GDPR and B2B prospecting in the UK

By Dave Curran, Co-Founder, Firmbase | March 2026 | 9 min read
Most content about GDPR and cold email is written by lawyers for lawyers. It's full of cautious language, hedged statements, and disclaimers. If you read it expecting clarity, you're frustrated by the end.
Here's what a sales rep actually needs to know about GDPR and B2B cold outreach in the UK, stated directly:
You can cold email UK businesses. GDPR allows it. You have a legal basis (legitimate interests). You need to follow some basic rules. If you don't, there's actual risk. Here's what matters.
The core rule: GDPR only applies to personal data
This is the crucial bit most people misunderstand. GDPR regulates how you handle personal data (information about individuals). It doesn't regulate how you handle business data (information about companies).
An email address like contact@example.com (a generic business address) is not personal data. It's a business contact point. GDPR doesn't restrict how you use it.
An email address like john.smith@example.com (a personal business email) could be personal data, depending on context.
Why does this matter? Because the biggest bucket of your cold outreach - reaching out to a company's generic email address or switchboard number - isn't regulated by GDPR at all. You can do it freely.
B2B is different from B2C
GDPR is more permissive for B2B than for B2C.
In B2C (business to consumer), you generally need permission before you email someone. You need them to opt in. You need a clear legal basis.
In B2B (business to business), the rules are looser. If you're reaching out to a business email address at a company, you have more latitude.
Why? Because the person at the other end is receiving it in a professional capacity, as an agent of the company. They're not receiving it as a private individual.
The legal basis: legitimate interests
Even though you can cold email businesses, you still need a legal basis under GDPR. The most common basis for prospecting is "legitimate interests."
Legitimate interests means that your interest in reaching potential customers outweighs the data subject's interest in not being contacted.
For business email addresses, this is straightforward. You have a legitimate business interest (finding customers). The person receiving it is at their workplace receiving it in a professional capacity. The balance tips in your favour.
You don't need explicit permission.
The practical rules for B2B prospecting
Rule 1: Use work email addresses, not personal ones
If you're prospecting, reach out to john@company.com (business email), not john.smith.personal@gmail.com (personal email found via LinkedIn).
Business emails are fair game. Personal emails found outside the company context are riskier legally.
Rule 2: Be clear about who you are and why you're contacting them
Your email should clearly state:
- Who you are
- What company you're from
- Why you're reaching out
- How to opt out
This is basic courtesy and GDPR compliance rolled into one. If you're sending a personalised cold email with real context, you're probably doing this already.
Rule 3: Provide an easy opt-out mechanism
At the minimum: include an unsubscribe link in emails. Make it functional. When someone unsubscribes, actually remove them from your list.
If someone says "stop contacting me," you have to stop. This is non-negotiable.
Rule 4: Don't email personal data if you don't have to
If you can reach people through company contact addresses or switchboard numbers, do that instead of digging up personal emails.
This isn't a legal requirement - it's a good practice that keeps you on the safe side.
Rule 5: Soft opt-in for existing customers
If someone has been a customer or engaged with you in business before, you can email them even if they haven't explicitly opted in. This is "soft opt-in."
The caveat: if they tell you to stop, you must stop immediately.
What you don't need to do
You don't need:
- Pre-permission to cold email businesses
- An extensive data protection impact assessment
- A legal review of every cold email
- A GDPR compliance officer's approval to prospect
You just need:
- To use business email addresses where possible
- To be clear about who you are and why you're contacting them
- An easy opt-out mechanism
- To respect opt-out requests
That's it.
Real risks to take seriously
Most cold outreach isn't going to trigger GDPR issues. But there are scenarios where you're genuinely crossing a line:
Scenario 1: Buying email lists from dubious sources
If you buy a list of personal emails scraped from the web without consent, those people complain about your company, and a data protection authority contacts you - that's a problem.
Most B2B sales teams don't do this. If you're using reputable data sources (Companies House, LinkedIn, legitimate data vendors), you're fine.
Scenario 2: Continuing to email after someone opts out
If someone unsubscribes and you keep emailing, that's a violation. This is actually enforced.
