Every data provider you’ve looked at says the same thing: “fully GDPR compliant.” It’s on the pricing page, the sample CSV, the cold email they sent you. And almost none of them will show you what that claim rests on.

Here’s why compliant B2B data suddenly matters more than it did two years ago. The Data (Use and Access) Act 2025 raised the maximum fine for breaking the UK’s electronic marketing rules from £500,000 to £17.5 million or 4% of global turnover — a 35-fold increase. The regulator was already active at the old cap: 49 fines totalling £4.63 million since March 2022, most of them for exactly the thing SMEs do every week — buying a list and emailing it.

The good news: the actual rules for B2B marketing in the UK are more permissive than most vendors’ scare copy suggests, and more specific than their reassurance copy admits. This guide walks through what the law actually says, in plain English.

One note before we start: this is practical guidance for business owners, not legal advice. If you’re making decisions with real money or real risk attached, speak to a data protection professional.

Compliant B2B Data Means Two Laws, Not One

When a vendor says “GDPR compliant,” they’re answering half the question. UK marketing data sits under two separate laws, and you need to satisfy both.

UK GDPR governs the data itself. A business contact’s name, their direct email, their mobile number — that’s personal data, even in a work context. Processing it requires a lawful basis, and the person keeps their rights: to know where you got their data, to see it, to object.

PECR — the Privacy and Electronic Communications Regulations — governs the channel. It sets the rules for marketing by email, SMS and phone, and it applies regardless of whether the data itself was lawfully obtained.

This split is why “GDPR compliant data” can still get you fined. The data can be accurate, lawfully sourced and beautifully documented — and if you email the wrong category of recipient without consent, you’ve breached PECR anyway. Nearly every ICO marketing fine is a PECR fine, not a GDPR one.

The Rule That Decides Everything: Corporate Subscribers vs Sole Traders

PECR’s consent rule for marketing email has one distinction that does most of the work in B2B, and it’s the one vendors explain least.

Corporate subscribers — limited companies, limited liability partnerships, Scottish partnerships and government bodies — are outside PECR’s consent requirement. The ICO’s own B2B marketing guidance is direct about it: you can send unsolicited marketing emails to corporate bodies without consent.

Sole traders and ordinary partnerships are treated as individuals. To email or text them, you need their consent — or a “soft opt-in,” which only applies to your own existing customers. A bought list cannot give you either.

Think about what that means for a typical B2B marketing list of trades or local services. Restaurants, plumbers, cleaning firms, care agencies — a large share of them are sole traders. A CSV of 5,000 “UK businesses” is really two lists mixed together: companies you can lawfully email cold, and individuals you mostly can’t. If your provider can’t tell you which rows are which — or hasn’t checked — the compliance risk is sitting in your outbox, not theirs.

Two rules apply to everyone you email, corporate or not: you must not disguise who the message is from, and you must include a working way to opt out. And once anyone opts out, keeping a suppression list and screening every new list against it isn’t just good practice — it’s what makes the absolute right to object (more on that below) workable.

Legitimate Interest Is Not a Blank Cheque

On the UK GDPR side, almost every B2B data provider relies on legitimate interests as the lawful basis. That’s reasonable — the law even backs it now. The Data (Use and Access) Act 2025 added wording to UK GDPR confirming that direct marketing may be a legitimate interest.

Note the “may be.” Direct marketing did not become automatically lawful. What the law requires is a legitimate interests assessment — a documented three-part test:

1. Purpose. Is there a genuine interest? Finding customers for your business qualifies.

2. Necessity. Is the processing necessary for that purpose? Contacting a restaurant about pest control is necessary for selling pest control. Emailing the same restaurant about cryptocurrency is not.

3. Balancing. Would the person reasonably expect this contact, and does your interest override theirs? A company director hearing from a relevant supplier at their business address: reasonable expectation. A sole trader’s personal mobile scraped from a Facebook group: not.

The assessment itself is a page of written reasoning, not a legal filing. But it has to exist before you use the data — and if the ICO ever asks, “our data provider handles compliance” is not an answer. You’re the one doing the processing.

One more thing sits on top of all of this: the right to object to direct marketing is absolute. No balancing test, no exceptions. Someone says stop, you stop — permanently, via that suppression list.

Buying a List Doesn’t Buy You Compliance

Here’s the part most buyers get wrong, and the pattern behind most ICO fines: when you buy data, you become the data controller. The seller’s compliance was their obligation. Yours starts fresh the moment the CSV lands — and you cannot inherit their lawful basis or outsource your liability to them.

The ICO expects buyers to do active due diligence, not collect reassurances. In practice that means asking any provider:

When and how was this data collected? A record compiled three years ago and resold ever since is a different product from one verified last month — legally and commercially.

What were people told at collection? If the provider claims consent, that consent must name your organisation or a tightly defined category — a generic tick-box for “marketing from selected third parties” doesn’t meet the standard.

Can you trace each record to a source? Not “our proprietary database.” An actual origin you could put in a privacy notice.

