
    GDPR and B2B prospecting in the UK


    By Dave Curran, Co-Founder, Firmbase | March 2026 | 9 min read

    Most content about GDPR and cold email is written by lawyers for lawyers. It's full of cautious language, hedged statements, and disclaimers.

    Here's what a sales rep actually needs to know about GDPR and B2B cold outreach in the UK, stated directly:

    You can cold email UK businesses. The UK GDPR allows it, and you have a lawful basis for it (legitimate interests). You need to follow some basic rules. If you don't, there is real risk. Here's what matters.

    The core rule: GDPR only applies to personal data

    GDPR regulates how you handle personal data (information relating to an identifiable living individual). It does not regulate information about a company as such.

    An email address like contact@example.com (a generic, role-based business mailbox) is not personal data. GDPR doesn't restrict how you use it.

    An email address like john.smith@example.com identifies a named individual, so it is personal data even though it is a work address. Context matters for how you are allowed to use it, not for whether it is personal data.

    The biggest bucket of your cold outreach, reaching out to a company's generic email address, isn't regulated by GDPR at all.

    B2B is different from B2C

    The rules are more permissive for B2B than for B2C.

    In B2C, you generally need consent before you send someone marketing email.

    In B2B, the rules are looser. If you're reaching out to a business email address at a company, you have more latitude: the person is receiving it in a professional capacity, as a representative of the company. One caveat: under PECR (the UK rules on electronic marketing), sole traders and some partnerships count as individuals rather than corporate subscribers, so marketing email to them needs consent just as in B2C.

    The legal basis: legitimate interests

    Even though you can cold email businesses, you still need a lawful basis under GDPR whenever you handle personal data (a named person's work address). The most common basis for prospecting is "legitimate interests."

    Legitimate interests means: you have a genuine business purpose (finding customers), the processing is necessary for that purpose, and the purpose is not overridden by the individual's interests, rights and freedoms. For a named work address this usually balances in your favour. Write the assessment down: the ICO expects you to be able to show a record of it (a legitimate interests assessment).

    You don't need consent. You do have to honour an objection: under the UK GDPR the right to object to direct marketing is absolute.

    The practical rules for B2B prospecting

    Rule 1: Use work email addresses, not personal ones. Reach out to john@company.com, not john.smith.personal@gmail.com. If a personal address is all you have, don't prospect to it.

    Rule 2: Be clear about who you are and why you're contacting them. Your email should state who you are, what company you're from, why you're reaching out, how to opt out and, since you didn't get their details from them, where you got them.

    Rule 3: Provide an easy opt-out mechanism. Include an unsubscribe link. When someone unsubscribes, remove them from your sending list and keep the address on a suppression list so it is never re-imported from another source.

    Rule 4: Respect opt-out requests, however they arrive. If someone replies "stop contacting me," you have to stop. Non-negotiable.
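    The four rules above as a pre-send check over a prospect list. This is an added example, not Firmbase's code or the page's own: it classifies each address as a generic role mailbox, a named work address, a consumer webmail address or a suppressed address, and only lets the first two through. The role-mailbox and webmail-domain lists, the wildcard `*@domain` convention for a company-wide opt-out, and the sample prospect and suppression lists are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Local parts of generic, role-based mailboxes: mail sent here reaches a
# function, not an identifiable person. Illustrative, not exhaustive.
ROLE_LOCAL_PARTS = {
    "contact", "info", "hello", "sales", "enquiries", "inquiries",
    "support", "admin", "office", "team", "marketing", "press",
}

# Consumer webmail domains: a mailbox here belongs to a person, not a business.
CONSUMER_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "hotmail.co.uk",
    "live.com", "yahoo.com", "yahoo.co.uk", "icloud.com", "protonmail.com",
}

_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Decision:
    address: str
    send: bool
    category: str   # generic | named-work | consumer | suppressed | invalid
    reason: str


def normalise(address: str) -> str:
    """Lower-case and trim so suppression lookups are not fooled by case or whitespace."""
    return address.strip().lower()


def classify(address: str, suppression: set) -> Decision:
    """Apply the four rules to one address. `suppression` holds normalised
    addresses and, by convention of this example, '*@domain' for whole-company opt-outs."""
    addr = normalise(address)
    if not _ADDR_RE.match(addr):
        return Decision(addr, False, "invalid", "not a syntactically valid email address")
    local, domain = addr.rsplit("@", 1)
    # Rules 3 and 4: an opt-out beats everything else, including a generic mailbox.
    if addr in suppression or f"*@{domain}" in suppression:
        return Decision(addr, False, "suppressed", "address or whole domain has opted out")
    # Rule 1: never prospect to personal webmail addresses.
    if domain in CONSUMER_DOMAINS:
        return Decision(addr, False, "consumer", "personal webmail address, not a business address")
    # Drop a "+tag" so "sales+web@" is still recognised as the sales mailbox.
    base = local.split("+", 1)[0]
    if base in ROLE_LOCAL_PARTS:
        return Decision(addr, True, "generic", "role-based corporate mailbox; not personal data")
    # A named person at a business domain: personal data, legitimate interests applies.
    # Note this check cannot tell whether the domain belongs to a sole trader, which
    # PECR treats as an individual; that needs a look at the company record, not the address.
    return Decision(addr, True, "named-work", "named individual at a business domain")


def filter_prospects(addresses, suppression):
    """Split a prospect list into (to_send, held) lists of Decisions."""
    supp = {normalise(s) for s in suppression}
    decisions = [classify(a, supp) for a in addresses]
    return [d for d in decisions if d.send], [d for d in decisions if not d.send]


# Constructed sample input for the example.
SAMPLE_PROSPECTS = [
    "contact@example.com",
    "John.Smith@Example.com",
    "sales+web@example.org",
    "jane.doe@gmail.com",
    "amy@example.net",
    "not-an-address",
]
SAMPLE_SUPPRESSION = ["john.smith@example.com", "*@example.net"]

if __name__ == "__main__":
    to_send, held = filter_prospects(SAMPLE_PROSPECTS, SAMPLE_SUPPRESSION)
    for d in to_send:
        print(f"SEND  {d.address:28} {d.category:10} {d.reason}")
    for d in held:
        print(f"HOLD  {d.address:28} {d.category:10} {d.reason}")
```

    The suppression check runs before everything else on purpose: a generic mailbox is outside GDPR, but a company that has told you to stop still has to be left alone, and normalising both sides means a re-imported "John.Smith@Example.com" cannot slip past an opt-out recorded in lower case.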

    What you don't need to do

    You don't need:

    • Pre-permission to cold email businesses
    • A data protection impact assessment (routine prospecting is not high-risk processing)
    • A legal review of every cold email

    You just need:

    • To use business email addresses where possible
    • To be clear about who you are
    • An easy opt-out mechanism
    • To respect opt-out requests

    The honest truth about enforcement

    GDPR enforcement is selective and usually slow. The ICO prioritises serious breaches and large-scale, persistent unsolicited marketing.

    A small sales team doing thoughtful, respectful prospecting with clear opt-out mechanisms is unlikely to be a priority. A company doing aggressive list scraping and ignoring opt-outs is a priority.

    Firmbase uses Companies House data and legitimate B2B data sources

    When you prospect with Firmbase, you're using data sources that comply with GDPR.

    Start your free trial at app.firmbase.co/signup

    Disclaimer

    This article is not legal advice. GDPR is complex, and enforcement is evolving. If you have specific questions about your prospecting practices, consult a qualified data protection advisor.

    FAQ

    Is cold email illegal in the UK?

    No. Cold emailing UK businesses is lawful under the UK GDPR if you have a lawful basis, are transparent about who you are, and respect opt-outs.

    Do I need GDPR consent before cold emailing?

    For B2B prospecting to business email addresses at companies, no. You don't need explicit opt-in; legitimate interests is your lawful basis. Sole traders and some partnerships are the exception, as they are treated as individuals.

    What if someone reports my cold email as spam?

    Being reported as spam doesn't automatically mean you've violated GDPR. The question is whether you have a lawful basis, were transparent, and are respecting opt-outs. Treat a spam report as an opt-out anyway and suppress the address.

    Can I cold call instead of email?

    GDPR applies to phone numbers too if they identify an individual. But cold calling is more heavily regulated in the UK under PECR: you must screen numbers against the TPS and, for businesses, the Corporate TPS before calling. For B2B prospecting, email is the simpler route.

    Author Bio

    Dave Curran is the co-founder of Firmbase, a UK B2B sales intelligence tool. Start your free trial