Why supplier selection matters more than most buyers realise
Most buying decisions for B2B data come down to price and record count. That is understandable. The catalogue pages look similar, the unit costs are easy to compare, and a file of 50,000 decision-makers feels like 50,000 decision-makers regardless of where it came from. The problem surfaces three months later: a string of TPS complaints, a poor connect rate, or a letter from the ICO asking how you satisfied yourself that the data was lawfully obtained.
Under UK GDPR, the buyer of a data file is a data controller in their own right. You are not an innocent party who simply received a list. The ICO's guidance on buying marketing lists is explicit: you must carry out due diligence on your supplier and be able to demonstrate it. Five questions, asked before you sign, give you that paper trail and filter out the suppliers most likely to cause you a problem.
The five questions to ask every UK B2B data supplier
Question 1: What is the lawful basis for every record, and can I see the documentation?
For B2B marketing data in the UK, the standard answer is legitimate interests under Article 6(1)(f) UK GDPR. A supplier relying on legitimate interests must have completed a Legitimate Interests Assessment (LIA) that covers their own compilation and processing activity, and they should be willing to share it. If a supplier says "our data is consent-based" but cannot produce a consent record or explain the mechanism by which consent was collected, treat that claim sceptically. Genuine consent for B2B cold marketing is rare and expensive to collect at scale.
The LIA must pass the three-part test: purpose test (is the interest legitimate?), necessity test (is data processing necessary for that purpose?), and balancing test (do the interests of data subjects override the supplier's interest?). For B2B prospecting to corporate contacts at named organisations, legitimate interests is a defensible basis provided the supplier has genuine documentation. Ask to see the LIA. A supplier who cannot produce one, or who says "it is internal and confidential," is telling you something important about their compliance posture.
Question 2: Where do the records actually come from?
The answer should name specific, publicly available sources: Companies House filings, corporate websites, published job listings, public industry directories, press releases. That level of specificity matters because it is checkable. You can look up a record from your sample against the stated source and verify it makes sense.
Vague answers ("we compile from multiple third-party sources") are a warning sign. They may indicate that the file has been assembled from other data brokers, passed through several hands, or compiled in ways the supplier would rather not describe. None of those are automatically disqualifying, but they require further investigation. Ask specifically: "Does any element of this file originate from a third-party data broker?" If yes, ask for the name and whether that broker has been audited.
Question 3: How recently was this data refreshed, and what is your refresh cycle?
UK B2B contact data decays at roughly 25-30% per year. A contact who was the Head of Procurement at a manufacturing company in Leeds twelve months ago may have moved employer, changed role, or left the business entirely. Email addresses attached to personal names at corporate domains ([email protected]) are particularly volatile. Mobile numbers are more stable but still move.
Best practice for a credible supplier is a rolling 90-day refresh on telephone and email fields, with company-level data reviewed at least annually. Ask: "When was this specific segment last verified?" and "What is your methodology for identifying dead or changed records?" Telephone verification against a live dialler, bounce processing against real sends, and cross-referencing against Companies House change notifications are all legitimate approaches. A supplier who can only tell you the file was "last compiled in Q3 last year" without further detail is probably selling a static asset.
Question 4: Is TPS and CTPS screening included, and when was it last run?
The Privacy and Electronic Communications Regulations (PECR) prohibit unsolicited direct marketing calls to individuals who have registered with the Telephone Preference Service (TPS) or to corporate numbers registered with the Corporate Telephone Preference Service (CTPS). Screening is not optional and it is not the sole responsibility of the buyer: a supplier delivering a pre-screened file has done half the job, but the screen must be current.
The ICO treats a screen more than 28 days old as insufficient for a new campaign. Ask for the TPS screen date in writing, and confirm whether it is included in the quoted price or charged separately. Some suppliers screen at the point of file creation and then resell the same file for months afterwards; the screen date is the test. If the supplier cannot confirm screening has been carried out at all, do not use the file for telemarketing.
Question 5: Can you provide a free count and a sample before I commit?
Any supplier worth working with will run a free record count against your targeting criteria before you pay anything. You specify the parameters: SIC 2007 code, geography (region, county, postcode sector), job function, seniority level, company size by headcount or turnover. They return a universe figure. That count tells you whether the file is large enough to support your campaign and is your first quality signal: if a supplier offers 80,000 Marketing Directors when the realistic UK universe is closer to 12,000, something does not add up.
A sample (typically 10-25 records for manual review) lets you check name formatting, company accuracy, and whether the job titles match the seniority level you requested. In our experience, even a 25-record sample catches obvious quality issues that a headline count obscures: mismatched job levels, company entries that are trading names rather than the registered entity, or postcodes that do not exist. Suppliers who refuse samples, or who price the sample into the initial order, are worth approaching with caution.
What to look at beyond the five questions
Pricing transparency and minimum order size
B2B data pricing in the UK varies considerably by segment. Decision-maker contacts at small and mid-size businesses typically cost less than director-level contacts at enterprise accounts; telemarketing files (which require more verification work) often cost more per record than postal files. Transparent pricing means a cost-per-thousand or cost-per-record that does not change when you ask for a breakdown. Minimum order sizes vary from 500 records to 5,000 depending on the supplier; ask upfront whether the minimum fits your campaign volume.
