GDPR for lead generation
How UK GDPR and the Data Protection Act 2018 apply to B2B borrower-intent data — legitimate interest, controller obligations, and the public-data carve-out.
Definition
GDPR for lead generation refers to the application of UK GDPR (the retained EU General Data Protection Regulation) and the Data Protection Act 2018 to B2B lead-generation activities — specifically the processing of personal data on company directors and decision-makers for sales outreach by lenders, vendors, and intermediaries.
Why B2B lead-gen is in scope
UK GDPR applies whenever personal data is processed, regardless of B2B or B2C context. Director names, work email addresses, direct phone numbers, and behavioural data about specific individuals are personal data — and processing them for outreach is in scope. The B2B context does not exempt you; it only changes which lawful basis is most appropriate.
The lawful basis: legitimate interest
For B2B borrower-intent processing by an FCA-regulated lender, the typical lawful basis is Article 6(1)(f) — legitimate interest. This requires a documented Legitimate Interest Assessment (LIA) with three tests:
- Purpose test. What is the legitimate interest? (Helping qualified businesses access working capital is a recognised commercial interest.)
- Necessity test. Is the processing necessary to that purpose? (Yes — without sourcing data on companies likely to need finance, the lender cannot deliver its service.)
- Balancing test. Does the interest override the data subject's rights and freedoms? (For B2B directors whose data is processed in their professional capacity using public-by-statute data, the balance favours processing, provided an opt-out is available.)
The public-data dimension
UK Companies House data is public-by-statute under the Companies Act 2006. Data subjects (directors) have a reasonable expectation that their professional details will be publicly available and processed for commercial purposes including outreach. This strengthens the balancing test in favour of legitimate-interest processing.
Controller obligations
Anyone processing personal data for outreach acts as a data controller (or joint controller) and must:
- Maintain a documented LIA
- Publish a privacy notice covering the processing
- Provide a clear opt-out (right to object, Article 21)
- Honour subject access requests (Article 15)
- Document data retention periods
- Notify breaches to the ICO within 72 hours
- Register with the ICO as a data controller (annual fee from £40)
PECR — the other regulation
The Privacy and Electronic Communications Regulations (PECR) apply separately to electronic marketing. Key points:
- Cold B2B email to corporate addresses (e.g. director@ltdcompany.co.uk) is generally permitted without prior consent, provided opt-out is honoured.
- Cold B2B email to sole traders, partnerships, and individuals requires either consent or the "soft opt-in" exemption (existing customer + similar product).
- Cold B2B telephone marketing must respect the Corporate Telephone Preference Service (CTPS).
Frequently asked
Is B2B lead generation exempt from UK GDPR?
No. UK GDPR applies whenever personal data is processed, including directors' work contacts.
What lawful basis applies to B2B outreach?
Typically legitimate interest (Article 6(1)(f)), supported by a documented LIA.
Can I use Companies House data without consent?
Yes, where legitimate interest applies and the necessity and balancing tests are met. Companies House public-by-statute status strengthens the assessment.