framework

  1. Does your team do outbound calling? If yes, TPS/CTPS screening is legally required. Choose a provider that includes it or add screening to your workflow.
  2. Can you document your lawful basis? If an individual asks how you got their data and why you are contacting them, you need a clear answer. Ensure your provider supports this.
  3. What is your risk tolerance? The ICO has not aggressively enforced against B2B data use, but the regulatory trend is toward stricter enforcement. Building compliance now is cheaper than remediation later.
  4. Do you have internal compliance resources? If yes, a self-serve provider plus internal screening works. If no, a managed service that handles compliance as part of the data operations removes the burden.

Frequently Asked Questions

Is it legal to buy B2B data in the UK?

Yes. Buying and using B2B contact data is legal under UK GDPR, provided you have a lawful basis (typically legitimate interest) and comply with PECR for electronic communications. The legality depends on how the data was collected and how you use it, not the act of purchasing itself.

What happens if the ICO investigates my data practices?

The ICO typically starts with an inquiry requesting documentation of your lawful basis, data sources, and compliance processes. Having a documented LIA, TPS screening records, and a DPA with your provider demonstrates good faith. Fines are reserved for serious or repeated violations, but the reputational risk of an investigation affects sales relationships.

Does legitimate interest cover cold emailing in the UK?

For B2B email (messages to corporate email addresses about relevant business services), legitimate interest is generally accepted as a lawful basis. For emails to sole traders or partnerships, the rules are stricter and closer to B2C requirements. Always include an unsubscribe mechanism.

How often should TPS/CTPS screening be refreshed?

The TPS register updates monthly. Best practice is to screen before every calling campaign and maintain a monthly screening schedule for your active calling database. Numbers can be added to TPS at any time, so screening done six months ago is not sufficient.

Can a data provider guarantee GDPR compliance?

No. Compliance is a shared responsibility between the data controller (you) and the data processor (the provider). A good provider gives you the tools and documentation to be compliant, but the ultimate responsibility for how you use the data sits with your organisation.


© 2026 ClientWise. All rights reserved.