Which records are sole traders? Given the PECR rule above, a provider who hasn’t separated corporate from individual subscribers hasn’t done the one piece of analysis that matters for email marketing.

The enforcement record shows what happens when nobody asks. In January 2024 the ICO fined HelloFresh £140,000 for 80.9 million marketing messages sent in breach of PECR — and that was a household brand with a legal team, under the old £500,000 cap. The typical fine in the ICO’s marketing enforcement runs to five or six figures, and the new cap moves the ceiling to £17.5 million.

There’s also a duty most list buyers have never heard of: when you get someone’s data from a third party, UK GDPR requires you to tell them where you got it — at the latest, in your first communication. If you can’t name the source, you can’t comply. Which brings us to the question underneath all of this.

Why the Data Source Decides Your Risk

Run the due diligence questions above against the two ways B2B data actually gets built, and the compliance gap becomes obvious.

Scraped / resold database Public-register data
Provenance Unknown — aggregated, merged, resold Named statutory register, checkable by anyone
“Where did you get my details?” No honest answer available “The public register at Companies House”
Freshness Verified once, at point of sale — if at all Registers update continuously, by law
Reasonable expectation of contact Weak — person never surfaced their details for this Stronger — details published for business transparency

UK public registers exist because Parliament decided this information should be open. Companies House publishes every company, director and registered office as free, open data. The Food Standards Agency publishes every food hygiene inspection. The CQC publishes every registered care provider. A record built from these sources answers the ICO’s due diligence questions by construction: you know exactly where it came from, when it was updated, and you can say so in your privacy notice — because the source is a government register, not a guess.

Signal data goes one step further on the balancing test. A trigger event — a failed hygiene inspection, a new care-home registration — is itself the evidence of relevance. You’re not arguing that a restaurant owner might hypothetically want pest control someday; the public record shows why they need it this week. That’s a materially easier legitimate-interests case than “this email address was in a database we bought.”

To be clear about the limits: publicly available does not mean free-for-all. Register data is still personal data where it identifies people. You still need the lawful basis, the assessment, the source disclosure and the suppression list. The difference is that with register-sourced data those duties are satisfiable — with a scraped database, several of them aren’t.

A Compliance Checklist Before You Buy B2B Data

Seven checks, in the order that catches problems fastest:

1. Ask for the source of each record. A named register or publication beats “proprietary database” every time. If they won’t say, walk away — the same test we apply in our comparison of UK B2B data providers.

2. Ask for their ICO registration number. Every legitimate UK data business has one. Hesitation is your answer.

3. Ask how corporate subscribers and sole traders are separated. This determines who you can email cold. A provider who doesn’t know the split doesn’t know their own data.

4. Write your legitimate interests assessment. One page, three tests, dated before your first send. Ours took an afternoon.

5. Name your data source in your first message. It satisfies the transparency duty and, oddly, improves replies — “I saw your registration on the public register” reads as research, not spam.

6. Include identity and opt-out in every send. Real sender, real address, working unsubscribe. This applies to corporate recipients too.

7. Keep a suppression list forever. Objections are absolute and don’t expire. Screen every new purchase against it — especially if you’re buying a B2B email database, where recycled records make repeat contact with past objectors likely.

None of this is onerous. It’s an afternoon of setup and a habit of asking providers questions they should be able to answer instantly. The businesses that get fined aren’t the ones who did this imperfectly — they’re the ones who never asked at all.

Compliant B2B Data: Quick Answers

Can I email UK businesses without consent?
Corporate bodies — limited companies, LLPs, Scottish partnerships, government bodies — yes, under PECR. Sole traders and ordinary partnerships — no, they’re treated as individuals and need consent or a soft opt-in. Everyone gets identity disclosure and an opt-out, and UK GDPR still governs any personal data involved.

Is Companies House data compliant to use for marketing?
It has the strongest provenance available — published by law, traceable, continuously updated. But public availability doesn’t remove your UK GDPR duties: you still need a lawful basis, a documented assessment, source disclosure and objection handling.

What is a legitimate interests assessment?
The ICO’s three-part test — purpose, necessity, balancing — written down before you rely on legitimate interests. A short document, but a mandatory one.

What if someone objects?
You stop. The right to object to direct marketing is absolute — no balancing test, no exceptions, no expiry.

If you’ve read this far, you now know more about compliant B2B data than most providers will volunteer. The practical takeaway is simple: compliance isn’t a badge a vendor gives you — it’s a property of where the data came from and what you do with it. Data traced to public registers, filtered for the corporate/sole-trader split, delivered fresh, lets you do everything above and evidence it.

That’s how we build every list we sell — from profession-filtered email lists built on Companies House records to trigger signals from FSA and CQC registers. Ask us the seven questions above; we’ll answer all of them in writing, with a free sample so you can check the data yourself before paying anything.

This article is general guidance for UK businesses, not legal advice. For decisions about your specific circumstances, consult a data protection specialist or see the ICO’s direct marketing guidance.