How to avoid violating GDPR when using lead lists?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've got a shiny new lead list and you're terrified. That's healthy paranoia. GDPR doesn't care who sold you the data. It cares that you have a lawful basis to use it. Here's how to vet a list and protect yourself.

Ask the vendor hard questions. How'd they collect this data? Was consent obtained for third-party marketing? Can they prove it with documentation? A reputable vendor will happily provide consent records or explain their lawful basis. If they evade the question or get cagey, that's a red flag. Walk away. Sketchy sourcing is a liability you don't need.

Don't rely on their basis alone. Even if the vendor says they got consent, you can't just trust that. You need your own lawful basis. If you're relying on "legitimate interest," you've got to document why. Run your own assessment: Do you have a genuine business reason for contacting them? Is your interest balanced against their privacy expectations? Save that analysis. Regulators will ask for it.

Be transparent in your first email. When you reach out, explain where you got their data and why you're contacting them. This isn't optional. GDPR's Article 14 requires you to provide a privacy notice on first contact if data wasn't given directly by the person. They need to know you've got their info, why you have it, and how they can object or ask for deletion.

Honor their rights immediately. If someone asks what data you hold on them, you've got 30 days to respond. If they ask for deletion ("right to be forgotten"), you delete them. If they object to processing, you stop. These aren't bureaucratic inconveniences. They're legal obligations. Slow responses and ignored requests are violations.

Check list quality. Outdated lists damage your deliverability and create GDPR risk simultaneously. Old data's inaccurate. You're sending to addresses that don't exist or belong to people who've forgotten they were ever on a list. Purchased lists are notorious for containing spamtraps and invalid addresses. Before you send, run the list through email validation to catch dead weight.

Document everything. Keep vendor contracts, consent records, your legitimate interest assessment, and any validation reports. If a regulator asks, you need proof that you did your homework. Documentation turns a violation into a "we took reasonable steps."

Next step. Before purchasing any list, request documentation from the vendor about data sourcing and consent. Get it in writing. Then work through your own legitimate interest assessment based on your actual business needs.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit purchased lead lists for GDPR compliance

I want to use a purchased lead list but I'm scared of GDPR violations. What specific questions should I ask my lead list provider/broker about data sourcing and consent? What documentation do I need to keep? What's a red flag that tells me a list isn't GDPR-safe?

Edit the yellow boxes, then send to the AI of your choice.