Cold email and UK GDPR: the legitimate-interest case
UK GDPR does not prohibit B2B cold email. Emailing a named person at a company involves processing their personal data, which requires a lawful basis — and for business-to-business prospecting, the commonly relied-upon basis is legitimate interest under Article 6(1)(f), not consent. That basis is workable but conditional: it obliges you to run a balancing test, be transparent, honour objections, and keep your data handling proportionate. What follows is how the argument fits together — and it is not legal advice.
Why does UK GDPR apply to B2B email at all?
Because a work email address that identifies a person — jane.smith@company.co.uk, or a LinkedIn-sourced name and role — is personal data, even in a business context. The moment you collect it, store it, enrich it or email it, you're processing personal data and UK GDPR applies. (Generic addresses like info@ generally identify no individual, so they sit largely outside this analysis, though PECR still governs the sending itself.)
What UK GDPR demands is not consent but a lawful basis — one of six, of which consent is only one. For cold outreach, consent is obviously unavailable in advance; the basis that fits is legitimate interest. This sits alongside the deliverability engineering in the Cold Email Deliverability guide as part of the same infrastructure layer: the unglamorous groundwork that decides whether the campaign should exist at all.
What is the legitimate-interest basis, mechanically?
Article 6(1)(f) permits processing that is necessary for your legitimate interests, provided those interests aren't overridden by the individual's rights and interests. The ICO frames this as a three-part test, and running it is the mechanism. When you identify the interest — here, marketing relevant services to businesses, which EU and UK guidance has long recognised as capable of being legitimate — then you have the purpose leg. When you show necessity — that emailing named decision-makers is a proportionate way to pursue it, with no less intrusive means achieving the same end — then you have the necessity leg. When you run the balancing exercise — would this person reasonably expect a relevant business approach at their work address, and is the intrusion minimal? — then, if the answer favours you, the basis holds. When you write that reasoning down as a Legitimate Interests Assessment (LIA), then you hold the evidence that you did the thinking, which is what accountability under UK GDPR means in practice.
The balancing leg is where targeting quality becomes a legal argument. A finance director receiving a relevant note about outbound systems at her work address is a modest, expectable intrusion; the same email to her personal Gmail, or a scattergun blast to 10,000 irrelevant contacts, tilts the balance the other way. Precision isn't just commercially sensible — it's load-bearing in the assessment.
What duties come with relying on legitimate interest?
Four main ones, none onerous if built in from the start:
- Transparency. People have a right to know you're processing their data. In practice: identify yourself honestly in the email, link a privacy notice explaining what you hold and why, and say where the data came from if asked.
- The right to object. For direct marketing this right is absolute — when someone objects, you stop, no balancing. Operationally that means a working opt-out honoured immediately and a suppression list that persists across campaigns.
- Data minimisation and retention. Hold what you need for prospecting — name, role, company, work contact — and no more, and don't warehouse it indefinitely.
- Accuracy. Stale data is a compliance issue as well as a bounce-rate issue; verification and refresh serve both masters.
Note how closely these duties track deliverability best practice. The infrastructure separation argued in why you don't send cold email from your main ESP makes suppression and consent boundaries cleaner too — permission marketing and legitimate-interest prospecting live in different systems with different rules.
Where do firms actually get this wrong?
Rarely by sending cold email at all; usually by the surrounding hygiene. Buying lists of unknown provenance with no way to evidence the source. No LIA anywhere on file. Opt-outs handled manually and forgotten. Emailing sole traders as if they were companies (they get stronger protection — see the PECR piece). Continuing to email someone who objected. Each of these is a process failure, and each is designable-out with the same systems thinking that runs the rest of the outbound machine.
The honest framing: UK GDPR compliance for B2B cold email is a moderate, one-time engineering cost plus light ongoing discipline. It is not a reason to avoid outbound, and it is not a formality to ignore. Firms whose growth currently hangs on referrals sometimes cite "GDPR" as the reason they never built outbound — usually it's an unexamined assumption doing the work, the same pattern as the five signs your growth depends entirely on you.
Do the assessment, wire in the duties, keep the paperwork. Then get on with the campaign. (Again: not legal advice — for edge cases, ask a data-protection professional.)
Next step: the Growth System Audit — £450, seven days, credited against any build — maps where your growth system leaks and what to build first.
Total Format builds the systems UK B2B service firms grow on — AI-powered outbound, automation, and reporting — so growth stops depending on the founder's time.
Map your growth system. The £450 audit takes seven days and is credited against any build.
BOOK THE AUDIT