CM Beyer Limited · Company No. 17009212 sales@cmbeyer.co.uk

The UK General Data Protection Regulation governs how businesses collect, store, and use personal data. For marketers, it determines what you can do with customer information — and the penalties for getting it wrong.

UK GDPR vs EU GDPR

Following Brexit, the UK adopted its own version — the UK GDPR — alongside the Data Protection Act 2018. The rules are substantively similar but enforced by the ICO. UK businesses processing EU residents' data must comply with both.

The Six Lawful Bases

To process personal data you need a lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For marketing, consent and legitimate interests are most relevant.

Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count.

Legitimate interests requires a Legitimate Interests Assessment documenting your interest, the necessity, and the balance against individual rights.

Consent vs Legitimate Interest for Marketing

Cold outreach to people with no prior relationship generally requires consent. Marketing to existing customers about similar services may use legitimate interests — but only with an opt-out at collection and in every communication.

Email and SMS Rules (PECR)

PECR adds rules on top of GDPR for electronic marketing. It requires consent for unsolicited emails, with a “soft opt-in” exception for existing customers. See our guide to PECR and cookie consent.

Data Subject Rights

Individuals can access, rectify, erase, restrict, port, and object to processing of their data. Respond within one calendar month. CM Beyer provides a DSAR form for this.

Penalties

Maximum fines: 17.5 million pounds or 4% of global turnover. The ICO has issued significant fines for marketing breaches, particularly unsolicited communications and inadequate consent.

Frequently Asked Questions

Can I email someone who gave me their business card?

Not automatically for marketing. A business card is not marketing consent.

Do I need a privacy policy?

Yes. See the CM Beyer Privacy Policy for an example.

Filed under: Compliance
