Prospect data and UK GDPR: what you can hold and why
UK law does not ban B2B cold email or the prospect lists behind it. PECR permits unsolicited marketing email to corporate subscribers provided you identify yourself and offer a working opt-out, and UK GDPR lets you hold business-contact data under legitimate interest — if you can articulate that interest, keep the data proportionate, and honour objections promptly. This is not legal advice; it is the working understanding we operate under, and the rules can change.
What do PECR and UK GDPR each govern?
Two regimes apply to a prospect database, and conflating them causes most of the confusion.
PECR governs the sending: electronic marketing messages. For B2B, the key distinction is corporate subscribers — limited companies, LLPs, partnerships in Scotland, government bodies — versus individual subscribers such as sole traders, whose addresses are treated more like consumer ones. Cold email to corporate subscribers is generally permitted without prior consent, provided you say who you are and give a straightforward way to opt out.
UK GDPR governs the holding: a named person's work email is still personal data, so building a list of named contacts means processing personal data and needing a lawful basis. For prospecting, that basis is typically legitimate interest, not consent. This split matters for how you build the list in the first place — the sourcing and verification stages in the B2B Database Building Guide are where compliance is won or lost, because data you should not hold is data you should not have collected.
What does legitimate interest actually require?
It is a claimed basis, not a free pass, and the standard expectation is that you can evidence a three-part assessment:
- Purpose: a real commercial interest — introducing a relevant service to businesses that plausibly need it.
- Necessity: the processing is needed for that purpose, and you hold no more than the purpose requires.
- Balance: your interest does not override the individual's. Relevance does the heavy lifting here: a marketing director receiving a targeted, work-related email is a modest intrusion; a scraped list blasted indiscriminately is harder to defend.
Commonly recommended practice is to write this assessment down once, keep it with your records, and let it discipline your data collection. If a field does not serve the stated purpose, do not hold it.
What data can you defensibly hold?
The proportionality test cuts in your favour if you stay business-shaped: name, job title, company, work email, company phone, firm size, sector, and the public signals that establish relevance — hiring activity, filings at Companies House, published news. It cuts against you when the data turns personal: home addresses, personal mobiles, inferred characteristics, or anything scraped that a reasonable professional would be surprised to find on a vendor's spreadsheet.
There is a practical bonus: the same restraint that keeps you compliant keeps campaigns manageable. Every extra attribute tempts another micro-split, and over-sliced segmentation degrades both your statistics and your defensibility at the same time.
How do you run the list compliantly, step by step?
The mechanism we install:
- When a list is built, record its source and the date — provenance is the first thing anyone asks about.
- When contacts are loaded, every email carries your identity, a physical or registered address, and a one-step opt-out.
- When someone opts out or objects, the address moves to a suppression list the same day — suppressed, not deleted, so it can never be re-added by the next import.
- When a contact shows no engagement across a full sequence and a reasonable window, they are queued for refresh or removal rather than held indefinitely.
- When a quarter ends, the database gets a retention pass: stale records verified, unjustifiable fields dropped, the suppression list checked against new imports.
Fold this into your normal quality routine and it costs almost nothing; treat it as a separate legal chore and it will be skipped. The pre-send checks in scoring list quality before you send are the natural place to bolt it on — a list audit that checks bounce risk can check provenance in the same pass.
Does compliance make outbound slower?
Marginally at setup, and it pays that back. A right-sized, well-sourced, suppressed-and-refreshed list bounces less, lands better, and produces replies from people who plausibly want the conversation. And when those replies arrive, the compliance question ends and the speed question begins — contact rates fall away sharply within minutes, so the effort you saved by not hoarding indefensible data is better spent answering interested humans quickly.
None of the above is legal advice. For edge cases — sole traders, mixed B2C lists, international sending — take proper counsel. For the standard case of UK firms emailing UK limited companies, the rules are workable: identify yourself, offer the exit, hold what you can justify, and keep records that prove it.
Next step: the Growth System Audit — £450, seven days, credited against any build — maps where your growth system leaks and what to build first.
Total Format builds the systems UK B2B service firms grow on — AI-powered outbound, automation, and reporting — so growth stops depending on the founder's time.
Map your growth system. The £450 audit takes seven days and is credited against any build.
BOOK THE AUDIT