Why the buying process matters as much as the data itself
Plenty of organisations buy a list, run a campaign, and only discover compliance gaps when a contact complains to the Information Commissioner's Office (ICO). Failure to provide an adequate Article 14 notice, for example, is a standalone enforcement matter under UK GDPR, separate from questions of lawful basis. Getting the process right from the start is not bureaucratic caution; it is the difference between a file you can use confidently and one that creates legal exposure.
The six steps below are sequenced deliberately. Skipping or reordering them is where most mistakes happen. A Manchester-based SaaS firm recently purchased a B2B file, ran a cold email campaign, and received an ICO enquiry three months later because they had never completed their own Legitimate Interests Assessment. The supplier's paperwork was fine; the buyer's was non-existent. That is the pattern this guide is designed to prevent.
The six-step process: from brief to first send
Each step below serves a specific legal or commercial purpose. The table that follows gives a compressed view of the whole sequence.
| Step | Action | Who does it | Typical time | Key output |
|---|---|---|---|---|
| 1 | Clarify targeting criteria | Buyer | 1 day | Written brief to supplier |
| 2 | Verify supplier's lawful basis | Buyer (with supplier evidence) | 1 to 3 days | Supplier's LIA or consent evidence on file |
| 3 | Request free count and sample | Supplier delivers; buyer reviews | 1 to 2 days | Volume, sample records, quality check |
| 4 | Complete buyer's own LIA | Buyer (legal/DPO input) | 2 to 5 days | Signed, dated LIA document |
| 5 | Agree licence terms in writing | Both parties | 1 to 2 days | Signed order or data licence agreement |
| 6 | Post-purchase processing | Buyer | 1 to 2 days | TPS/MPS-washed file; Article 14 notice sent |
Step 1: define your targeting criteria before you speak to any supplier
Vague briefs produce vague counts and slow the whole process. Before contacting a supplier, write down: geography (UK region, county, or postcode sector), industry (UK SIC 2007 codes if possible), company size (employee headcount or turnover bands), job function and seniority level for B2B, or demographic and interest profile for B2C. The more specific the brief, the faster you get a count you can actually use for planning.
For B2B, also decide which channels you need: direct telephone, mobile, business email, LinkedIn URL, or postal. Different channels carry different suppression obligations, so knowing this upfront shapes the licence discussion at Step 5.
Step 2: verify the supplier's lawful basis in writing
Under UK GDPR, as the receiving data controller you cannot simply accept a verbal assurance that the data is "GDPR-compliant." You need written confirmation of the lawful basis under Article 6, and for B2B data you should ask specifically whether the supplier has completed a Legitimate Interests Assessment (LIA) covering the purpose of third-party marketing.
The lawful basis requirements differ sharply by file type:
- B2B files: legitimate interests under Article 6(1)(f) UK GDPR. The supplier should have documented the purpose test (commercial marketing to business contacts), the necessity test (is personal data actually needed for this?), and the balancing test (do individuals' interests override the legitimate interest?). A reputable supplier will share at least a summary of this assessment on request.
- B2C files: consent under Article 6(1)(a) UK GDPR, plus PECR consent for electronic channels. The supplier must be able to confirm how and when individuals opted in, to what categories of marketing, and through which channels. Ask about consent age: if the consent is more than two years old and has not been refreshed, its quality degrades.
If a supplier cannot produce any documentation of lawful basis, walk away. The ICO takes a dim view of data controllers who cannot account for the legal basis underpinning their processing, and you will absorb that risk the moment the file reaches you. See our guide to legitimate interests for B2B data in the UK for a full breakdown of what the assessment should contain.
Step 3: request a free count and sample before committing
Any credible data supplier will run a count against your criteria at no charge. The count tells you whether the volume is worth the spend. A sample of 20 to 50 records lets you check field quality: are job titles formatted consistently, are telephone numbers in the correct UK format, are business email addresses genuine corporate domains rather than generic ones?
A common mistake at this stage is accepting a count without a sample. Volume alone tells you nothing about accuracy. A file with 8,000 Operations Directors in the Midlands is attractive; a file where 30% of the telephone numbers are missing the STD code is not.
Step 4: complete your own Legitimate Interests Assessment
This step trips up more buyers than any other. The supplier's LIA covers the supplier's processing. Your LIA covers yours. As the data controller running the campaign, you are obliged under UK GDPR to identify and document your own lawful basis independently. You cannot delegate this to the supplier.
An LIA for bought B2B data covers three questions. First, the purpose test: is the marketing purpose legitimate? (Commercial B2B marketing to relevant business contacts almost always passes, provided you are not targeting individuals on manifestly personal matters.) Second, the necessity test: is using personal data necessary for this purpose, or could you achieve the same result with anonymised or aggregated data? Third, the balancing test: weighed against the reasonable expectations of a business contact who works in the role you are targeting, do their privacy interests override yours? For role-based B2B prospecting, the balancing test is typically favourable, provided you respect opt-out requests promptly.
Document all three tests. Date and sign the document. Store it in your records-of-processing register. The ICO's enforcement casebook contains multiple examples of organisations that had a legitimate commercial purpose but could not produce documentation to prove it. See our separate guide to ICO guidance on marketing data for the enforcement context.
Common mistake: skipping the LIA because the supplier did one
Your supplier's Legitimate Interests Assessment only covers their processing activities. You are a separate data controller. Article 6 requires every data controller to identify and document their own lawful basis. One LIA between two organisations is never sufficient.
Step 5: agree licence terms and pricing in writing before receiving the file
Data licence terms set out what you may do with the file, for how long, and across which channels. The main variants are:
- Single-use licence: one campaign deployment, after which the file must be deleted from live systems (suppression records can be retained). Lowest cost per record.
