Is a Business Email Address Personal Data Under UK GDPR?
Yes, if it names a person. jane.smith@company.co.uk is personal data; info@company.co.uk usually is not. Here is the simple test, and what it means for cold email.
A question we get a lot: "It's a work email, so GDPR doesn't apply, right?" It is one of the most common and most costly misunderstandings in B2B prospecting. The short answer is that a business email can absolutely be personal data, and whether it is comes down to one simple test.
This is not legal advice. It is an operator's summary of the rules we follow ourselves to keep the Leadistry database compliant.
The simple test
Ask: does the address identify a specific living person?
- jane.smith@acmeltd.co.uk identifies Jane Smith. That is personal data, even though it is a work address used for business.
- info@acmeltd.co.uk or sales@acmeltd.co.uk does not, on its own, identify anyone. That is generally not personal data (it is a company mailbox).
The context of use does not change this. "For business purposes" does not switch off GDPR. If a person can be identified, UK GDPR applies.
Named versus generic addresses
This is why the named-versus-generic distinction matters so much for outreach:
- Named addresses (first name, surname, or initials of a real person) are personal data. You need a lawful basis to process them, and the person has data-protection rights.
- Generic role addresses (info@, hello@, sales@, contact@) are usually company data, not personal data, and are lower risk to hold and contact.
What that means for cold email
If you are emailing a named business address, two sets of rules apply at once:
1. UK GDPR: you need a lawful basis. For B2B prospecting that is normally legitimate interest (Article 6(1)(f)): you have a genuine commercial interest, the processing is necessary for it, and it does not override the person's rights. You should write this down in a short legitimate-interests assessment. 2. PECR: whether you can email without consent depends on whether the organisation is a limited company or a sole trader. We explain that in can you legally email sole traders?.
The person keeps their rights
Because a named business email is personal data, the individual behind it can:
- Object to direct marketing (this is an absolute right, so you must stop), and
- Ask to access, correct or erase the data you hold.
Handling those requests promptly, and keeping a suppression list so a removal sticks, is the core of staying compliant. Leadistry provides a public one-click removal form for exactly this.
Quick checklist
- Named address? Treat it as personal data.
- Generic role address? Usually company data, lower risk.
- Have a lawful basis (legitimate interest) written down for the named data you hold.
- Check whether the company is incorporated before you email cold (see the sole traders guide).
- Give an opt-out in every message and honour objections fast.
Want data that already respects this line? Leadistry delivers named business emails only for incorporated companies, with sole traders and freemail screened out, and a permanent removal route on every record.
Filter 5 million UK companies by SIC code, region and incorporation date, enriched and ready to contact.
Run it on your free 10 →Leadistry maintains a live database of 5 million UK companies, enriched from the Companies House register with verified websites, business emails and social profiles. We write about the craft of finding and reaching the right businesses, first.
See how Leadistry works →