What does UK GDPR Article 6(1)(f) actually say?
Article 6(1)(f) of UK GDPR states that processing is lawful where it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject." That last clause is critical: the lawful basis is not automatic. It requires you to weigh your interests against those of the individuals whose data you hold.
The Information Commissioner's Office (ICO) breaks this into three sequential questions: Is there a legitimate interest? Is the processing necessary to achieve it? Do those interests override the individual's rights? Answer yes to all three, document your reasoning, and you have a valid basis. Skip any stage or leave the documentation vague, and you are exposed.
For B2B prospecting, the ICO has been explicit in its guidance that organisations pursuing a genuine commercial interest in reaching relevant business contacts can satisfy Article 6(1)(f). The key phrase is "genuine commercial interest": you cannot manufacture a tenuous link to claim the basis applies.
Why does B2B data usually pass the balancing test?
The balancing test is where most legal teams spend their time, and rightly so. For a sole trader or consumer, the test is far harder to pass: the individual may have no reasonable expectation of receiving commercial communications, and their privacy interests tend to be weightier. Corporate contacts are different.
A Finance Director at a manufacturing company with 200 staff can reasonably expect to receive relevant commercial approaches. Their business email address is often publicly listed on the company website, Companies House records, or professional directories. The processing is limited to their professional role, not their private life. That combination significantly shifts the balance towards the controller's interests.
Three factors consistently tip the balance in favour of legitimate interests for B2B data:
- Professional context. The individual is contacted about products or services relevant to their job function, not their personal life.
- Public availability. The contact details come from publicly available sources: the company website, Companies House filings, public job listings, or industry directories. This reduces the privacy intrusion compared to, say, a consumer file built from browsing behaviour.
- Proportionality. The data held is limited to what is needed for outreach (name, job title, business email, direct telephone), not sensitive personal data.
In our experience, a well-drafted LIA for a standard B2B prospecting programme is typically two to four pages and takes less than a day to complete once the template is understood. The ICO does not require a specific format, but the three-part structure above is the practical standard.
What must a Legitimate Interests Assessment cover?
The ICO does not mandate a fixed template, but its published guidance and enforcement decisions make clear what a defensible LIA looks like. Three sections are expected.
1. Purpose test
State what you are trying to achieve and confirm it is a real, specific interest rather than a hypothetical one. "We want to market our logistics software to Operations Directors at UK manufacturers with 50 to 500 employees" is specific. "We want to find new customers" is too vague to carry weight in an enforcement conversation.
2. Necessity test
Could you achieve the same purpose with less invasive means? For B2B prospecting, the answer is usually no: paid advertising cannot replicate the precision of targeted outreach to named decision-makers, and generic inbound campaigns would not reach cold prospects who have never encountered your brand. Document that reasoning explicitly.
3. Balancing test
Weigh your interests against the reasonable expectations of the contacts. For the purposes of a B2B LIA, the relevant factors are:
- The contacts are approached in their professional, not personal, capacity.
- The data is compiled from publicly available sources, with no sensitive categories processed.
- Every communication includes a clear, functioning opt-out mechanism.
- Opt-out requests are honoured promptly (the ICO's stated expectation is within 30 days, though faster is better practice).
- The contact list is kept current, with records removed when contacts leave roles or companies close.
A Manchester-based IT reseller prospecting to IT Managers across the North West is a textbook example of a use case that sails through all three tests. The individuals are reached in their professional role, the data comes from publicly available sources, and the subject matter is directly relevant to their job. Contrast that with cold outreach to personal mobile numbers obtained from an undisclosed source: the balancing test fails immediately.
Legitimate interests vs consent: which should you use for B2B?
A common point of confusion is whether legitimate interests is superior to consent for B2B, or whether you should collect consent from every prospect. The table below sets out the practical difference.
| Factor | Legitimate interests (Article 6(1)(f)) | Consent (Article 6(1)(a)) |
|---|---|---|
| Requires individual action before contact | No | Yes |
| Can be used for cold outreach | Yes, with LIA in place | Only if consent was obtained prior to the contact |
| Right to object | Yes, must be honoured promptly | Right to withdraw consent at any time |
| Documentation required | Legitimate Interests Assessment | Consent records (who, when, what they agreed to) |
| Suitable for purchased B2B data | Yes, if data compiled from publicly available sources | Only if valid consent was captured at source and transferred |
| Flexibility if purpose changes | Update and re-document the LIA | Must re-obtain consent for materially different purpose |
For most UK B2B prospecting programmes, legitimate interests is the correct and practical choice. Consent-based B2B data exists, but the consent must be specific, granular, and freely given. A vague agreement buried in terms and conditions does not meet the UK GDPR standard. Legitimate interests, properly documented, is cleaner and more resilient.
Where legitimate interests does NOT apply: the key exceptions
Sole traders and individual freelancers
UK GDPR protects natural persons, not companies. A Ltd company or a PLC does not have GDPR rights. But a sole trader operating under their own name (John Smith trading as John Smith Consulting) is a natural person, and their business email is also their personal data. The ICO's position is that this depends on context: where the sole trader presents themselves in a clearly commercial capacity, legitimate interests may still apply. Where the line is blurred, use consent.
Special category data
Article 9 of UK GDPR imposes additional conditions on processing special category data (health, ethnicity, religion, trade union membership, and others). If your B2B targeting involves inferring any of these (for example, targeting NHS clinicians and including health-condition inferences in the record), legitimate interests under Article 6 alone is insufficient. You need an additional condition under Article 9.
When your interest is not genuine
The ICO has taken enforcement action against organisations that claimed legitimate interests while, in practice, running operations with no real commercial rationale or with disproportionate targeting. The 2020 enforcement action against Experian's credit reference marketing division is the most cited example of the ICO scrutinising a claimed legitimate interests basis at scale. The lesson: document your LIA before you process, keep it updated, and make sure the purpose stated in the document matches what you actually do.
How PECR interacts with legitimate interests
UK GDPR and the Privacy and Electronic Communications Regulations (PECR) run in parallel. UK GDPR governs the processing of personal data; PECR governs the act of sending electronic direct marketing messages (email, SMS, automated calls). You must satisfy both frameworks simultaneously.
For B2B email to corporate addresses, PECR Regulation 22 allows unsolicited email marketing provided you include a valid address and a functioning opt-out in every message. This is sometimes called the "B2B email exemption," though that label slightly overstates it: there is no blanket exemption, only a lower threshold than for consumer email. Regulation 22 explicitly applies to "individual subscribers," which the ICO interprets as sole traders and some partnerships but not Ltd companies. For Ltd company contacts, the PECR threshold is lower and legitimate interests under UK GDPR is the primary framework that governs.
For telephone outreach, Regulation 21 prohibits calls to numbers registered with the Telephone Preference Service (TPS) without prior consent. This applies regardless of whether the contact is B2B or B2C. The TPS wash is mandatory before every dial campaign, and the suppression file must be no older than 28 days at the point of calling.
Practical steps before using a B2B data file
A Hertfordshire-based accountancy software firm preparing a B2B outreach campaign to Finance Directors at UK SMEs should work through the following before the first email or call goes out.
- Write and date the LIA. One document covering purpose, necessity, and balancing. Store it in your Record of Processing Activities (ROPA) under UK GDPR Article 30.
- Check the data source. B2B data compiled under legitimate interests from public sources (Companies House, corporate websites, public directories) is appropriate for your LIA to reference. Data of unknown provenance or sourced from non-public channels weakens the LIA's balancing argument.
- Prepare the Privacy Notice. Your privacy notice should describe legitimate interests as the lawful basis for B2B prospecting and explain the right to object. Include a direct link to the objection/unsubscribe mechanism in every communication.
- TPS wash for telephone numbers. Before any dial campaign, screen every telephone number against the TPS register. If your campaign includes mobile numbers for B2B contacts, include those in the wash: mobile TPS registration is valid and enforceable.
- Set up suppression management. Every opt-out or objection received must be logged in a suppression file and applied within 30 days at the latest. Best practice is within five working days. Sending to a suppressed contact a second time is an enforcement risk.
- Set a data retention policy. The ICO expects you to hold contact data only as long as it remains relevant to the stated purpose. For B2B prospecting, 24 months from the last meaningful engagement is a commonly adopted standard, though your LIA should state whatever period you have chosen and justify it.
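The TPS wash, suppression and retention steps above, carried out as one pre-campaign screen in Python. This is an added example, not code from the original article: the 28-day TPS file age limit, the internal opt-out list and the 24-month retention cutoff are the article's figures; the phone-number normalisation rule, the record layout and every sample contact are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

TPS_MAX_AGE_DAYS = 28   # TPS suppression file must be no older than this when calling
RETENTION_MONTHS = 24   # hold prospect data this long after the last meaningful engagement

@dataclass
class Contact:
    name: str
    phone: str
    last_engaged: date  # last meaningful engagement, drives the retention check

def normalise_phone(raw: str) -> str:
    """Keep digits only and map a UK national number (0...) to 44... so formats match (assumed rule)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return "44" + digits[1:] if digits.startswith("0") else digits

def screen_for_dialling(contacts, tps_numbers, tps_file_date, opt_outs, today):
    """Return (cleared, suppressed); refuse to run at all if the TPS wash is stale."""
    if (today - tps_file_date).days > TPS_MAX_AGE_DAYS:
        raise ValueError(f"TPS file older than {TPS_MAX_AGE_DAYS} days; re-run the wash")
    tps = {normalise_phone(n) for n in tps_numbers}
    blocked = {normalise_phone(n) for n in opt_outs}
    # 24 months back; day clamped to 28 so 29 Feb never produces an invalid date
    cutoff = today.replace(year=today.year - RETENTION_MONTHS // 12, day=min(today.day, 28))
    cleared, suppressed = [], []
    for c in contacts:
        number = normalise_phone(c.phone)
        if number in tps:
            suppressed.append((c.name, "TPS registered"))
        elif number in blocked:
            suppressed.append((c.name, "objected / opted out"))
        elif c.last_engaged < cutoff:
            suppressed.append((c.name, "beyond retention period"))
        else:
            cleared.append(c)
    return cleared, suppressed

def demo():
    """Constructed sample file: one record trips each suppression reason, one clears."""
    today = date(2024, 6, 1)
    contacts = [
        Contact("A. Patel (FD)", "01234 567890", date(2024, 3, 10)),    # on TPS
        Contact("B. Jones (FD)", "+44 7700 900123", date(2024, 1, 5)),  # objected
        Contact("C. Lee (FD)", "020 7946 0000", date(2024, 5, 20)),     # clears
        Contact("D. Khan (FD)", "0161 496 0000", date(2022, 4, 1)),     # stale
    ]
    tps = ["+44 1234 567890"]     # constructed TPS register extract
    opt_outs = ["07700 900123"]   # constructed internal suppression file
    return screen_for_dialling(contacts, tps, date(2024, 5, 10), opt_outs, today)
```

The suppressed list carries the reason for each exclusion so the outcome of the wash can be filed alongside the LIA as evidence of the check having been run.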
What happens after your LIA is complete?
Writing the LIA is the start, not the finish. The ICO's accountability principle under UK GDPR Article 5(2) requires you to demonstrate compliance on an ongoing basis, not just at the point the data is purchased. That means keeping the LIA current as your processing changes, and storing it where it can be produced quickly if the ICO requests it.
Three ongoing obligations are worth noting explicitly.
Responding to the right to object
Under UK GDPR Article 21, individuals have an absolute right to object to processing based on legitimate interests. "Absolute" means you cannot refuse it. You must stop processing the contact's data for that purpose, unless you can demonstrate compelling legitimate grounds that override their interests. In practice, for a B2B prospecting programme, compelling grounds will almost never exist: if someone objects, suppress them.
The right to object must be communicated clearly in your privacy notice and in every marketing communication. An unsubscribe link that only opts someone out of your email list is not sufficient if you also hold their mobile number for telemarketing. The objection covers all processing for the purpose stated in your LIA, not just the specific channel through which they objected.
Keeping the data accurate
The accuracy principle under Article 5(1)(d) requires that personal data is kept accurate and, where necessary, up to date. For B2B contact data, job titles and direct telephone numbers can decay quickly: studies suggest that around 25-30% of B2B contact records become inaccurate within twelve months as people change roles, companies restructure, or individuals leave the workforce. A B2B data file that has not been refreshed in two years carries a real accuracy risk. Where possible, work with a supplier whose file is actively maintained rather than a static list sold and re-sold without updates.
Updating the LIA when your processing changes
If you originally wrote your LIA for email outreach to Operations Directors in manufacturing, and you now want to add direct mail to the same audience, you need to review whether the LIA still holds for that additional channel. Postal outreach has a different privacy footprint from email: it reveals the recipient's workplace address to whoever handles the post. That is usually still proportionate for B2B, but the LIA should say so explicitly. Treat each material change in purpose, channel, or data category as a trigger to update the document.