- Multi-use or rolling licence (typically 12 months): allows repeated deployment over the licence period for the agreed channel set. Priced at a premium, but cost-effective if you plan three or more campaigns against the same audience.
- Perpetual licence: less common, and worth scrutinising, because data decays. A perpetual licence on a B2B file without a refresh provision is buying a depreciating asset. B2B data decays at roughly 25 to 30% per year as contacts change roles.
The licence should also specify the permitted channels explicitly. If you have licensed email but not telephone, calling those records is outside scope. Get this in writing before the file transfers, not after.
For more detail on evaluating a supplier holistically before committing, see our guide on how to choose a B2B data provider in the UK.
Step 6: mandatory post-purchase processing
Receiving the file is not the end of the compliance process. Two obligations apply before you send a single message.
TPS and MPS suppression wash. The Privacy and Electronic Communications Regulations (PECR) prohibit making unsolicited direct marketing calls to numbers registered with the Telephone Preference Service (TPS), regardless of whether you have a legitimate-interests lawful basis under UK GDPR. TPS and GDPR operate in parallel; a clean GDPR position does not override PECR. Wash the file through the current TPS register before any outbound calling, and through the Mailing Preference Service (MPS) if you are running direct mail to individuals at home addresses. Both washes typically take a few hours via a bureau or automated suppression service.
Article 14 notice. Article 14 of UK GDPR requires that where personal data has been obtained from a source other than the data subject (i.e., you bought the data rather than collecting it directly), you must inform the individuals of your identity, the purposes and lawful basis for processing, any recipients of the data, the data retention period, and their rights (including the right to object to direct marketing). The deadline is one month from obtaining the data, unless your first contact with individuals occurs before that deadline, in which case the Article 14 notice must accompany or precede that first contact.
In practice, for email-channel campaigns, the Article 14 disclosure is typically woven into the first marketing email: a short paragraph or footer block identifying the data source and confirming the right to opt out. For postal or telephone campaigns, the disclosure requirement is met by including it in the first communication. The ICO has published guidance on Article 14 and considers failure to notify a separate, enforceable breach in its own right.
UK GDPR and PECR: the legal framework in brief
Two pieces of legislation govern UK marketing data. They interact rather than one overriding the other.
UK GDPR (the UK's post-Brexit adaptation of the EU General Data Protection Regulation) sets the framework for processing personal data: what lawful basis you need, what individuals' rights are, what documentation you must keep, and how long you may hold data. The Information Commissioner's Office enforces UK GDPR and can issue fines of up to £17.5 million or 4% of global annual turnover.
PECR (the Privacy and Electronic Communications Regulations 2003, as amended) sits alongside UK GDPR and specifically governs electronic marketing: email, SMS, automated calls, and recorded messages to individuals. PECR requires either prior consent or, for business-to-business electronic marketing, a reasonable presumption that the individual would not object. Crucially, PECR also contains the TPS restriction on live voice calls, which applies to both individuals and sole traders regardless of the GDPR position.
A common misconception is that GDPR alone is the relevant law. For telemarketing and email campaigns, PECR is often the higher bar. In our experience, buyers who focus only on GDPR lawful basis and ignore TPS obligations are the ones who generate complaints and ICO enquiries within the first few months of a campaign.
Common mistakes and how to avoid them
The compliance failures we see most often are not complex edge cases. They are predictable gaps that arise when buyers treat data purchase as a purely commercial transaction rather than a regulated one.
| Mistake | Why it creates risk | How to avoid it |
|---|---|---|
| No buyer-side LIA completed | You are processing personal data without documented lawful basis, an independent UK GDPR breach | Complete your own three-part LIA (purpose, necessity, balancing) before campaign launch |
| Skipping TPS suppression wash | PECR breach on every non-consented call; ICO fine risk per campaign, not per record | Run TPS wash within 28 days of campaign launch (TPS register updates monthly) |
| Accepting vague supplier representation on lawful basis | You absorb the supplier's compliance gap the moment you process the data | Request the supplier's LIA summary or consent evidence in writing; store it on file |
| No Article 14 notice sent | Standalone UK GDPR breach enforceable by ICO, separate from campaign compliance | Include Article 14 disclosure in first communication, or send a standalone notice within one month of file receipt |
| Using a single-use licence file for multiple campaigns | Contractual breach and potentially unlawful processing beyond stated purpose | Check licence terms before re-using any file; negotiate multi-use upfront if you plan repeat campaigns |
| Buying B2C data for email campaigns without confirming consent channel coverage | PECR requires consent for email to individuals; consent may cover postal but not email | Ask the supplier specifically which channels the consent record covers before purchasing |
How long does the whole process take?
From the moment you write a targeting brief to the moment you send the first campaign message, one to three weeks is the realistic range. Where it takes three weeks, the delay is almost always in Step 4: a legal or data protection team reviewing and signing off the LIA. Organisations that have an LIA template prepared in advance, with the variable sections pre-scoped for bought-data campaigns, can complete Step 4 in a day rather than five.
The TPS wash at Step 6 is not the bottleneck. Suppression runs are typically same-day via an automated bureau. The Article 14 notice adds no material delay if you build it into the first communication rather than treating it as a separate task.
If your campaign timeline is genuinely tight, the single biggest time-saving is running Steps 2, 3, and 4 in parallel once you have a count in hand. You can draft and internally review your LIA while the supplier prepares the full file; no legal reason requires you to wait for Step 2 to fully resolve before starting Step 4, provided you document any outstanding supplier evidence as a condition precedent to campaign launch.