Scenario 3: Using personal data without legitimate basis
If you're emailing someone's personal email address that you found via reverse engineering or data brokers, specifically because you know they individually have a need for your product, and they've asked you to stop - you're in grey territory.
Again, most business prospecting doesn't land here.
The international angle
If you're a UK company, GDPR applies to you regardless of where your customers are.
If you're a US company reaching out to UK contacts, GDPR applies.
If you're selling to US companies but reaching out to their UK employees, GDPR applies.
This is why understanding the rules matters - they're not optional just because you're not a UK company.
The honest truth about enforcement
GDPR enforcement is random and usually slow. The ICO (Information Commissioner's Office, the UK data protection authority) processes thousands of complaints and prioritises significant breaches.
A small sales team doing thoughtful, respectful prospecting with clear opt-out mechanisms is unlikely to be a priority.
A company doing aggressive list scraping, ignoring opt-outs, and selling personal data is a priority.
This doesn't mean the rules don't matter. It means if you're being reasonable and respectful, you're almost certainly fine.
What this means for your prospecting
Do this:
- Cold email business addresses (company@domain.com, contact@domain.com)
- Include who you are and why you're reaching out
- Include an unsubscribe link and actually honour unsubscribes
- Keep your contact lists clean
- Use reputable data sources
Don't do this:
- Cold email personal email addresses scraped from LinkedIn
- Ignore unsubscribe requests
- Buy email lists from shady data brokers
- Continue emailing after someone opts out
- Misrepresent your identity or company
The grey area:
- Personalised cold email to work addresses using public data (this is usually fine, but respect opt-outs)
- Soft opt-in for previous contacts (fine, but stop if they ask)
Firmbase uses Companies House data and legitimate B2B data sources - no personal data scraping, no shadow lists.
When you prospect with Firmbase, you're using data sources that comply with GDPR and are actually useful for identifying buying signals.
Start your free trial and prospect with confidence.
Disclaimer
This article is not legal advice. GDPR is complex, and enforcement is evolving. If you have specific questions about your prospecting practices, consult a qualified data protection or legal advisor. The Firmbase team are not lawyers, and this guide is general information, not legal counsel.
FAQ
Q: Is cold email illegal in the UK?
A: No. Cold emailing UK businesses is legal under GDPR if you're using a legitimate basis (which you are, via legitimate interests), being transparent about who you are, and respecting opt-outs.
Q: Do I need GDPR consent before cold emailing?
A: For B2B prospecting to business email addresses, no. You don't need explicit opt-in. You have a legitimate basis.
Q: What if someone reports my cold email as spam?
A: Being reported as spam doesn't automatically mean you've violated GDPR. The question is whether you're using legitimate basis and respecting opt-outs. If you are, you're fine.
Q: Can I cold call instead of email to avoid GDPR issues?
A: GDPR applies to phone numbers too if they're personal data. But phone calling is actually more heavily regulated in the UK. For B2B prospecting, email is safer than cold calling.
Q: What if I'm selling to EU companies?
A: GDPR applies across the EU. The same rules hold.
Q: How long should I keep email data?
A: Only as long as you need it for your prospecting purpose. If someone doesn't respond to three emails, delete their contact info. You don't need to keep data indefinitely.
Q: Are LinkedIn's Terms of Service the same as GDPR?
A: No. LinkedIn has its own ToS that forbids scraping. GDPR is legal regulation. You need to comply with both. (Don't scrape LinkedIn emails.)
Author Bio
Dave Curran is the co-founder of Firmbase, a UK B2B sales intelligence tool that helps sales teams find, prioritise, and reach the right accounts without needing a RevOps team to make it work. Before Firmbase, Dave co-founded Love Mondays (acquired by Glassdoor, where he went on to serve as VP of Product) and Openvolt. He writes about UK B2B sales, prospecting, and go-to-market strategy.
Firmbase helps UK B2B sales teams discover their complete account universe, prioritise based on real buying signals, and reach out with genuine relevance - without the complexity of enterprise tools. Start your free trial.
