Most data purchases in the UK go fine. The supplier is ICO-registered, produces documentation without being asked, and the records arrive in good order. But a minority of vendors operating in this market cut corners on compliance, recycle aged lists, or simply do not understand the legal framework they are operating within. Knowing the warning signs before you sign anything can save you from an ICO investigation, a wasted campaign budget, or both.
The ten red flags below are drawn from real patterns in enforcement cases, buyer complaints, and the ICO's published guidance. They are not hypothetical risks. The two-strike rule at the end gives you a practical decision framework for borderline situations.
What are the ten red flags when buying UK data?
Work through this list during your initial supplier conversation. Most of these questions can be asked in a single call or email before you request counts.
Red flag 1: no lawful basis documented in writing
Every UK data supplier processing personal data must be able to state, clearly and in writing, which lawful basis under UK GDPR Article 6 applies to their file. For B2B data compiled under legitimate interests from public sources, that means Article 6(1)(f). For a B2C consumer file built from opt-in responses, it means Article 6(1)(a). Verbal assurances are not sufficient. If a supplier says "we're GDPR compliant" but cannot produce a written record of their Article 6 basis, their processing documentation is incomplete, and so is your due diligence if you proceed. Where the stated basis is legitimate interests, ask for the legitimate interests assessment (LIA) that supports it as well; the ICO expects one to exist, and a supplier who has never written one has not done the balancing test the basis depends on.
Ask specifically: "Can you provide written confirmation of the lawful basis under UK GDPR Article 6 for this file?" A reputable supplier will send it the same day.
Red flag 2: claims that legitimate interests covers B2C consumer electronic marketing
This one matters enough to be its own category. Under regulation 22 of the Privacy and Electronic Communications Regulations (PECR), unsolicited marketing by electronic mail (email, SMS and similar) to individual subscribers requires their prior consent. The only exception, the "soft opt-in", covers a sender's own existing customers and prospects and can never apply to a purchased list. UK GDPR's legitimate interests ground does not override PECR. A supplier claiming their consumer email file is lawful under legitimate interests is wrong about UK law, and any campaign you run on that basis is an enforcement risk. (Live marketing calls fall under regulation 21 instead, where screening against the TPS rather than consent is the test, but a supplier of telephone data still needs to show when the records were last screened.) The ICO's direct marketing guidance is unambiguous on this point.
For business-to-business email to corporate addresses, the position is more nuanced (sole traders and partnerships are treated as individuals for PECR purposes), but for consumer files the rule is clear. See our guide to ICO guidance on marketing data for a fuller breakdown of the consent/legitimate-interests boundary.
Red flag 3: refusal to provide a free count or sample
Every serious UK data supplier will run a free count against your targeting criteria before you commit a penny. Most will also provide a small anonymised sample (typically 50 to 200 records with email addresses partially masked) so you can inspect field completeness, format, and record quality. Refusal to do either is unusual enough to be a warning sign. It may indicate the supplier does not have the volume they are claiming, or that the records would not survive inspection. Read more about what to check in a B2B data sample evaluation.
Red flag 4: pricing significantly below the UK market range
Verified, actively maintained UK B2B data typically runs at £150 to £500 per 1,000 records depending on contact depth, job function specificity, and direct-dial inclusion. Consumer data with email and telephone costs £50 to £200 per 1,000. Quotes substantially below the floor of these ranges almost always reflect one of three things: records that have not been refreshed in years and carry a high decay rate, sourcing that would not withstand legal scrutiny, or outright fabricated data.
Cheap data is not a bargain. If 40% of the records are stale, you have paid full price for 60% of what you needed, and you have exposed yourself to suppression failures and PECR complaints in the process.
Red flag 5: vague or evasive answers about data sourcing
You are entitled to know where the data came from. For B2B files, legitimate sourcing typically includes Companies House filings, corporate websites, public job listings, and public industry directories. For B2C consumer files, legitimate sourcing is opt-in channels such as consumer surveys, prize-draw entry forms, or lifestyle questionnaires where individuals explicitly consented to third-party marketing. A supplier who responds with "we have our methods" or "we can't share our sources for commercial reasons" is hiding something material. Sourcing is not a trade secret; it is a compliance requirement.
Red flag 6: no security accreditations
ISO 27001 is the standard most used to demonstrate information security management in the UK data industry. Cyber Essentials is the government-backed baseline, with Cyber Essentials Plus adding an independent technical audit of the same controls. A supplier handling personal data at any scale should hold at least one of these, or be able to explain an equivalent control framework in writing. No accreditation and no credible substitute is a risk you are taking on. Note that a list supplier is normally a controller in its own right, not your processor, so the processor-contract requirements of UK GDPR Article 28 do not govern the purchase. What does govern it is the accountability principle (Article 5(2)) and Article 24: you must be able to show that you satisfied yourself the data came from a source applying adequate technical and organisational measures, and Article 32 then applies to your own handling of the file once it is delivered.
Red flag 7: no replacement guarantee for undeliverables
A supplier confident in their data quality will offer to replace or credit records that fail basic quality checks on delivery, typically postal undeliverables above an agreed threshold (often 5%) or email hard-bounces above 3 to 5%. No replacement guarantee means the supplier either knows the bounce rate will be high and does not want to absorb the cost, or has not thought seriously about quality assurance at all. Either way, the risk transfers entirely to you.
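The inspection in red flag 3 and the thresholds in red flag 7 can be turned into a repeatable delivery acceptance check. The script below is an added example and is not code from the original article or from any supplier; the column names, the completeness and duplicate limits, and every record, bounce result and returned-mail entry in it are constructed assumptions for illustration. Only the 5% postal and 3 to 5% email hard-bounce figures come from the article. It reports field completeness per column, malformed and duplicate email addresses, the hard-bounce rate from a seed send, and the postal return rate, then lists every agreed threshold that the delivery breaches so you have a written basis for a replacement claim.

```python
"""Delivery acceptance check for a purchased data file.

Added example, not part of the original article. Column names, the
completeness and duplicate limits, and every record, bounce result and
returned-mail entry below are constructed assumptions for illustration.
"""
import csv
import io
import re
from collections import Counter

# Loose syntax check only: it catches malformed addresses, not dead mailboxes.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REQUIRED_FIELDS = ("company", "contact_name", "job_title", "email", "postcode")

# 5% postal undeliverable and 5% email hard-bounce are the thresholds the
# article cites; the other three limits are assumed values for illustration.
THRESHOLDS = {
    "email_hard_bounce": 0.05,
    "postal_undeliverable": 0.05,
    "invalid_email_rate": 0.02,
    "duplicate_rate": 0.02,
    "min_field_completeness": 0.95,
}

# Constructed sample delivery: one blank name, one blank postcode, one
# malformed email, and one duplicate contact with a different-case email.
SAMPLE_CSV = """company,contact_name,job_title,email,postcode
Acme Ltd,Jane Smith,Finance Director,jane.smith@acme.example,SW1A 1AA
Beta Plc,Tom Jones,IT Manager,tom.jones@beta.example,M1 1AE
Gamma Ltd,,Operations Lead,ops@gamma.example,B1 1AA
Delta Ltd,Sam Lee,Head of Sales,sam.lee@delta.example,
Acme Ltd,Jane Smith,Finance Director,JANE.SMITH@acme.example,SW1A 1AA
Epsilon Ltd,Ann Brown,CFO,ann.brown-at-epsilon.example,L1 1AA
Zeta Ltd,Ray Chan,CTO,ray.chan@zeta.example,EH1 1AA
Eta Ltd,Kim Park,Marketing Manager,kim.park@eta.example,CF10 1AA
Theta Ltd,Lou Green,HR Director,lou.green@theta.example,G1 1AA
Iota Ltd,Pat Hill,Managing Director,pat.hill@iota.example,LS1 1AA
"""

# Constructed results of a seed send (email -> bounce class) and of a
# postal test mailing (postcodes of items returned undeliverable).
SAMPLE_BOUNCES = {"tom.jones@beta.example": "hard",
                  "ops@gamma.example": "soft",
                  "ray.chan@zeta.example": "hard"}
SAMPLE_RETURNED_MAIL = set()


def parse_records(text):
    """Read the delivery CSV into a list of dicts with whitespace stripped."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def field_completeness(records, fields=REQUIRED_FIELDS):
    """Fraction of records with a non-empty value, per required field."""
    n = len(records)
    return {f: sum(1 for r in records if r.get(f)) / n for f in fields}


def valid_emails(records):
    """Lower-cased addresses that pass the syntax check, one per record."""
    return [r["email"].lower() for r in records if EMAIL_RE.match(r["email"])]


def invalid_email_rate(records):
    return 1 - len(valid_emails(records)) / len(records)


def duplicate_rate(records):
    """Share of records whose normalised email repeats an earlier record."""
    counts = Counter(valid_emails(records))
    return sum(c - 1 for c in counts.values()) / len(records)


def hard_bounce_rate(records, bounces):
    """Hard bounces over the unique syntactically valid addresses sent to."""
    unique = set(valid_emails(records))
    hard = sum(1 for e in unique if bounces.get(e) == "hard")
    return hard / len(unique) if unique else 0.0


def postal_undeliverable_rate(records, returned):
    with_postcode = [r for r in records if r["postcode"]]
    hits = sum(1 for r in with_postcode if r["postcode"] in returned)
    return hits / len(with_postcode) if with_postcode else 0.0


def acceptance_report(records, bounces, returned, thresholds=THRESHOLDS):
    """Compare observed rates with the agreed thresholds; list every breach."""
    completeness = field_completeness(records)
    metrics = {
        "email_hard_bounce": hard_bounce_rate(records, bounces),
        "postal_undeliverable": postal_undeliverable_rate(records, returned),
        "invalid_email_rate": invalid_email_rate(records),
        "duplicate_rate": duplicate_rate(records),
        "min_field_completeness": min(completeness.values()),
    }
    failures = []
    for name, value in metrics.items():
        limit = thresholds[name]
        # Completeness is a floor; every other metric is a ceiling.
        breached = value < limit if name == "min_field_completeness" else value > limit
        if breached:
            failures.append(f"{name}: {value:.1%} (agreed {limit:.0%})")
    return {"metrics": metrics, "completeness": completeness,
            "failures": failures, "accept": not failures}


if __name__ == "__main__":
    report = acceptance_report(parse_records(SAMPLE_CSV),
                               SAMPLE_BOUNCES, SAMPLE_RETURNED_MAIL)
    print("ACCEPT" if report["accept"] else "REJECT, claim replacements for:")
    for failure in report["failures"]:
        print("  ", failure)
```

Run against the constructed delivery, the report rejects the file on four counts (hard bounces, malformed addresses, duplicates and completeness) and passes only the postal check. The hard-bounce rate is computed over unique addresses so that a duplicated contact cannot inflate or dilute it, and the thresholds are a single dictionary so the figures agreed in the licence can be dropped in unchanged.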
Red flag 8: no Article 14 guidance for the buyer
UK GDPR Article 14 requires that individuals whose data was obtained from a source other than themselves are told who holds it, where it came from and why: within a reasonable period and at the latest within one month of obtaining the data, and, where the data will be used to contact them, no later than that first communication. Because you intend to contact these individuals anyway, the Article 14(5) disproportionate-effort exemption is unlikely to apply; the ICO's guidance expects the notice to go out with or before the first marketing message. As a buyer, you are responsible for sending this notice (the supplier has its own, separate Article 14 duty when it first obtains the data); but a good supplier makes it easy by providing a template or at minimum a clear statement of what information you are required to include. If your prospective supplier has never heard of Article 14 or cannot explain what you need to do, their compliance expertise is insufficient. Our guide to choosing a B2B data provider covers the due diligence questions in full.
Red flag 9: pressure-sale tactics
Artificial urgency ("this price is only available until Friday", "we only have 5,000 records left at this spec") is a standard manipulation tactic, and it has no place in a compliant data transaction. A reputable supplier knows that a buyer who feels rushed into a decision is more likely to skip due diligence, which creates liability for both parties. If you are being pressured to sign before you have received documentation, that pressure is itself a reason to pause. It is also worth asking why a supplier is so keen to close quickly: sometimes it is because they know the file would not pass scrutiny.
Red flag 10: reluctance to put warranties in the licence agreement
The data licence agreement is where a supplier's confidence in their product becomes legally binding. A reputable supplier will warrant that the data was compiled lawfully, that the lawful basis stated is accurate, that the data is current to within a specified period, and that the buyer has the right to use it for the stated purposes. Reluctance to include these warranties, or insistence on diluted language such as "to the best of our knowledge", is a significant red flag. It signals that the supplier does not want to be held accountable for the quality or legality of what they are selling.
Red flag reference table
The table below summarises each red flag, what it typically signals about the supplier, and the buyer-side risk if you proceed.
| Red flag | What it signals | Buyer-side risk |
|---|---|---|
| No written lawful basis | Incomplete processing documentation; possible non-registration with ICO | Shared liability under UK GDPR; ICO investigation risk |
| Legitimate interests claimed for B2C consumer electronic marketing | Fundamental misunderstanding or disregard of PECR | Direct PECR enforcement against the buyer as sender |
| Refusal of free count or sample | Supplier lacks claimed volume, or data would not survive inspection | Wasted spend; high bounce or suppression failure rates |
| Price significantly below market | Aged records, dubious sourcing, or fabricated data | High decay, suppression failures, campaign waste |
| Vague sourcing answers | Sourcing would not withstand ICO scrutiny | Receiving data with no valid lawful basis; enforcement liability |
| No ISO 27001 or equivalent | Inadequate information security controls | Data breach risk; no evidence to support your accountability (Article 5(2)) due diligence |
| No replacement guarantee | Supplier expects high undeliverable rate | Overpaying for poor-quality records; no recourse |
| No Article 14 guidance | Supplier has not thought through buyer compliance obligations | Buyer fails Article 14 notice duty; ICO complaint risk |
| Pressure-sale tactics | Supplier wants to close before buyer does due diligence | Buying without adequate documentation; rushed compliance |
| Warranties refused or heavily diluted | Supplier not confident in legality or quality of their file | No legal recourse if data proves non-compliant or inaccurate |
What does ICO enforcement tell us about buyer liability?
Buyers sometimes assume that if a supplier compiled the data unlawfully, the liability sits entirely with the supplier. The ICO's published enforcement record does not support this view. In several cases the ICO has issued fines or enforcement notices to organisations that purchased and used consumer data where the circumstances of acquisition should have prompted due diligence questions. The regulator's position, set out in its direct marketing guidance, is that a buyer who fails to take reasonable steps to verify that data was compiled with a valid lawful basis cannot rely on ignorance as a defence.
The ICO has also noted that very low purchase prices, inability to identify the original source of consent, and lack of supplier documentation are all indicators that should have given a buyer pause. Organisations fined in this context have included a financial services firm that purchased and cold-called consumer records from a broker who could not produce consent records, and a debt management company that purchased leads where the consent language was too vague to cover the specific marketing activity undertaken.
The practical lesson is straightforward: your due diligence is part of your own compliance programme, not an optional extra. If a supplier triggers red flags and you proceed anyway, the ICO will ask what steps you took to satisfy yourself the data was lawful. "The price was attractive" is not an answer.
How does the two-strike rule work in practice?
The two-strike rule is a practical heuristic, not a legal standard. A single red flag might have a benign explanation: a small specialist broker may not yet have achieved ISO 27001, but can demonstrate equivalent controls through their own written security policy and Cyber Essentials. A new supplier might not have a polished Article 14 template but understands the obligation and will work with you on it. Context matters.
Two or more red flags in combination is different. It indicates a pattern rather than a gap. A supplier who both refuses to provide a sample and is evasive about sourcing is not just running a lean operation; they are withholding two categories of information that any compliant supplier should be able to produce. A supplier who both refuses to warrant their data and quotes a price 70% below market has made their risk profile clear.
In our experience, buyers who push past two-strike situations rarely end up satisfied. The records underperform, the documentation turns out to be inadequate under scrutiny, or the supplier disappears when problems arise. The sunk cost of a cancelled negotiation is trivial compared with the cost of an ICO enforcement investigation, a suppression failure across 50,000 consumer records, or a campaign that generates formal complaints.
How do you walk away from a supplier professionally?
Keep it brief and factual. You do not owe a supplier a detailed critique of their compliance posture. A short written message is enough: "Following our conversations, we have been unable to obtain the documentation we require to complete our due diligence, and we will not be proceeding with this purchase." No further explanation is necessary.
If you have submitted a purchase order but no contract is signed, withdraw it in writing, citing unresolved due diligence questions. If a deposit has changed hands and the supplier refuses to return it despite documented failure to provide basic compliance information, note that refusal in your procurement records. It is relevant evidence if a dispute arises later, and it is itself a further signal about how the supplier conducts business.
Keep a record of your due diligence process regardless of whether the purchase proceeds. The ICO expects organisations to be able to demonstrate the steps they took. A short file note recording the questions asked, the responses received (or not received), and the decision reached takes ten minutes and could matter significantly if questions arise eighteen months down the line.
Before your next data purchase
Ask the supplier these four questions before you do anything else: What is the lawful basis under UK GDPR Article 6 for this file? Can you provide a free count and an anonymised sample? What does your licence agreement warrant about data quality and legality? Can you provide an Article 14 notice template for buyer use? If you get confident, specific written answers to all four, you are already past the majority of risk scenarios described in this article.
