The era of "spray and pray" lead generation is over. If you're still buying email lists off the shelf or cold-calling mobile numbers without checking your legal ground first, you're not just being sloppy. You're gambling with fines that can hit £17.5 million or 4% of global turnover, whichever is higher.
For UK agencies running lead gen campaigns in 2025, compliance isn't optional paperwork. It's the difference between a sustainable business and a letter from the Information Commissioner's Office (ICO) that ruins your year.
This guide breaks down exactly what UK GDPR and PECR actually mean for your day-to-day operations, where the grey areas really are, and how to run effective campaigns without accidentally breaking the law.
Why This Matters More Than Ever
The ICO has stopped issuing warnings. They're issuing fines. In the past 18 months alone, UK businesses have been hit with penalties totalling millions for things like poor consent mechanisms, inadequate suppression lists, and mishandling B2C data under the guise of B2B outreach.
Take HelloFresh. They got fined £140,000 for sending 79 million marketing emails to people who'd unsubscribed or never opted in. The ICO's argument wasn't complicated: if someone says no, that means no. If you keep emailing them anyway, that's a breach.
Compliance is no longer about ticking a box on a privacy policy. It's about building systems that respect the law by default, not as an afterthought.
The Two Laws You Actually Need to Understand
UK lead generation sits at the intersection of two regulations: UK GDPR and PECR (Privacy and Electronic Communications Regulations). They overlap, but they're not the same thing.
UK GDPR governs how you collect, store, and process personal data. It covers everything from when you scrape a contact's name off LinkedIn to how long you keep their details in your CRM.
PECR is more specific. It regulates electronic marketing. That means emails, SMS, automated calls, and fax (yes, fax still exists in some industries). PECR is stricter than GDPR in many ways, especially around consent.
The critical thing to understand is this: you can be GDPR-compliant and still breach PECR. For example, you might have a legitimate interest to process someone's business email under GDPR, but if you send them an unsolicited marketing email without the soft opt-in exception or explicit consent, you've violated PECR.
B2B vs B2C: The Line That Actually Matters
One of the biggest misconceptions in UK lead gen is that B2B emails are exempt from PECR. They're not exempt. They're just treated differently, and the difference is narrower than most people think.
PECR allows unsolicited marketing emails to "corporate subscribers." That means emails sent to a business address like sales@company.co.uk or info@startup.com. But if you're emailing john.smith@company.co.uk, that's an individual subscriber, even if John works at a business. The rules change.
In practice, this means you can cold-email generic business inboxes without prior consent, but only if you're selling something relevant to that organisation's business, and only if they haven't already told you to stop. You also need to include a clear, functioning unsubscribe mechanism in every email.
The gotcha: If you're emailing a named person at a business (even a work email), and they're not an existing customer, you're technically in a grey area. The ICO's guidance suggests treating these emails more like B2C, which means you should either have consent or a very strong legitimate interest case.
Legitimate Interest: The Legal Basis Everyone Misuses
Most agencies rely on "legitimate interest" to justify cold outreach. That's fine, but only if you've actually done the assessment properly. Legitimate interest isn't a free pass. It's a balancing test.
You need to document three things:
- Purpose: Why are you processing this data? "To generate leads" isn't enough. Be specific. "To contact procurement managers at mid-sized manufacturing firms in the West Midlands who may benefit from our ISO certification consulting services" is better.
- Necessity: Could you achieve this purpose without using personal data, or with less intrusive methods? If the answer is yes, you can't use legitimate interest.
- Balancing Test: Does your interest outweigh the individual's right to privacy? If you're scraping mobile numbers off Facebook to cold-call people at home, the answer is no. If you're emailing a publicly listed business development director using their company email, you've got a stronger case.
And here's the critical bit: you need to write this down. If the ICO comes knocking, "we thought it was fine" is not a defence. A documented Legitimate Interest Assessment (LIA) is.
The Suppression List Problem (And How to Solve It)
GDPR gives people the "right to erasure." If someone asks you to delete their data, you have to do it. Except, in lead generation, deleting someone's details creates a new problem: how do you remember not to contact them again if you've deleted their record?
The answer is suppression lists. You're allowed to keep the minimum necessary information (usually just an email address or phone number) to ensure you don't re-contact someone who's opted out. This is considered a legitimate interest under GDPR, because it protects people from unwanted contact.
But here's where it gets messy in practice. Most CRMs (Salesforce, HubSpot, Pipedrive) don't separate suppression data from marketing data cleanly. If someone requests deletion, you can't just hit delete. You need to:
- Remove all personal data except the email address or phone number
- Mark the contact as suppressed
- Ensure your email automation respects that suppression flag forever
- Document the request and your response in case of audit
Most agencies don't do this properly. They either delete everything (and risk re-contacting people) or keep everything (and breach GDPR). Neither is acceptable.
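One way to implement the erasure-plus-suppression steps above, together with the send-time cross-check against external lists described in the checklist further down, as an added example that is not code from the original post or from any named CRM product. It assumes an in-memory store with constructed sample contacts, and it retains a keyed hash of the normalised address or number instead of the plain address the text mentions, which goes slightly beyond the page: the list still blocks re-contact but cannot be reused as a contact list if it leaks.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed placeholder key; keep it outside the CRM so a leaked table is not a contact list.
SUPPRESSION_KEY = b"example-key-replace-me"

def normalise(identifier: str) -> str:
    """'John.Smith@Example.co.uk ' matches 'john.smith@example.co.uk'; phone numbers
    keep digits and a leading '+' only (no full E.164 handling in this example)."""
    s = identifier.strip().lower()
    if "@" in s:
        return s
    return "".join(ch for ch in s if ch.isdigit() or ch == "+")

def suppression_token(identifier: str) -> str:
    """Keyed hash of the normalised identifier: the only thing retained after erasure."""
    return hmac.new(SUPPRESSION_KEY, normalise(identifier).encode(), hashlib.sha256).hexdigest()

class Crm:
    def __init__(self):
        self.contacts = {}       # normalised identifier -> personal data
        self.suppressed = set()  # suppression tokens only, never the identifiers
        self.audit_log = []      # evidence of each request and what was done

    def is_suppressed(self, identifier: str) -> bool:
        return suppression_token(identifier) in self.suppressed

    def add_contact(self, identifier: str, **fields) -> bool:
        """Import-time gate: a suppressed person is never re-added by a new list."""
        if self.is_suppressed(identifier):
            return False
        self.contacts[normalise(identifier)] = dict(fields)
        return True

    def erase(self, identifier: str, reason: str = "erasure request") -> bool:
        """Right to erasure: drop the record, keep only the token, log what happened."""
        removed = self.contacts.pop(normalise(identifier), None) is not None
        self.suppressed.add(suppression_token(identifier))
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(),
                               "token": suppression_token(identifier),
                               "reason": reason, "record_removed": removed})
        return removed

    def filter_send_list(self, identifiers, external_lists=()) -> list:
        """Send-time gate: internal suppressions plus external lists (TPS/CTPS style)."""
        blocked = set(self.suppressed)
        for lst in external_lists:
            blocked.update(suppression_token(i) for i in lst)
        return [i for i in identifiers if suppression_token(i) not in blocked]
```

The two gates matter because a suppression flag that is only checked when a list is built is silently undone by the next import; checking again at send time is what makes the opt-out hold.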
Cold Calling: Still Legal, Barely
Cold calling is not illegal in the UK, but it's heavily restricted. For B2C, you can only call people who've opted in or who you have an existing customer relationship with (soft opt-in). For B2B, the rules are slightly looser, but only slightly.
If you're calling a business landline, you're generally fine as long as the company hasn't registered with the Corporate Telephone Preference Service (CTPS). If they're on the CTPS list and you call them anyway, that's a breach.
If you're calling a mobile, even if it's a business mobile, treat it like B2C unless you're certain it's a corporate number. That means you need consent or an existing relationship. The safest approach: don't cold-call mobiles.
What to Do If a Client Hands You a Dodgy List
This happens all the time. A client wants you to run a campaign and hands over a spreadsheet of 10,000 contacts they "got from a vendor" or "scraped from LinkedIn." They say it's fine. It's not.
Under GDPR, if you process that data, you're a data processor. Your client is the data controller. If the data was obtained illegally, both of you are liable. Saying "the client gave it to me" is not a defence.
What you need:
- Written confirmation from the client that the data was obtained lawfully
- Details of the legal basis for processing (consent, legitimate interest, etc.)
- A Data Processing Agreement (DPA) that clearly defines responsibilities
- Contractual indemnities that protect you if the client lied
If the client can't or won't provide this, walk away. The fine will cost more than the contract is worth.
How to Actually Stay Compliant (Without Killing Your Campaigns)
Compliance doesn't mean stopping all outbound activity. It means doing it properly. Here's what that looks like in practice:
- Audit your data sources: Know where every contact came from. If you can't explain the origin of a phone number or email address, don't use it.
- Document your legal basis: For every campaign, write down why you're allowed to contact these people. Is it consent? Legitimate interest? Existing customer relationship? Don't guess.
- Respect opt-outs immediately: If someone unsubscribes, suppress them within 24 hours across all systems. This includes email, phone, and any third-party platforms you use.
- Check suppression lists: Before sending any campaign, cross-reference your list against the TPS (Telephone Preference Service), CTPS, and your internal suppression database.
- Include clear unsubscribe options: Every email needs a one-click unsubscribe link. Every call script needs an opt-out offer. Every SMS needs STOP instructions.
- Train your team: Everyone who touches customer data needs to understand GDPR and PECR basics. "I didn't know" is not a defence the ICO accepts.
- Use a proper CRM: Free tools and spreadsheets don't cut it. You need a system that can handle suppression, track consent, and log data processing activities.
The Penalties Are Real
The ICO can fine you up to £17.5 million or 4% of annual global turnover, whichever is higher. For most agencies, that's business-ending money.
But fines aren't the only risk. A single GDPR complaint can trigger an investigation that takes months, costs thousands in legal fees, and destroys your reputation. Your clients will ask questions. Your prospects will see the headlines. Your team will spend weeks pulling together documentation instead of doing their actual jobs.
Prevention is cheaper than cure.
What to Do Next
If you're running lead gen campaigns right now and you're not 100% confident you're compliant, start here:
- Conduct a data audit. Find out what personal data you're holding, where it came from, and what legal basis you have for using it.
- Write a Legitimate Interest Assessment for any outbound campaigns that rely on it.
- Set up a proper suppression process in your CRM.
- Check your email templates, call scripts, and SMS messages for compliant unsubscribe mechanisms.
- Get a Data Processing Agreement in place with every client.
None of this is optional. The ICO is getting more aggressive, the fines are getting bigger, and the "we didn't know" defence stopped working years ago.
If you need help getting your lead gen operations compliant without gutting your conversion rates, book a call. We'll walk through your current setup and show you exactly where the risks are.