What does Article 35 actually require?
Article 35 of UK GDPR states that where a type of processing is "likely to result in a high risk to the rights and freedoms of natural persons", the data controller must carry out a Data Protection Impact Assessment before the processing begins. Three scenarios trigger a mandatory DPIA under the legislation itself:
- Systematic and extensive profiling with significant effects on individuals, including automated decision-making.
- Large-scale processing of special-category data (health, ethnicity, political opinions, biometric data, and so on) or personal data relating to criminal convictions.
- Systematic monitoring of a publicly accessible area on a large scale.
For marketing data buyers, the first two are the relevant ones. Most B2B prospecting sits outside both: targeting a finance director at a Leeds manufacturer is not "profiling with significant effects", and business contact data is not special-category data. That said, the ICO has extended its list beyond those three statutory scenarios.
The ICO's nine high-risk processing types
The ICO published guidance identifying nine types of processing that will "almost always" require a DPIA. Two are directly relevant to data buyers:
- Large-scale profiling where the profiling is used to make decisions that affect individuals, including for targeted advertising or personalised pricing.
- Invisible processing where individuals are unlikely to be aware the data is being used, combined with large scale or profiling.
The term "large-scale" is not defined precisely, but the ICO's guidance points to volume, geographic reach, the number of data subjects affected, and the duration of processing as factors. Buying 500,000 UK consumer records and running them through an automated scoring model before triggering personalised email sequences is large-scale profiling. Buying 2,000 B2B records to send a targeted cold email campaign to Operations Directors in the East Midlands is not.
Two other ICO-listed types can catch out data buyers who cross-reference files:
- Matching or combining datasets that were collected in different contexts, particularly where individuals would not reasonably expect this to happen.
- Processing of data about vulnerable individuals, including children, elderly people, or those in financial difficulty.
If you are buying a financial-distress consumer file and then matching it against your CRM or against third-party behavioural data, you are almost certainly inside the DPIA mandatory zone.
DPIA vs LIA: what is the difference and do you need both?
These two documents are frequently confused because both involve a structured risk assessment of data processing. They serve completely different legal functions.
| Dimension | Legitimate Interests Assessment (LIA) | Data Protection Impact Assessment (DPIA) |
|---|---|---|
| Legal basis | UK GDPR Article 6(1)(f) | UK GDPR Article 35 |
| Purpose | Establishes lawful basis for processing under legitimate interests | Identifies, assesses, and mitigates risks to data subjects from the processing activity |
| Structure | Three-part test: purpose, necessity, balancing | Four sections: description of processing, necessity and proportionality, risks, mitigation measures |
| When required | Every time you rely on legitimate interests as your lawful basis | Only when processing is likely to result in high risk to individuals |
| Output | Documented decision that legitimate interests is justified and not overridden by individuals' rights | Documented risk register with mitigations applied; residual risk assessment |
| Must it be shared with the ICO? | No, retained internally as evidence of compliance | Not routinely, unless residual risk is high (triggers Article 36 prior consultation) |
| Applies to B2C consent-based data? | No (consent is the lawful basis, not legitimate interests) | Yes, if processing scale or nature triggers Article 35 |
A data buyer relying on legitimate interests for B2B processing should always complete an LIA. You can read more about that process in our guide to using legitimate interests as the lawful basis for B2B data under UK GDPR. The DPIA question is separate: it is triggered by the risk profile of the processing, not the lawful basis. You can run a DPIA on consent-based processing if it is high-risk, and you can run B2B legitimate-interests processing without a DPIA if the risk level is modest.
How to structure a DPIA for a data purchase
The ICO provides a template that covers four main areas. Applying it specifically to a purchased-data scenario looks like this:
Section 1: Description of the processing
Be concrete: name the data supplier, describe the file (field set, volume, suppression history), specify the channels you intend to use (direct mail, telephone, email), state the campaign objective, and identify who within your organisation will access the data. Vague descriptions ("we will use the data for marketing purposes") will not satisfy an ICO review.