Pricing that is only available on request, or that requires you to speak to a senior account manager before a number is given, is not inherently suspicious but it does slow your evaluation process. Push for a written quote with per-record pricing visible before you agree to a call.
Licence terms: one-time versus subscription
Most UK B2B data is supplied under one of two licence structures, and the difference in long-term cost is substantial. Under a one-time use licence, you may contact each record once (or a defined number of times) within a set window, typically six to twelve months. You do not get replacement records if emails bounce or numbers prove invalid. A subscription licence costs more initially but gives you refreshed records at agreed intervals, usually quarterly, which significantly reduces decay. If you are running a persistent prospecting programme rather than a one-off campaign, a subscription model almost always delivers better economics over a 12-month horizon.
Check also: can you load the data into your CRM? Some licences restrict data to campaign use only and prohibit CRM import. That restriction is legitimate but it affects your workflow and should be agreed before purchase.
Delivery format and CRM compatibility
UK data suppliers typically deliver by CSV or Excel. Ask whether fields are standardised (given name, family name, job title, direct dial, mobile, business email, company, registered address, postcode, Companies House number where available, SIC 2007 code, headcount band). Inconsistent field naming causes import problems that consume more time than the data purchase itself. If you are using Salesforce, HubSpot, or Microsoft Dynamics, it is worth asking whether the supplier has a standard import template for your CRM.
Replacement guarantees
What happens when records prove to be inaccurate? A hard-bounced email, a number that rings to someone who has never worked at that company, a Director who left the business two years ago. Credible suppliers will replace confirmed bad records up to an agreed percentage of the file (often 10-15%) at no additional charge, provided you can evidence the failure within a defined period (typically 30-90 days of delivery). Get the replacement policy in writing before you pay. "We stand behind our data quality" is not a contractual commitment.
Supplier due diligence: the checklist
The table below summarises the minimum checks to document before purchasing B2B data from any UK supplier. Keep a copy of your completed checks; it is your defence if a data-subject complaint reaches the ICO.
| Due-diligence area | What to ask or check | Acceptable answer | Red flag |
|---|---|---|---|
| Lawful basis | "What is your lawful basis for holding and supplying this data?" | Legitimate interests with a documented LIA available on request | Cannot name a basis, or claims consent without evidence |
| Source of records | "Where do your records originate? Name the specific sources." | Named publicly available sources: Companies House, corporate web, public directories | Vague ("multiple third-party sources") or refuses to answer |
| Data refresh cycle | "When was this segment last verified? What is your methodology?" | Rolling verification, 90 days or less; named methodology | Static file, no verification cycle, or cannot confirm date |
| TPS/CTPS screening | "Is TPS/CTPS screening included? What is the screen date?" | Included as standard, screen date within 28 days of your campaign | Not screened, charged extra, or screen date unknown |
| Free count and sample | "Can you run a free count and provide a 25-record sample?" | Yes, free of charge before commitment | Refuses sample, or only offers sample as part of paid order |
| Licence terms | "Is this one-time use or a subscription? Can I load into CRM?" | Clearly documented in writing before purchase | Verbal only, or terms only visible in small print post-payment |
| Replacement policy | "What is your replacement guarantee for inaccurate records?" | Written guarantee, defined percentage and timeframe | No written policy, or replacements at additional charge |
| ICO registration | Check the supplier's ICO registration number on ico.org.uk | Active registration as a data controller under their trading name | No registration found, or expired registration |
What a bad supplier looks like in practice
Certain patterns recur in suppliers that generate complaints. Not every pattern is diagnostic on its own, but two or more in combination should prompt serious concern.
Warning signs to watch for
- Cannot name the lawful basis for their data without prompting, or gives a different answer to different questions.
- Prices seem unusually low relative to the claimed volume and quality (10,000 verified C-suite contacts for £50 should raise an eyebrow).
- Pushes to close the sale before you have seen a sample or a count.
- Terms of business place all compliance liability on the buyer with no supplier warranty on data accuracy or provenance.
- Cannot or will not confirm TPS screening in writing.
- Offers data for markets and geographies that seem implausibly broad for the price point.
- No ICO registration, or registered under a name that does not match the trading name on the invoice.
A supplier who ticks several of the above boxes may still deliver records that work for a short-term campaign. The issue is that they are unlikely to be able to withstand scrutiny if a data-subject complaint escalates. The ICO's enforcement record includes fines against buyers who failed to carry out basic checks on their suppliers, not just against the suppliers themselves.
What the ICO expects from data buyers
The ICO's guidance on direct marketing and buying lists is not ambiguous. Purchasing data from a third-party supplier does not transfer responsibility for that data's lawfulness to the supplier. As a data controller, you are responsible for the processing you carry out, which includes the initial decision to use a purchased file.
The practical expectation is documented due diligence: a written record that you asked the five questions above, what answers you received, and how you satisfied yourself those answers were credible. A short email thread asking for the LIA and TPS screen date, and receiving confirmation, is sufficient for most ICO purposes. Fifteen minutes of administration protects you against a complaint that could otherwise cost considerably more than the data purchase itself.
There is no requirement to audit the supplier's premises or conduct an independent technical review. The ICO distinguishes between reasonable checks appropriate to the risk level and full-scale third-party audits. For a one-off B2B campaign of standard scope, the five-question framework above and a written record of responses constitutes reasonable due diligence.