Legitimate interest is the lawful basis under UK GDPR that most B2B sales teams rely on for outbound prospecting - allowing organisations to process personal data without explicit consent where they can demonstrate a genuine business need, necessity, and a balance of rights that does not override the individual's interests or freedoms.
Disclaimer: This page provides operational guidance based on common B2B data practices. It is not legal advice. For specific compliance questions, consult a qualified data protection solicitor or your organisation's Data Protection Officer.
Why It Matters for B2B Scale-Ups
If you run outbound sales in the UK, you need a lawful basis for processing the personal data of your prospects. Under UK GDPR, there are six lawful bases. For B2B prospecting, legitimate interest is the one that applies in nearly every case.
Consent - which many teams assume is required - is impractical for outbound. You cannot obtain consent from someone before you contact them for the first time. That is the entire point of outbound: reaching people who have not yet engaged with your company.
Legitimate interest fills this gap, but it is not a blanket permission. The ICO (Information Commissioner's Office) requires that you can demonstrate your reasoning through a structured assessment. Getting this right means your outbound programme operates on solid legal footing. Getting it wrong means you are processing data unlawfully - regardless of whether anyone complains.
For UK scale-ups running outbound at volume, this is not an abstract compliance exercise. It determines whether your prospecting data is legally usable and whether your outreach practices could withstand an ICO investigation.
Examples
The three-part test in practice. A SaaS company selling compliance software wants to email CFOs at UK financial services firms. Their legitimate interest assessment documents: (1) Purpose - they have a genuine interest in marketing their product to a relevant audience. (2) Necessity - email is the least intrusive way to reach these prospects, as the alternative (cold calling) is more disruptive. (3) Balancing - the data processed is limited to business contact details, the recipients would reasonably expect to receive relevant B2B communications, and an opt-out mechanism is provided in every email.
Documenting the Legitimate Interest Assessment (LIA). A B2B agency sources 5,000 prospect records for a client campaign. Before processing, they complete a written LIA covering: the specific purpose of processing, why legitimate interest applies over other bases, the necessity test, the balancing test including reasonable expectations, and the safeguards in place (data minimisation, easy opt-out, retention limits). This document is retained in case of an ICO enquiry.
When legitimate interest does not apply. A company purchases a list of personal email addresses (Gmail, Outlook) for B2B outreach. Personal email addresses carry a higher expectation of privacy than business email addresses. The balancing test is much harder to pass, and most legal advisors would recommend against relying on legitimate interest for processing personal email addresses in a B2B context.
Common Misconceptions
"Legitimate interest means we can email anyone." It does not. Legitimate interest requires a documented assessment for each processing activity, and the balancing test must demonstrate that the individual's rights do not override your business interest. Bulk emailing purchased lists of personal addresses without a documented LIA is not legitimate interest - it is non-compliance.
"We do not need to tell people where we got their data." Under Article 14 of UK GDPR, when you collect personal data from a source other than the individual (which includes every purchased or scraped list), you must inform them within one month. This privacy notice must include the source of their data, your lawful basis, and their rights. Many B2B teams skip this. The obligation exists regardless.
"PECR does not apply to B2B." The Privacy and Electronic Communications Regulations have specific carve-outs for B2B email. You can email a corporate subscriber (a company email address) without prior consent, provided you identify yourself, the message is relevant to their professional role, and you offer an opt-out. However, sole traders and partnerships are treated as individuals under PECR, not corporate subscribers. This distinction trips up many B2B teams.
How ClientWise Applies This
Every prospecting dataset we build is sourced and processed under a documented legitimate interest basis. We do not buy bulk lists from data brokers and relabel them. We source contacts from verified, transparent origins and document the lawful basis for each processing activity.
Our approach includes: sourcing only business email addresses (not personal), documenting a Legitimate Interest Assessment for each campaign, screening against TPS/CTPS registers for telephone data, including clear source attribution so your privacy notice obligations are straightforward, and applying retention limits so data is not held indefinitely.
For teams building their own data assets, we provide the operational framework that keeps prospecting compliant - not through legal advice, but through data practices that align with ICO guidance. Read more about this in our guides on UK GDPR and B2B sales and GDPR-compliant B2B prospecting, or explore our GDPR-compliant prospecting solution.