Why the due-diligence questions matter more than the brochure
Most data enrichment providers look similar from the outside. The website says "verified UK data", the sales deck shows a large record count, and the case studies feature recognisable logos. The real differences surface only when you press for specifics. A provider who answers the six questions below with concrete, written commitments is demonstrably different from one who deflects to generalities. The six questions are not a wish list; they cover the four dimensions where enrichment programmes most commonly fail: compliance, quality, commercial fairness, and security.
Getting this selection wrong is expensive in two directions. A poor match rate wastes the campaign budget that follows. A compliance gap in the provider's data file can expose your organisation to an Information Commissioner's Office (ICO) investigation, particularly if you are using the enriched data for direct marketing under the Privacy and Electronic Communications Regulations (PECR). Taking 30 minutes to ask the right questions upfront is considerably cheaper than either outcome.
The six diligence questions: what good and bad answers look like
The table below summarises each question, the answer you should hear from a credible provider, and the red flags that signal a supplier worth avoiding.
| Question | Good answer | Red flag answer |
|---|---|---|
| 1. What is the lawful basis for your data file? | B2B: legitimate interests under Article 6(1)(f) UK GDPR, compiled from publicly available sources. B2C: consent under Article 6(1)(a) plus PECR consent for electronic channels, sourced from opt-in surveys and lifestyle questionnaires. | Vague references to "industry standard" or "GDPR-compliant" without specifying which lawful basis. Any suggestion that B2C data runs on legitimate interests. Refusal to provide written confirmation. |
| 2. What match rate will you deliver on my file? | A clear range (e.g. 40 to 65 per cent for a typical UK B2B CRM) with an offer to prove it on a pilot of your actual records before you sign anything. | Match rate figures given only as a headline average across all clients, not from your specific file type. Refusal to pilot. Claims of 90 per cent or above match rate on B2B without qualification. |
| 3. How is pricing structured? | Per-match pricing: you pay only for records where the provider successfully appended data. A clear breakdown of price per field type (email, direct-dial, mobile). | Per-record-processed pricing (you pay for every row you submit regardless of match). Bundled flat fees with no transparency on unit cost per match. |
| 4. What is the average age of your data? | Specific figures: for example, "direct-dial numbers verified within the last six months; email addresses verified within the last three months." A stated re-verification cycle. | "Regularly updated" with no dates. No field-level freshness information. Inability to state when the underlying file was last re-verified against live sources. |
| 5. What security certifications do you hold? | ISO 27001, with an active certificate from an accredited certification body. Willing to share the certificate number so you can verify it. GDPR data processing agreement (DPA) offered as standard. | Cyber Essentials only (useful but not sufficient for CRM-scale data transfers). Self-declared compliance with no third-party audit. Reluctance to sign a formal DPA. |
| 6. What is your replacement guarantee? | At least 10 per cent replacement of matched records within 30 to 90 days of delivery, applied automatically on evidence of hard bounces or confirmed inaccuracies. | No guarantee stated. Replacement offered only "case by case". Guarantee capped below 5 per cent. Requirement to prove inaccuracy through an onerous claims process. |
How to structure a pilot: 5,000 to 10,000 records
A pilot is the single most reliable signal of provider quality. It removes the gap between what a supplier claims in a sales conversation and what they actually deliver on your data. The correct pilot size for UK B2B enrichment is 5,000 to 10,000 records: large enough to produce a statistically meaningful match rate, small enough that a paid pilot costs a few hundred pounds rather than thousands.
What to include in your pilot file
Send a representative sample, not your best records. The most common mistake is cherry-picking recently acquired, well-structured contacts for the pilot and then running the full CRM (which is messier and older) only after signing. Your pilot file should include a cross-section of the following:
- Records of different ages: mix contacts from the past 12 months with records that are two to three years old.
- Varying input completeness: some rows with company name, job title, and postcode; others with only a name and an old email address.
- Different seniority levels and sectors, if your CRM spans them.
After the pilot, the number you care about most is not the headline match rate but the usable match rate: matched records where the appended field (direct-dial, email, LinkedIn URL) passes your own quality threshold. See our companion article on understanding data enrichment match rates for the full methodology.
What a pilot does not tell you
A pilot confirms accuracy at a point in time. It does not tell you how the file holds up six months later, which is why the replacement guarantee matters so much as a separate contractual protection. The two work together: the pilot gives you confidence to proceed, and the replacement guarantee covers the inevitable decay that follows delivery.
Pricing transparency: per-match versus per-record-supplied
Pricing structure is one area where buyer education is genuinely low, and some suppliers exploit that. The key distinction is between paying per matched record versus paying per record submitted. Suppose you send 10,000 records and the provider matches 5,000 of them. Under per-match pricing, you pay for 5,000. Under per-record-supplied pricing, you pay for 10,000, whether or not the unmatched 5,000 are of any use to you.
Per-record-supplied pricing is not inherently dishonest, but it does misalign incentives: the provider has no financial stake in improving match performance because they are paid either way. Per-match pricing puts the provider's revenue directly in proportion to the quality of their file. In our experience, per-match is the fairer structure for the buyer, and it is the one you should push for in any enrichment contract of meaningful scale.
Expect rough UK market pricing (2026) for B2B enrichment to fall in the range of £0.15 to £0.60 per matched record for core fields (email, direct-dial), with premium fields such as verified mobile or LinkedIn URL at the higher end. Volume discounts typically kick in above 25,000 matched records. These figures vary by sector and file quality; your pilot gives you the negotiating position to secure a better rate based on actual match performance.
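As an added example (not code from the original article), here is a short Python script that scores a pilot return the way the pilot section and the pricing section above describe: headline versus usable match rate for each appended field, and what the same return would cost under per-match versus per-record-supplied pricing. The ten pilot rows, the email and UK phone checks, and the unit price are constructed assumptions standing in for your own quality threshold and the rate you are quoted.

```python
import re

# Constructed pilot return (not real data): one dict per record submitted,
# holding the fields the provider appended. None means no match was found.
PILOT_RESULTS = [
    {"email": "a.smith@example.co.uk", "direct_dial": "+44 20 7946 0000"},
    {"email": None, "direct_dial": "020 7946 0001"},
    {"email": "bad-address", "direct_dial": None},
    {"email": "j.doe@example.com", "direct_dial": "12345"},
    {"email": None, "direct_dial": None},
    {"email": "ops@example.org", "direct_dial": "+44 7700 900123"},
    {"email": "no-at-sign.example.com", "direct_dial": "07700 900456"},
    {"email": None, "direct_dial": "0207 946"},
    {"email": "m.khan@example.co.uk", "direct_dial": "+44 161 496 0000"},
    {"email": None, "direct_dial": None},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def email_ok(value):
    """Assumed quality threshold: a syntactically plausible address."""
    return bool(EMAIL_RE.match(value))


def direct_dial_ok(value):
    """Assumed threshold: a full UK number, +44 form (12 digits) or 0-prefixed (10-11)."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("44"):
        return len(digits) == 12
    return digits.startswith("0") and len(digits) in (10, 11)


QUALITY_CHECKS = {"email": email_ok, "direct_dial": direct_dial_ok}


def match_rates(rows, field):
    """Headline rate (anything appended) vs usable rate (appended value passes the check)."""
    submitted = len(rows)
    matched = [r[field] for r in rows if r.get(field)]
    usable = [v for v in matched if QUALITY_CHECKS[field](v)]
    return {"headline": round(len(matched) / submitted, 3),
            "usable": round(len(usable) / submitted, 3)}


def cost_comparison(rows, field, unit_price):
    """Cost in pounds of the same return under per-match vs per-record-supplied pricing."""
    matched = sum(1 for r in rows if r.get(field))
    return {"per_match": round(matched * unit_price, 2),
            "per_record_supplied": round(len(rows) * unit_price, 2)}
```

Run `match_rates(PILOT_RESULTS, "email")` and `cost_comparison(PILOT_RESULTS, "email", 0.30)` on the constructed rows to see a 60 per cent headline rate shrink to 40 per cent usable, and the per-record-supplied bill come out at £3.00 against £1.80 per-match.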
Security standards: what ISO 27001 actually means
ISO 27001 is the international standard for information security management systems, published by the International Organisation for Standardisation and independently audited by accredited certification bodies. It requires the holder to systematically identify information security risks, implement controls, and undergo regular surveillance audits. For a data enrichment provider, it means the organisation has formal procedures for how your CRM file is received, stored, processed, and deleted after delivery.
Cyber Essentials Plus, administered by the National Cyber Security Centre, is a useful baseline that covers five technical controls (firewalls, secure configuration, access control, malware protection, patch management). It is worth having, but it is a shallower framework than ISO 27001 and does not address the organisational processes around data handling that matter most when you are transferring a CRM file.
When a provider claims ISO 27001, ask for the certificate reference number and the name of the certification body. You can verify UK-issued certificates directly through the United Kingdom Accreditation Service (UKAS) at ukas.com. A provider who cannot give you a certificate number to check is not certified, whatever their website says.
Alongside the security certification, require a signed data processing agreement (DPA) before any file transfer. Under UK GDPR Article 28, you are the data controller and the enrichment provider is a data processor; a DPA is legally required, not optional. Any provider who presents this as burdensome or unusual should be treated as a risk.
Replacement guarantees: what the contract should say
A replacement guarantee is the provider's commitment to substitute records that prove inaccurate after delivery. The practical mechanics matter as much as the percentage. A guarantee that requires you to submit a detailed claims form, wait 60 days for review, and then prove inaccuracy through bounce logs and call records is functionally worse than a 5 per cent guarantee with a simple email request. Before signing, check three things:
- The threshold: 10 per cent of matched records is a reasonable starting point. If you are buying mobile numbers or direct-dials, push for 15 per cent given the higher decay rate on those fields.
- The claims window: 30 to 90 days from delivery is standard. Check whether the clock starts from delivery or from first use; for large programmes where you deploy the data in phases, the distinction matters.
- The replacement mechanism: ideally, replacements are drawn from the same segment as the original records (same sector, seniority, or geography). A provider who replaces a bounced Operations Director record with any available record is not really honouring the spirit of the guarantee.
Providers confident in their file quality will agree to these terms without significant negotiation. Those who push back hard on all three points are telling you something important about what they expect the bounce rate to be.
Common red flags: a summary checklist
The six questions above generate a lot of signals. The red flags below are the ones that should cause you to stop the conversation rather than continue to negotiate.
Stop-the-process red flags
- The provider cannot state the lawful basis for their file in writing, or conflates consent and legitimate interests across B2B and B2C.
- No pilot option before a bulk contract, or the pilot requires you to sign a volume commitment first.
- Match rate figures are cited only from marketing materials, not from a test run on your actual file.
- No ISO 27001 certificate, and no willingness to sign a data processing agreement.
- Pricing is per-record-supplied with no per-match alternative offered.
- No replacement guarantee, or a guarantee capped below 5 per cent with an onerous claims process.
- Pressure to sign within a short deadline before you have completed due diligence.
No single flag above necessarily means the data is bad. One yellow flag is worth a follow-up question; several flags together indicate a supplier whose commercial model depends on buyers not asking hard questions. That is not the kind of dependency you want in a data supply relationship.
For a broader view of how to evaluate a B2B data supplier from the ground up, including SIC code targeting and file structure questions, see our guide on how to choose a B2B data provider in the UK.
