"Can I just scrape Companies House and email everyone?" The short answer is mostly yes, with conditions, but the conditions matter, and getting them wrong can cost you a £8, 500 ICO fine. This post is a plain-English guide to what UK GDPR and PECR actually require for B2B prospecting in 2026.
This isn't legal advice. It's an operator's summary of the rules we follow ourselves to keep the Leadistry database compliant.
The two laws that matter
UK GDPR (and the Data Protection Act 2018)
UK GDPR governs how you process personal data, anything that can identify a living individual. A director's name, work email, and phone number are all personal data even when used for B2B purposes. So GDPR applies to B2B prospecting whether you like it or not.
UK GDPR allows processing under six "lawful bases". The relevant one for B2B prospecting is Article 6(1)(f), legitimate interest. You can process personal data without consent if:
1. You have a legitimate interest (selling B2B services is a legitimate interest). 2. The processing is necessary for that interest. 3. The interest isn't overridden by the data subject's rights.
To rely on legitimate interest, you must do three things:
- Run a Legitimate Interest Assessment (LIA), a written balancing exercise. Take 20 minutes, document the decision.
- Honour opt-out / objection requests absolutely (Article 21). This is non-negotiable.
- Inform data subjects in your privacy notice that you process under legitimate interest and how to object.
PECR (Privacy and Electronic Communications Regulations)
PECR governs marketing communications specifically. The key distinction PECR draws is between:
- Individual subscribers (consumers, sole traders, some partnerships), direct email/SMS marketing requires prior consent (opt-in).
- Corporate subscribers (limited companies, LLPs, PLCs, government bodies), direct email/SMS marketing is permitted without prior consent, provided you give an opt-out on every message.
Companies House data is overwhelmingly limited companies and LLPs, so direct B2B email to those entities is allowed under PECR, *as long as* you honour opt-outs.
What's legal
If you're prospecting UK limited companies and LLPs, the following is legal under both GDPR and PECR:
1. Sourcing company data from Companies House (it's a public register designed for this). 2. Discovering contact details from public sources (company websites, LinkedIn profiles set to public). 3. Sending direct marketing email to corporate subscribers without prior consent, provided every message has an unsubscribe option. 4. Storing this data, as long as you have an LIA, a privacy notice, and a way to honour subject access / erasure requests.
What's not legal
The lines you can't cross:
1. Marketing to individual subscribers without consent. Sole traders and one-person partnerships are individual subscribers. Their email addresses (`john@johnsmith-plumbing.co.uk`) require opt-in marketing under PECR. Most people get this wrong. 2. Ignoring opt-out / objection requests. Once a director asks to be removed, you must remove them, and not just unsubscribe them, but stop processing their personal data entirely. That's an absolute right under GDPR Article 21. 3. Scraping data from sources that explicitly forbid it. Some platforms (LinkedIn) prohibit scraping in their terms. Doing it anyway opens you up to civil claims separate from GDPR. 4. Manufacturing personal email addresses. Generating `firstname.lastname@company.co.uk` based on a guess isn't sourcing data, it's making it up. ICO doesn't like this and it's the fastest way to draw a complaint. 5. Selling the database to a third party without a separate legal basis.
Practical compliance checklist
If you're running B2B prospecting in the UK, you need:
- [ ] A privacy notice on your website explaining what you collect, why, and the legal basis (legitimate interest).
- [ ] A documented LIA for each kind of processing.
- [ ] An opt-out form that works at the database level, not just an unsubscribe link.
- [ ] A 24-hour opt-out turnaround (legal limit is 30 days but quicker is safer).
- [ ] An audit log of all opt-out / SAR / erasure requests.
- [ ] Email templates with clear sender identification and an unsubscribe link.
- [ ] Distinction in your data between corporate vs individual subscribers so you don't accidentally email a sole trader without consent.
- [ ] Retention rules, re-verify or delete records older than 24 months.
Leadistry's GDPR + PECR posture is built on exactly this checklist.
Common questions
Do I need to ask Companies House for permission?
No. Companies House publishes the register specifically for public re-use. There's no permission step.
What about ICO fines?
The ICO has issued fines in the £5k–£50k range for B2B email mistakes, usually for ignoring opt-outs, marketing to individual subscribers without consent, or having no privacy notice. The fines are designed to be painful for SMEs. Honouring opt-outs is the single biggest thing that keeps you off the ICO's radar.
Can I outsource this?
You can use a tool that handles compliance for you (like Leadistry), but you're still the data controller for the prospect list once it's in your hands. The tool reduces the database-side risk; the email-sending-side risk is yours.
What about the EU?
This post covers UK GDPR + PECR. EU GDPR is broadly identical for B2B prospecting in member states, but ePrivacy implementations vary. If you're prospecting outside the UK, get specific advice for each country.
Bottom line
UK B2B prospecting is legal under UK GDPR + PECR if you:
1. Use a defensible legal basis (legitimate interest). 2. Document an LIA and a privacy notice. 3. Distinguish corporate from individual subscribers. 4. Honour opt-out requests fast and absolutely.
Most companies that get into trouble fail step 4. Get that one right and the rest is paperwork.
This isn't legal advice, get a UK data-protection lawyer to review your specific setup before you go big. But if you're starting out, the Leadistry suppression workflow and our GDPR commitments page show what a working compliance posture looks like in practice.
Leadistry maintains a live database of 5 million UK companies, enriched from the Companies House register with verified websites, business emails and social profiles. We write about the craft of finding and reaching the right businesses, first.
See how Leadistry works →