CM Beyer North America LLC · Casper WY 82609 contact@cmbeyer.com

UK GDPR and marketing: what you can and cannot do with customer data in 2026

The UK General Data Protection Regulation (UK GDPR) governs how businesses collect, store, and use personal data. For marketers, it determines what you may do with customer information, on what legal footing, and what the penalties are for getting it wrong.

UK GDPR vs EU GDPR

Following Brexit, the EU GDPR was retained in UK law as the UK GDPR, which sits alongside the Data Protection Act 2018. The rules are substantively similar, but the UK regime is enforced by the Information Commissioner's Office (ICO). A UK business that offers goods or services to, or monitors the behaviour of, individuals in the EU is also within the scope of the EU GDPR and must comply with both.

The Six Lawful Bases

To process personal data you need one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For marketing, consent and legitimate interests are the two that matter in practice.

Consent must be freely given, specific, informed, and unambiguous, and given by a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not count, and withdrawing consent must be as easy as giving it.

Legitimate interests requires a documented Legitimate Interests Assessment (LIA) covering three questions: what your interest is (purpose test), whether the processing is necessary to achieve it (necessity test), and whether that interest is overridden by the individual's rights and reasonable expectations (balancing test).

Consent vs Legitimate Interest for Marketing

Cold electronic outreach to individuals with no prior relationship generally requires consent. Marketing to existing customers about your own similar products or services may rely on legitimate interests, but only if they were given a simple way to opt out when their details were collected and are given one in every subsequent message. Individuals have an absolute right to object to direct marketing; once they do, that marketing must stop.

Email and SMS Rules (PECR)

The Privacy and Electronic Communications Regulations (PECR) add rules on top of the UK GDPR for electronic marketing, including email and SMS. PECR requires prior consent for unsolicited marketing messages to individuals, with a "soft opt-in" exception for existing customers: the details must have been obtained during a sale or negotiations for a sale, the messages must concern similar products or services, and the recipient must have been offered an opt-out at collection and in every message. See our guide to PECR and cookie consent.

Data Subject Rights

Individuals can access, rectify, erase, restrict, and port their data, and object to its processing. You must respond to a request without undue delay and within one calendar month, extendable by a further two months only where requests are complex or numerous, and you must tell the individual about any extension within the first month. CM Beyer provides a DSAR form for this.

Penalties

The maximum fine under the UK GDPR is 17.5 million pounds or 4% of total worldwide annual turnover, whichever is higher. Most ICO fines for marketing breaches, particularly unsolicited calls, emails and texts and inadequate consent, have been issued under PECR, which carries its own penalty regime.

Frequently Asked Questions

Can I email someone who gave me their business card?

Not automatically for marketing. A business card is contact information, not consent to receive marketing. You still need a lawful basis under the UK GDPR and, for email or SMS to an individual, consent or a valid soft opt-in under PECR.

Do I need a privacy policy?

Yes. See CM Beyer Privacy Policy for an example.

Filed under: Compliance