GDPR and B2B Outreach: What You Can and Cannot Do in 2026

GDPR doesn't ban B2B outreach — but it does set rules. Here's a plain-English guide to what you can and cannot do when prospecting in the UK and EU.


GDPR has been in effect since 2018, and it still confuses the hell out of B2B sales teams. Every year, some new blog post declares that cold email is dead, that you can't contact anyone without explicit consent, or that GDPR has essentially banned outbound sales in Europe. None of that is true.

But the rules are real, and the fines are real. In 2025 alone, European data protection authorities issued over €2 billion in GDPR fines across all sectors. Most of those were against large consumer-facing companies, but smaller B2B companies have been caught too — especially for sending bulk emails without a lawful basis or ignoring opt-out requests.

This guide explains, in plain English, what you can and cannot do when running B2B outreach in the UK and EU under GDPR. No legal jargon, no panic, just practical rules you can follow to keep your outreach compliant without killing your pipeline.

Disclaimer: This is a practical guide written for B2B sales teams, not legal advice. If you're dealing with complex data processing or high-risk scenarios, consult a data protection lawyer. But for standard B2B outreach, the principles below will keep you on solid ground.

Why GDPR Still Confuses B2B Teams

The confusion comes from three places.

First, GDPR was designed primarily for consumer data protection. Most of the high-profile cases involve companies like Meta, Amazon, and TikTok processing consumer data at massive scale. The B2B provisions are there, but they're less prominent in the public conversation, so sales teams hear "GDPR" and panic about their 50-person email campaign.

Second, the rules vary by country. GDPR is the baseline across the EU, but each country has its own ePrivacy rules that sit on top of GDPR and govern electronic communications specifically. The UK has PECR. Germany has the UWG. France has rules around consent. These national rules affect what you can do with email and phone outreach, and they're not always aligned with each other.

Third, vendors use GDPR fear to sell compliance tools. There's an entire industry built around GDPR anxiety — tools that promise to "make you GDPR compliant" by adding consent checkboxes, cookie banners, and data processing agreements. Some of these are useful. But a lot of them solve problems that don't apply to standard B2B outreach.

Let's cut through the noise and look at what GDPR actually says about B2B prospecting.

The Legal Basis for B2B Outreach Under GDPR

Under GDPR, you need a "lawful basis" to process someone's personal data. There are six lawful bases, but the two that matter for B2B outreach are:

1. Legitimate interest (Article 6(1)(f)). This is the legal basis most B2B outreach relies on. It says you can process personal data when you have a legitimate business interest in doing so, as long as that interest isn't overridden by the individual's rights and expectations.

In plain English: you can email a VP of Sales at a software company to tell them about your relevant service, because you have a legitimate interest in growing your business, and the VP of Sales would reasonably expect to receive relevant business communications. That's a legitimate interest.

The key requirements for legitimate interest:

  • Relevance. Your outreach must be genuinely relevant to the recipient's role and business. Mass-blasting a list of random emails doesn't meet this bar.
  • Proportionality. The data you use should be limited to what's necessary — name, work email, job title, company. You don't need personal phone numbers, home addresses, or personal email addresses for B2B outreach.
  • Reasonable expectation. Would the recipient reasonably expect to receive this type of communication? A VP of Sales expects sales-related messages. An employee who listed their email on a public company page expects some business contact. An individual who never shared their details in a business context does not.
  • Easy opt-out. Every message must include a clear, simple way to opt out. And you must honour opt-outs immediately.

2. Consent (Article 6(1)(a)). The person has explicitly agreed to receive your communications. This is the gold standard but is rarely practical for cold outreach — by definition, you haven't asked them yet. Consent is more relevant for marketing emails to existing contacts, newsletter sign-ups, and event follow-ups where the person has opted in.

For most B2B outreach, legitimate interest is the correct legal basis. You don't need consent to send a relevant business email to a business person at their work email address.

What You Can Do (With Examples)

Here's what compliant B2B outreach looks like in practice.

Send targeted, relevant emails to business contacts. You can email someone at their work address about a service that's relevant to their role. "Hi Sarah, I work with fintech compliance teams on [specific problem]. Would a 15-minute conversation be useful?" That's legitimate interest in action.

Use publicly available business data. Company websites, LinkedIn profiles (public information), business directories, Companies House filings, industry conference attendee lists (where data sharing is covered in the event's privacy policy) — all of these are legitimate sources for building prospect lists. You're not obtaining data through deception or from private sources.

Send follow-up emails. If someone doesn't respond to your first email, you can follow up — within reason. Two to three follow-ups over 2–3 weeks is generally acceptable. Twelve follow-ups over six months is not. Use common sense: would you find this volume annoying if you received it?

Connect on LinkedIn and send messages. LinkedIn outreach falls under LinkedIn's own terms of service, but the GDPR principles still apply. Keep it relevant, professional, and don't spam. LinkedIn's own platform rules are actually stricter than GDPR in many cases.

Contact someone who visited your website (with proper disclosure). If you use intent data or website visitor identification, you can contact prospects who've shown interest — as long as your privacy policy discloses this tracking and there's a legitimate interest basis for the outreach.

Buy B2B data from compliant providers. You can purchase prospect lists from data providers (ZoomInfo, Apollo, Cognism, etc.) as long as the provider has a lawful basis for the data they sell. Reputable providers document their compliance. Ask for their data processing agreement and check that they maintain opt-out lists.

If you're concerned about making sure your messaging is both compliant and effective, our guide on email deliverability in 2026 covers the technical side of keeping emails out of spam folders.

What You Cannot Do

Here's where teams get into trouble.

Ignore opt-out requests. This is the biggest compliance risk for B2B teams. When someone asks to be removed from your list — whether by replying "unsubscribe," clicking an unsubscribe link, or sending you a formal request — you must honour it promptly (within 30 days under GDPR, but ideally within 48 hours). Continuing to email someone who's opted out is a clear violation and the most common complaint that triggers regulatory action.

Use personal email addresses for cold outreach. Emailing someone's gmail.com or outlook.com address for business prospecting is problematic. GDPR treats personal email addresses differently from work email addresses. Stick to business domains.

Collect data without a purpose. You can't scrape thousands of email addresses "just in case" you might use them someday. GDPR requires that you have a specific, defined purpose for processing personal data. Build lists for specific campaigns with specific targeting criteria.

Fail to disclose how you got their data. If someone asks "How did you get my email address?" you need to have a clear answer. "From LinkedIn," "From your company's website," or "From [Data Provider] which sources publicly available business data" are all acceptable. "I don't know" or "I bought a list" (from an unknown, non-compliant source) are not.

Process data without a privacy policy. Your company must have a privacy policy that explains what data you collect, why, how you use it, and how people can opt out or request deletion. This policy should be accessible on your website. If you don't have one, fix that today.

Send automated marketing emails without consent in certain countries. This is where it gets nuanced. Under GDPR, legitimate interest can cover one-to-one sales emails. But automated bulk marketing emails (newsletters, promotional blasts) typically require consent under ePrivacy rules. The line between "sales outreach" and "marketing email" matters. Personalised, one-to-one emails about relevant topics are sales outreach. Batch-and-blast promotional emails are marketing. Treat them differently.

Transfer data outside the EU/UK without safeguards. If you're storing prospect data on servers in the US or sharing it with US-based tools, you need appropriate safeguards (Standard Contractual Clauses or equivalent). Most reputable SaaS tools already have these in place, but check.

How to Stay Compliant Without Killing Your Pipeline

Compliance doesn't mean you stop doing outreach. It means you do it thoughtfully. Here's a practical checklist:

  • Use work email addresses only. Never cold email personal addresses.
  • Make every email relevant. Personalise. Reference their role, industry, or a specific challenge. Generic mass emails are both non-compliant and ineffective.
  • Include an opt-out in every email. A simple line at the bottom works fine: "If you'd rather not hear from me, just reply and I'll remove you."
  • Honour opt-outs immediately. Build a suppression list and check it before every campaign. This is non-negotiable.
  • Document your lawful basis. For each campaign, note: who you're targeting, why it's relevant, where you got the data, and what your legitimate interest is. Keep this documentation — if someone complains, you need to show your reasoning.
  • Keep a data source log. For each list or data provider you use, document what data they provide, their compliance certifications, and whether they maintain opt-out lists.
  • Limit follow-ups. 2–3 follow-ups is reasonable. More than that without a reply starts to look like harassment, not sales.
  • Delete old data. If a prospect hasn't engaged with any of your outreach in 12 months, delete their data unless you have another lawful basis for keeping it. GDPR requires that you don't retain personal data longer than necessary.
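The checklist above can be enforced mechanically before a batch goes out. The following is an added example written for this guide (not code from the article or from Totalremoto): a pre-send screening function that applies the work-address rule, the suppression list, the documented-source rule, the 12-month retention limit and the follow-up cap. The prospect records, the suppression list and the free-mail domains beyond gmail.com and outlook.com are constructed for illustration.

```python
"""Pre-send screening for one outreach batch, applying the checklist above.
Constructed example: prospect records, suppression list and the extra free-mail
domains are invented; the rules are the article's own."""
from dataclasses import dataclass
from datetime import date, timedelta

# gmail.com and outlook.com are named in the article; the other two are assumed.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
MAX_FOLLOW_UPS = 3               # "2-3 follow-ups is reasonable"
RETENTION = timedelta(days=365)  # "hasn't engaged ... in 12 months"

@dataclass
class Prospect:
    email: str
    source: str           # where the address came from, for the data source log
    follow_ups_sent: int  # messages already sent after the first email
    last_engaged: date    # last reply/click/meeting, or first-contact date if none

def screen(prospects, suppression, today):
    """Split a batch into (send, blocked); blocked pairs each address with a reason."""
    suppressed = {e.strip().lower() for e in suppression}   # case-insensitive match
    send, blocked = [], []
    for p in prospects:
        addr = p.email.strip().lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr in suppressed:                # an opt-out overrides everything else
            blocked.append((addr, "opted out"))
        elif domain in PERSONAL_DOMAINS:
            blocked.append((addr, "personal address"))
        elif not p.source:
            blocked.append((addr, "no documented source"))
        elif today - p.last_engaged > RETENTION:
            blocked.append((addr, "12 months without engagement: delete"))
        elif p.follow_ups_sent >= MAX_FOLLOW_UPS:
            blocked.append((addr, "follow-up limit reached"))
        else:
            send.append(addr)
    return send, blocked

# Constructed sample batch; OPT@acme.example replied "unsubscribe" last week.
SAMPLE_SUPPRESSION = ["OPT@acme.example"]
SAMPLE_BATCH = [
    Prospect("Sarah@Example.com", "company website", 1, date(2026, 2, 1)),
    Prospect("lee@gmail.com", "LinkedIn", 0, date(2026, 2, 1)),
    Prospect("opt@acme.example", "data provider", 0, date(2026, 2, 1)),
    Prospect("old@acme.example", "data provider", 0, date(2024, 12, 1)),
    Prospect("done@acme.example", "data provider", 3, date(2026, 2, 1)),
    Prospect("mystery@acme.example", "", 0, date(2026, 2, 1)),
]

def demo(today=date(2026, 3, 1)):
    """Run the sample batch; returns (send, blocked) for inspection."""
    return screen(SAMPLE_BATCH, SAMPLE_SUPPRESSION, today)
```

The blocked list doubles as the campaign's compliance record: each entry states which rule stopped the send, which is the documentation a regulator asks for when a complaint arrives.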

If all of this feels like a lot, working with a compliant lead gen partner can take the compliance burden off your plate. Good partners handle data sourcing, opt-out management, and documentation as part of the service.

Country-Specific Notes: UK, Germany, France, Ireland

GDPR is the baseline, but these countries have additional rules that affect B2B outreach.

United Kingdom

Post-Brexit, the UK has its own version of GDPR (UK GDPR) enforced by the ICO. The rules are nearly identical to EU GDPR for B2B outreach. The key addition is PECR (Privacy and Electronic Communications Regulations), which governs electronic marketing. Under PECR, B2B emails can be sent under a "soft opt-in" or legitimate interest basis. The UK is generally considered one of the more permissive environments for B2B cold email, as long as you include an opt-out and honour it.

Germany

Germany is the strictest country in Europe for outreach. The UWG (Unfair Competition Act) essentially requires consent for all commercial emails — even B2B. In practice, this means cold email to German business contacts carries more risk than in other EU countries. Many compliance experts recommend focusing on LinkedIn outreach and phone calls for German prospects, or obtaining some form of prior interaction (event attendance, content download) before emailing. If you do email, keep it highly relevant, personalised, and limited in volume.

France

France's CNIL (data protection authority) has taken a moderate position on B2B outreach. Cold B2B emails are permitted under legitimate interest if the message is relevant to the recipient's professional role, you obtained the email from a professional source, and you include an opt-out mechanism. The CNIL has specifically stated that B2B prospecting emails don't require prior consent, as long as the content is relevant to the person's work. But they enforce opt-out obligations strictly.

Ireland

Ireland's DPC (Data Protection Commission) follows EU GDPR closely. For B2B email, Ireland's ePrivacy regulations (SI 336/2011) allow unsolicited commercial emails to business contacts where the sender has a legitimate interest. The practical requirements align with standard GDPR: relevance, opt-out, and data sourcing transparency. Ireland's DPC has been more focused on large tech company compliance than B2B sales outreach, but the rules still apply.

Frequently Asked Questions

Do I need consent to send a cold B2B email?

In most EU/UK countries, no — you can rely on legitimate interest for relevant, targeted, one-to-one B2B outreach. The exception is Germany, where the UWG effectively requires consent for commercial emails. For all other countries, make sure the email is relevant to the recipient's professional role, you have a clear opt-out, and you can explain how you obtained their contact information.

Can I use LinkedIn data for email outreach?

You can use publicly visible LinkedIn information (name, job title, company) to identify prospects and personalise outreach. However, LinkedIn's terms of service prohibit automated scraping of their platform. Manual research is fine. Tools that scrape LinkedIn at scale without API access violate LinkedIn's terms and could also raise GDPR concerns about how the data was obtained. Use LinkedIn data responsibly, and consider LinkedIn Sales Navigator for compliant data access.

What happens if someone reports me to a data protection authority?

If someone files a complaint, the relevant DPA (Data Protection Authority) will typically investigate. For minor B2B outreach complaints (like failure to honour an opt-out), the usual outcome is a warning and instruction to fix the issue. For systematic violations (ignoring hundreds of opt-out requests, bulk emailing personal addresses), fines can follow. The maximum GDPR fine is 4% of annual turnover or €20 million, whichever is higher — but this is reserved for serious violations. Small B2B companies are far more likely to receive warnings than fines, as long as they respond quickly and fix the problem.

Do I need a Data Protection Officer (DPO)?

Most small B2B companies don't need a formal DPO. GDPR requires a DPO if you're a public authority, if your core activities involve large-scale systematic monitoring, or if you process special category data at scale. Standard B2B outreach doesn't trigger these requirements. That said, someone on your team should own data protection responsibility — understanding the rules, handling opt-out requests, and maintaining documentation.

How does GDPR apply to AI-generated outreach?

The same rules apply regardless of whether a human or AI writes the email. The lawful basis requirement, opt-out obligation, and data protection principles don't change because AI is involved. However, if you're using AI to make decisions that significantly affect individuals (like automated profiling that determines whether someone receives outreach), additional GDPR provisions around automated decision-making may apply. For standard AI-assisted email personalisation, the normal legitimate interest basis is sufficient.

Should I add a GDPR disclaimer to my outreach emails?

A brief, human-readable line explaining why you're reaching out and how to opt out is good practice. Something like: "I'm reaching out because your role at [Company] seems relevant to what we do. If you'd rather not hear from me, just let me know and I'll remove you from my list." Avoid long legal disclaimers — they look like spam triggers and don't add compliance value. Your website privacy policy should cover the detailed legal requirements.

Compliant Outreach, Built In

Totalremoto runs GDPR-compliant outreach as standard — proper data sourcing, opt-out management, and documentation are built into our process. We handle the compliance overhead so you can focus on selling, not worrying about data protection regulations.
