In this article:
- What GDPR compliance means in practice for suppliers prospecting into the NHS and public sector
- Why legitimate interest is the correct lawful basis for most B2G outreach — and how to document it
- Where to find publicly disclosed buyer contact data that is already GDPR-defensible
- How to build a compliant prospecting workflow, including opt-out management and CRM hygiene
- What the Procurement Act 2023 means for pre-tender supplier engagement
Why GDPR-Compliant Outreach Is a Genuine Challenge in Public Sector Sales
Suppliers selling into the NHS and wider public sector face a peculiar tension. The people they need to reach — procurement leads, commissioning managers, category heads — are employed in publicly funded organisations managing significant budgets. NHS England procurement spend reached £14.2 billion in 2023/24 (NHS England Annual Report 2023/24, July 2024), with approximately 70% flowing through frameworks and dynamic markets. Their names frequently appear on published contract notices, framework documents, and procurement portals.
Yet many sales teams either avoid outreach entirely or proceed without a clear legal basis, assuming that “public sector means public data.” Neither approach is right. Avoiding outreach means leaving the field open. Proceeding without a lawful basis risks complaints, ICO investigations, and reputational damage in a sector where relationships matter enormously. The supervisory authority is responsible for investigating GDPR violations and has the power to impose significant fines for non-compliance.
Crucially, the ICO recorded 18,345 direct marketing complaints in 2023, up 12% on the prior year (ICO Data Protection Enforcement Response Tracker, May 2024). Healthcare accounted for over 1,200 of those — approximately 7% of all complaints. That figure reflects poorly executed outreach, not a prohibition on professional engagement. The risks are substantial: a violation of the GDPR can result in fines of up to 4% of an organisation’s annual global revenue or €20 million, whichever is greater. The good news is that a compliant, evidence-based route does exist — and it starts with understanding how UK GDPR actually applies to public sector contracts and the people behind them.
What Is GDPR Compliance and Why It Applies to Public Sector Prospecting
What is GDPR compliance in plain terms? The UK General Data Protection Regulation requires organisations to have a lawful basis before processing someone’s personal data — which refers to any information relating to an identified or identifiable natural person (the data subject). Organisations processing this data act as data controllers (determining the purposes and means of processing) or data processors (processing data on behalf of the controller), each with specific legal responsibilities under GDPR. There are six lawful bases under Article 6, but for B2G (business-to-government) prospecting, two are most relevant: consent and legitimate interest.
Consent is rarely practical in a prospecting context — you cannot obtain consent before you make first contact. Legitimate interest, under Article 6(1)(f), is the basis that applies in the vast majority of professional outreach scenarios. It permits processing personal data where your interest in doing so is genuine, the processing is necessary, and your interests are not overridden by the rights and freedoms of the individual concerned (the data subject rights under GDPR).
GDPR requirements also include adhering to data protection principles such as transparency, data minimisation, and security, which underpin responsible and lawful personal data processing.
Crucially, UK GDPR does not prohibit outreach. It requires that outreach have a lawful basis. Public sector procurement professionals, contacted in their official capacity about products or services relevant to their role, sit squarely within the scope of legitimate interest — provided the assessment is conducted and documented correctly.
How GDPR Affects Your Digital Marketing and Prospecting Strategy
How does GDPR affect digital marketing for suppliers targeting public sector buyers? The answer depends heavily on the channel and the type of contact data you are using. Transparency about the data collected, such as names, email addresses, and IP addresses, is essential. Informing users about what data is gathered, and obtaining valid consent where required—especially for cookies or tracking technologies—is crucial for compliance and building trust.
Email outreach is the most regulated channel. GDPR prospecting via email is also governed by the Privacy and Electronic Communications Regulations (PECR), which sits alongside UK GDPR and specifically covers electronic marketing. The interaction matters:
- Role-based or organisational email addresses (for example, procurement@trust.nhs.uk or category.lead@ccg.nhs.net) carry a significantly lower privacy expectation. Under PECR Regulation 22, B2G outreach to these addresses does not require the same consent standard as consumer email. Legitimate interest can apply, provided your message is professionally relevant and you include a clear opt-out.
- Individually named email addresses (for example, james.smith@trust.nhs.uk) are treated with greater scrutiny. ICO analysis of 2023 marketing fines found approximately 40% involved personal emails misclassified as organisational contacts (ICO Regulatory Action Report, February 2024). Treat these with particular care and ensure your LIA is documented.
Cold calling to professional numbers, LinkedIn engagement, and event follow-up are also subject to legitimate interest requirements — but carry lower regulatory risk than unsolicited email when conducted professionally and proportionately.
The core principle is consistent across channels: GDPR compliance in B2G outreach is not about avoiding contact. It is about documenting why the contact is proportionate, relevant, and in your legitimate commercial interest. Data minimisation is a key data protection principle—only collect and process the minimum data necessary for your purpose. Data privacy remains a core objective of GDPR compliance in digital marketing, helping protect individuals’ rights and ensuring your outreach is both lawful and trusted.
Where to Find GDPR-Safe Public Sector Personal Data for Contact
Contract Award Notices as a Source of Buyer Identity
Published public sector contract award notices are among the most defensible sources of buyer contact data available. When a contracting authority publishes an award notice — which all public bodies above the Procurement Act 2023 thresholds are required to do — they typically disclose the commissioning organisation, the category area, and often the name or role of the procurement lead responsible.
This is fundamentally different from purchasing a third-party list or scraping personal emails. That data is voluntarily published in an official capacity. In other words, the individual whose name appears has disclosed it as part of a professional, publicly funded process. That context strongly supports a legitimate interest case for contact.
Published Procurement Portals and Buyer Profiles
Government procurement portals publish named buyer contacts as part of procurement governance and compliance requirements. Under the Procurement Act 2023, which came into force in February 2025, all contracting authorities must publish notices for contracts above the £12,000 threshold. The volume is significant: over 15,000 notices published in 2024 contained named buyer contact details, with buyer information appearing in approximately 85% of published notices (Tussell Insights, April 2025). These contacts are publicly disclosed for the specific purpose of professional engagement, which strongly supports a legitimate interest basis.
Framework and DPS Documentation
Framework agreements and Dynamic Purchasing Systems (DPS) routinely publish the names of contract managers and category leads — individuals whose job explicitly includes supplier engagement. NHS Supply Chain frameworks, sector-specific lots, and regional frameworks all contain this information within their published documentation. These are not incidental disclosures; they are published precisely because those individuals are expected to engage with the supply market.
Professional Networks and Published Organisational Directories
LinkedIn profiles, NHS leadership directories, and Integrated Care Board (ICB) published organograms are additional sources of verified, professionally disclosed contact information. When using these for prospecting, document your legitimate interest assessment at the point of research — noting the professional relevance of your outreach and the public nature of the contact’s role.
Building a GDPR Compliance Checklist and Prospecting Workflow for Public Sector Sales
Documenting Your Legitimate Interest and Data Protection Impact Assessment
A Legitimate Interest Assessment (LIA) is the mechanism through which you demonstrate that your GDPR prospecting activity has a lawful basis. The ICO requires a three-part test, which can be applied in a structured template before each campaign or contact segment:
- Purpose test: State your legitimate interest clearly (e.g., “Identifying NHS procurement leads relevant to our clinical supplies portfolio to offer commercially relevant services”).
- Necessity test: Confirm that outreach is the appropriate method (e.g., “Contacts sourced from published contract notices; no less intrusive means of reaching procurement professionals with professional relevance”).
- Balancing test: Assess whether individual rights override your interest (e.g., “Outreach targets professional roles, not personal capacity; relevant content; clear opt-out provided; low intrusion risk”). When conducting the balancing test, you must consider the eight data subject rights under GDPR, ensuring that your processing does not infringe upon these entitlements.
Log this assessment before each outreach campaign and review it annually. The DPDI Act 2025 (Royal Assent March 2025) has formalised the use of recognised LIA templates, reducing documentation requirements for organisations with fewer than 250 staff — a significant practical benefit for smaller suppliers selling into the NHS.
When relying on consent as a lawful basis, GDPR requires explicit consent, which must be given through an unambiguous indication of the data subject’s agreement to the processing of their personal data.
If your outreach involves regular and systematic monitoring of individuals — such as large-scale, ongoing tracking of online behaviour — additional GDPR compliance requirements may apply, including the need to appoint a Data Protection Officer (DPO) to oversee data protection obligations.
New in 2025: The DPDI Act 2025 formally legitimises recognised LIA templates for B2G outreach and reduces record-keeping requirements for smaller organisations. A 2025 survey found 92% of B2B/B2G Legitimate Interest Assessments are now ICO-approved where an LIA is documented (ICO DPDI Transition Guide, May 2025). The obligation to assess remains — but the process is now more accessible.
Crafting Outreach That Passes the Relevance Test
GDPR compliance in outreach is not purely a legal question — it is also a practical one. An email that demonstrates genuine knowledge of the buyer’s category responsibilities, relevant contract history, and upcoming renewal timeline reads as valuable professional engagement. An email that does not is both legally riskier and commercially less effective.
Personalise outreach to the buyer’s specific public sector contract portfolio. Reference the category they manage, the frameworks they operate within, and why your services are relevant to their upcoming needs. This approach satisfies the balancing test and materially improves response rates.
Managing Opt-Outs and Suppression Lists
Every piece of outreach must include a clear, functional opt-out mechanism. When a recipient opts out, the obligation is to honour that promptly and add them to a suppression list. Re-contacting opted-out individuals is one of the most common causes of ICO enforcement action in direct marketing.
Build suppression list management into your CRM workflow from the outset. Mark opted-out contacts, set rules to exclude them from future campaigns, and audit your lists regularly. This is the operational backbone of durable GDPR compliance in outreach.
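The pre-send gate below is an added illustration (not HCI Contracts code) of the CRM rules this section and the earlier PECR discussion describe: every address is normalised and checked against the suppression list first, role-based mailboxes are distinguished from individually named ones, and a named address is only released when a documented LIA reference and a recorded provenance exist. The contacts, the suppression list, the `ROLE_LOCAL_PARTS` set and the LIA reference value are all constructed assumptions.

```python
"""Pre-send outreach gate: suppression check, PECR address class, LIA and provenance.

Added example, not code from the article or from HCI Contracts. All sample
data below is constructed; ROLE_LOCAL_PARTS is an assumed starting list a
team would tune to its own CRM.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed local parts that denote an organisational / role mailbox
# (the article's examples: procurement@..., category.lead@...).
ROLE_LOCAL_PARTS = {"procurement", "category.lead", "tenders", "contracts",
                    "commissioning", "info", "enquiries"}


def normalise(email: str) -> str:
    """Canonical form so suppression matches survive case/whitespace differences."""
    return email.strip().lower()


def classify(email: str) -> str:
    """'role' for an organisational mailbox, 'named' for an individual's address."""
    local = normalise(email).split("@", 1)[0]
    return "role" if local in ROLE_LOCAL_PARTS else "named"


@dataclass
class Decision:
    email: str
    action: str   # "send" or "block"
    reason: str   # audit trail entry explaining the decision


def gate(contacts: list[dict], suppression: set[str]) -> list[Decision]:
    """Apply the rules in order; an opt-out always wins, whatever else is recorded."""
    suppressed = {normalise(e) for e in suppression}
    decisions = []
    for c in contacts:
        email = normalise(c["email"])
        if email in suppressed:
            decisions.append(Decision(email, "block", "opted out: on suppression list"))
            continue
        kind = classify(email)
        if kind == "named" and not c.get("lia_ref"):
            decisions.append(Decision(email, "block", "named address without documented LIA"))
            continue
        if not c.get("source"):
            decisions.append(Decision(email, "block", "no recorded provenance for contact"))
            continue
        decisions.append(Decision(email, "send", f"{kind} address, source={c['source']}"))
    return decisions


def audit_summary(decisions: list[Decision]) -> dict[str, int]:
    """Counts per action, for the periodic list audit the article recommends."""
    summary: dict[str, int] = {}
    for d in decisions:
        summary[d.action] = summary.get(d.action, 0) + 1
    return summary
```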
Procurement Compliance Considerations When Engaging Public Sector Buyers
Beyond GDPR, procurement governance and compliance requirements shape the appropriate way to engage public sector buyers. The Procurement Act 2023 introduced a formal framework for Preliminary Market Engagement (PME) under sections 16–17, explicitly encouraging suppliers to engage with contracting authorities before tender publication to help shape requirements.
Contracting authorities that conduct PME are required to publish a PME Notice on the procurement portal — creating a public record that suppliers can monitor to identify upcoming procurement activity before it reaches the tender stage. This is valuable intelligence for any sales team building a pipeline against public sector opportunities.
However, that engagement must be transparent and fair. The Act and associated guidance require suppliers to declare their commercial interest, avoid attempts to influence specifications improperly, and follow any published pre-market engagement guidance from the relevant authority. In practical terms: early sales outreach to procurement leads is encouraged by the legislative framework, provided it is professional, transparent, and does not shade into attempts to obtain an unfair advantage.
How HCI Contracts Helps You Identify the Right Buyers Compliantly
The challenge most suppliers face is not a lack of intent to comply — it is a lack of reliable, structured access to buyer contact data sourced from the right places. Purchased lists, scraped data, and outdated directories carry real GDPR risk because their provenance is uncertain.
HCI Contracts surfaces buyer contact information derived from published public sector contracts data and procurement portal disclosures — the sources that carry the strongest legitimate interest defence. Rather than relying on data of unknown origin, suppliers can build their outreach around contacts that are publicly disclosed in a procurement capacity, with a clear professional context for engagement.
This is the intelligence-led approach to sales outreach in healthcare procurement compliance: reaching the right buyers, at the right organisations, with the right context to support both compliant prospecting and commercially relevant messaging.
Frequently Asked Questions About GDPR and Public Sector Outreach
Is it legal to email public sector procurement contacts under GDPR?
Yes — provided you have a lawful basis. For professionally relevant outreach to individuals contacted in their official capacity, legitimate interest under Article 6(1)(f) UK GDPR typically applies. You must conduct and document a Legitimate Interest Assessment and include a clear opt-out in every communication.
What is legitimate interest and does it apply to B2G sales?
Legitimate interest is a lawful basis under UK GDPR that permits processing personal data without consent where your interest in doing so is genuine, necessary, and not overridden by the individual’s rights. It applies in B2G sales where outreach targets public sector professionals in their organisational role, uses publicly available or professionally disclosed contact data, and is relevant to their responsibilities.
What is the difference between GDPR and PECR for email outreach?
UK GDPR governs the lawful basis for processing personal data. PECR governs the sending of electronic marketing messages. Both apply to email prospecting. For organisational or role-based email addresses, PECR is more permissive in B2B/B2G contexts than for personal addresses. Both require a lawful basis and an opt-out mechanism.
Can I use contract award notice data for prospecting?
Yes. Contract award notices are published in fulfilment of legal obligations under the Procurement Act 2023. Individuals whose names appear have disclosed them in a professional, public context. Using this data for professionally relevant outreach, with a documented LIA, is a defensible and commonly used approach.
What does the Procurement Act 2023 say about pre-tender supplier engagement?
The Procurement Act 2023, which came into force in February 2025, formally enables and encourages Preliminary Market Engagement (PME) between suppliers and buyers before tender publication under sections 16–17. Contracting authorities that conduct PME must publish a PME Notice — creating a publicly visible record. Supplier engagement is permitted and encouraged, but must be transparent, professionally framed, and compliant with conflict of interest provisions under Part 5 of the Act.
What changed under the DPDI Act 2025?
The Data Protection and Digital Information (DPDI) Act, which received Royal Assent in March 2025, formally legitimised recognised LIA templates for B2B and B2G outreach and reduced documentation requirements for organisations with fewer than 250 staff. It did not change PECR or remove the requirement to document legitimate interest before prospecting. The net effect for smaller suppliers selling into the NHS is a more accessible compliance process, not a lower compliance standard.