Tim Langley is the Co-Founder of Go Live Data, which specialises in marketing data for businesses and works with well-known household names and many SMEs. Here, Tim shares his knowledge on GDPR and direct marketing, advising on what owners and marketeers should consider.

There are various misconceptions around this where people are confused about what you can and cannot do under the GDPR rules. They tend to fall into one of two camps in that they either believe you simply cannot do anything under the rules or, they somehow forget about them completely and do whatever they want.

While it is possible to look after your own data, there are certain things business owners should be aware of and this can vary depending on what the chosen channel of communication is. With several things to consider, outsourcing to a specialist is one way of approaching it, to avoid receiving hefty fines if the correct process is not followed.


Let’s put GDPR, which stands for the General Data Protection Regulation, into context. It is European-wide legislation which came into force in May 2018 and was transcribed into UK legislation when we left the EU. It’s a protection legislation, so it is up to each individual country’s regulator (which in the UK is the ICO) to decide how to implement it within each jurisdiction, as interpretation may be subtly different within certain countries. Some will have slightly stricter rules around GDPR, whereas others may be a degree lighter, for example. And while the legislation sits under the European Court of Justice, there is still lots of GDPR which needs to be worked through to become case law.


GDPR provides a framework that regulates any company holding data on a European citizen. So, even if you were a company based in South Africa, if you hold data on a European citizen, you need to ensure you’re compliant with the GDPR strictures in Europe. That doesn’t mean that it’s a case of barring multinationals, such as Facebook or Google. It’s unlikely that a European regulator is going to be able to enforce action against a smaller organization outside its jurisdiction and can be compared to GDPR and B2B marketing, given that it’d be very hard to enforce such penalties if GDPR rules have somehow been broken.

Who does it apply to?

When we’re talking about GDPR we should be clear that it ‘absolutely’ applies to UK businesses, even though we are no longer in the EU. However, readers may be interested to hear that to support UK businesses, there has been legislation moving through parliament more recently, that is likely to be kinder to them in their B2B marketing.

The main thing to remember is that as a UK business, if you are aiming to promote your service to European businesses, you will be bound by GDPR, regardless. Alongside this, there is other legislation to consider: PECR, which stands for the Privacy and Electronic Communications Regulations.

Rights of the individual

GDPR is about the rights of the individual in knowing why or how you are storing their data, and it is about the action you can take to market to that data. With so many points on GDPR around things including privacy by design and making sure you think carefully about how you store the data, the most important piece of GDPR is what is called the legal basis – which is for controlling the data.

If, for example, you are marketing to other businesses using generic data, such as email addresses including info@, that is not covered by GDPR, nor is sending a piece of direct mail addressed to, say, ‘the director’ of a company. However, direct mail sent to a named person at that company is defined as personal data.

Performance of the contract

GDPR defines several legal bases, of which there are three key elements that apply to UK businesses. One is for the performance of the contract. This means you are allowed to hold a person’s details if it is a requirement of the contract. Rarely are you allowed to market to people using that as a legal basis, and being in possession of personal details does not give you the right to then start marketing to them.

Notion of consent

The second is the notion of consent, which relates to when someone has explicitly and freely agreed to being contacted by your business. Even then, the recipient must be able to withdraw their consent at any given time.

Legitimate interest

The final element, which is most often relied on, is direct marketing for legitimate interest. This means that businesses are allowed to market to people in other businesses because GDPR is not about stopping them from effectively marketing their services.

Therefore, the general rule to remember is that businesses should carry out the legitimate interest assessment, to define the basis on which they have a legitimate interest in contacting them.

For example, a PR agency may wish to work with other UK based businesses, somewhere between startups through to £100 million revenue businesses, which could be its definition of a legitimate interest assessment. Providing the data being held meets those criteria, it is conforming to this legitimate interest.

B2B direct marketing

The next piece relates to B2B direct marketing, which is generally much more targeted and precise. Obvious examples of this are email marketing, direct mail, telephone messaging, iPhone telesales and more often nowadays we are finding it is used in the form of outbound social messaging.

One of the most common errors made is thinking it is only possible to do direct marketing with the recipient’s consent. However, providing there is a defined legitimate interest and the recipients are corporate entities, it is perfectly fine to directly market to that data. A corporate entity is defined as being registered at UK Companies House as either a limited company or a Plc.

Business or individual

A sole trader or a partnership on the other hand, is deemed as an individual and this is why it is important to analyse the stored data, regardless of whether the business is big or small.

For example, a company recently asked Go Live Data to assess data consisting of 100,000 records. Out of that number, and even using unique technology that we have created, we were unable to locate 25,000 of those records or see any relationship between them as corporate entities, highlighting the fact that it was either old data or that it related to sole traders. For corporate entities it is possible to use a soft opt-in, which means a business can use ‘legitimate interests’ as a medium for reaching out.

Common misconceptions

GDPR controls your legal basis for holding data. Through PECR, UK businesses can also be fined, as it’s concerned with the action being taken with the data. When you are sending an email, doing telesales or sending direct mail, it’s likely to be covered by GDPR, and sending the item is likely to be covered by PECR legislation.

A key misconception is when people don’t believe that GDPR relates to them, and the other is where B2B marketers believe that if their direct mail activities are outsourced, they avoid liability for any wrongdoing. As a business, if you outsource your marketing, you should be confident that the data being used is correct and legitimate because, if it goes wrong, it will be you who the ICO will revert to and not the business you outsourced the marketing to.

Another common mistake is where businesses market to their own database and assume that consent has somehow been granted, when in fact it hasn’t. In parallel to this, there are those who assume that, because they never received consent, they can do nothing with the data they have.

Cleaning data

On average, data decays at a rate of around 30% a year. So regardless of whether you are sticking to the rules of GDPR, if your database is inaccurate, your activities will be a waste of time, and it’s vital to ensure that your data is ‘clean’. When you work with companies such as Go Live Data, a member of the team will run a comparison to discover which data is correct and which isn’t, and so determine which of your records need updating. We will also tell you which companies no longer exist and a range of other important details.

There are a host of reasons why your data would benefit from regular professional cleaning, unless of course you’ve chosen to do it yourself, which is time consuming and difficult when done manually. Enriching data is therefore another part of our service, to ‘complete’ the records.


Another key aspect of GDPR is data storage. Most of our customers require Go Live Data to do marketing outreach on their behalf, so it is vital that you are confident about who you outsource this marketing function to. They must be fully compliant and have the knowledge and expertise to carry out this type of work.

Go Live Data is an award-winning company founded in 2020 by Adam Herbert and Tim Langley. It provides best-in-class data solutions services to household names, corporations and SMEs. For more information on how Go Live Data can support your business visit www.go-data.com or email Tim Langley on [email protected].

CTO & Co-Founder at Go Live Data

With over 20 years of IT industry experience, Tim’s in-depth expertise in creativity, innovation and entrepreneurship stems from his many roles as IT Director, Technical Director and several CTO positions, as well as being Founder of not one, but three successful companies within the IT industry.

As well as being Co-Founder and CTO of Go Live Data, which has secured many SME and corporate clients since its launch in 2020, Tim is CEO and Founder of CANDDi, for which he created the original CANDDi software and set out the technology roadmap to continue the platform's development. Today, he defines the vision, leads the fundraising and drives the team of CANDDi.

Tim’s other specialist knowledge includes early-stage finance and business analysis, and JavaScript (Backbone), PHP (Zend), NoSQL and Big Data.