Section 2: Necessity and proportionality
Could you achieve your campaign goal with less data? If you are buying 100,000 records but your campaign can only practically reach 20,000, buying 100,000 is disproportionate. Document why you need the fields you have requested: a telemarketing campaign needs telephone numbers and TPS suppression status; it does not need date of birth or home ownership data unless those are genuine targeting criteria.
Section 3: Risk identification
Work through the risks to data subjects. For a consumer data purchase, the relevant risks typically include: the data being used for purposes beyond what was consented to at source, the data being retained longer than necessary, inaccurate data causing individuals to receive irrelevant or distressing communications, and data breaches exposing personal contact details. For a B2B file the risk profile is lower, but still worth documenting: reputational harm to an individual if contact details are used improperly, risk of targeting individuals who have since left the relevant role.
Section 4: Mitigation measures
This is the section that turns a DPIA from a bureaucratic exercise into a genuinely useful compliance tool. For each risk identified, document what you will actually do: TPS/MPS suppression before any telephone or direct mail use, a defined retention period and deletion schedule, access controls limiting who can export the file, a process for handling opt-out requests within 28 days, and confirmation that you have contractual assurances from the supplier about the file's provenance.
Residual risk and Article 36
If your DPIA concludes that significant risks remain after all mitigation measures are applied, UK GDPR Article 36 requires you to consult the ICO before the processing starts. This is not a sign-off process: the ICO will assess whether the processing can proceed at all, and can prohibit it. In practice, reaching this point in a marketing-data context suggests the processing design needs to change, not just the paperwork.
How the DPIA requirement changes your B2C consumer data buying process
B2C consumer data buying is where the DPIA obligation bites hardest, for two reasons. First, consumer records are personal data about private individuals who may be unaware their details are held by third-party data brokers. Second, the volumes involved in consumer campaigns routinely push past any sensible interpretation of "large scale".
In practical terms, before committing to a large consumer data purchase you should answer five questions:
- Does the volume, combined with the intended processing, constitute large-scale profiling? If the answer is yes or uncertain, a DPIA is mandatory before you sign the data licence.
- Are you combining this file with any other dataset (CRM, behavioural, third-party)? Matching or combining datasets across different collection contexts is a DPIA trigger in its own right.
- Does the file include any special-category proxies? Financial-distress indicators, health-interest categories, and household vulnerability flags can constitute special-category data, or at minimum warrant heightened caution.
- Does the supplier provide confirmation of the consent basis for each record, including which categories of marketing each individual opted into? Without this, the field-level consent documentation your DPIA needs to reference does not exist.
- Do you have a data retention and deletion process in place before the file arrives? A DPIA that records "records will be deleted after 12 months" is only credible if your CRM actually enforces that.
A useful side effect of completing a DPIA before a consumer data purchase is that it forces a genuine conversation with your data supplier about data quality, provenance, and consent documentation. Suppliers who cannot answer specific questions about their collection methodology are telling you something important about the quality of what they are selling.
When is a DPIA just good practice rather than mandatory?
The ICO's position is that even where a DPIA is not strictly mandatory, completing one is good practice for any processing that carries some degree of privacy risk. For B2B prospecting to purchased lists, that means a documented DPIA (even a short one) is worth completing before any significant campaign, for two reasons.
First, it creates a contemporaneous record that you considered the privacy implications of your processing before it happened. If a data subject or the ICO later questions your compliance, a completed DPIA is evidence of a systematic approach rather than an ad hoc decision. Second, the process itself often surfaces practical issues: you discover that your CRM does not have a field to record the suppression date, or that your team has no process for handling a Subject Access Request from a purchased-list contact.
In our experience, organisations that treat the DPIA as a genuine risk-management exercise rather than a box-ticking form tend to run cleaner, better-targeted campaigns. The discipline of documenting why you need each data field has a useful side effect: you stop buying fields you do not use, which reduces both cost and risk.
For a B2B campaign targeting a few hundred or few thousand named contacts, a two-page DPIA covering the four sections above is entirely proportionate. There is no requirement for a lengthy document when the risk profile is genuinely low.
