GDPR and Contacting New Companies: What Accountants Need to Know

A practical guide to the rules

You want to contact newly incorporated company directors to introduce your accountancy practice. The data is publicly available from Companies House. But before you write that first letter, you need to understand the rules around GDPR and direct marketing, because getting it wrong isn't just a compliance risk; it damages the professional trust you're trying to build.

This guide covers the key principles for UK accountants considering outreach to new company directors using public Companies House data. It covers what GDPR and PECR say about this specific scenario, what you need to document, and which channels have which rules.

Important: This page is not legal advice. It describes general principles based on publicly available guidance from the Information Commissioner's Office (ICO). For advice specific to your practice and circumstances, consult the ICO guidance directly or speak to a data protection specialist.

The Short Answer

Yes, UK accountants can contact newly incorporated company directors, but there are rules, and you need to follow them.

The data itself is public. Anyone can access Companies House records. That's not the issue. The issue is what you do with personal data, specifically director names, when you use it for direct marketing purposes. GDPR applies because you're processing personal data, even though that data was obtained from a public source.

The rest of this guide explains which rules apply, what you need to do before sending your first letter, and how the rules differ depending on whether you're using post, email, or phone.

Companies House Data Is Public But Using It Has Rules

Companies House maintains a public register of UK companies. Director names, registered addresses, SIC codes, and incorporation dates are all part of the publicly available data. Accessing this information is straightforward and entirely lawful. It's designed to be public.

The distinction that matters is between accessing the data and using it for marketing. When you take a director's name from Companies House and use it to send a marketing letter, you're processing personal data for a purpose (direct marketing) that GDPR regulates. The fact that the data came from a public source doesn't exempt you from data protection rules. It just means you didn't need consent to obtain it.

This is the point that trips up most accountants. The data is public, so it feels like it should be free to use however you like. In practice, you need a lawful basis for the marketing use and you need to document that basis.

Lawful Basis: Legitimate Interest

For B2B postal marketing to company directors, the most commonly relied-upon lawful basis under GDPR is legitimate interest. This is one of six lawful bases the regulation provides, and it's the one most relevant to this scenario.

Legitimate interest doesn't mean "I'm interested in contacting them." It means you've assessed that your interest in making contact is balanced against the director's privacy rights, and that the contact is proportionate and reasonably expected given the circumstances.

In practice, this means you need to carry out and document a Legitimate Interest Assessment (LIA). For this specific scenario — an accountancy practice writing to a newly incorporated company director at their registered business address — the assessment is relatively focused. But you do need to do it, and you need to keep a record.

What a Basic LIA Should Cover

A legitimate interest assessment for this type of outreach should address:

  • Your purpose — what are you trying to achieve? (Introducing your accountancy services to a newly incorporated company director who may need professional help.)
  • Why it's necessary — could you achieve this another way that's less intrusive? (The director hasn't searched for you; proactive contact is the only way to reach them at this stage.)
  • The balancing test — does the director's right to privacy outweigh your interest? Consider: the data is from a public register; the contact is at a business address; the communication is professional and relevant to their new obligations; they can opt out easily.
  • Safeguards — what are you doing to protect their privacy? (Opt-out mechanism included, suppression list maintained, records of who you've contacted and when.)

This doesn't need to be a lengthy legal document. A clear, honest record of your reasoning is what the ICO expects. The ICO's guidance on legitimate interest provides a template and further detail on what to include.

Postal Mail vs Electronic Communications

GDPR applies to all channels, but there's a second layer of regulation, the Privacy and Electronic Communications Regulations (PECR), which applies specifically to electronic communications: email, phone, and text. This is where the rules diverge depending on how you choose to make contact.

Postal Mail

Postal mail has the fewest restrictions for B2B marketing. PECR does not apply to physical post. It only covers electronic communications. This means that if you're sending a letter to a company director at their registered business address, GDPR's legitimate interest basis is generally sufficient.

You must still include a way for the recipient to opt out of future mailings. And you must honour any opt-out requests promptly.

For most accountancy practices, postal mail is the simplest channel from a compliance perspective and it also tends to be the most effective for a professional first introduction.

Email

Email brings PECR into play. For unsolicited B2B marketing emails, the rules are stricter than for post.

The "soft opt-in" exception that allows some B2B emails without explicit consent typically applies when you have an existing business relationship with the recipient. For a first contact with a newly incorporated company director you've never dealt with before, this exception rarely applies.

This doesn't mean you can never email a new company director. But the compliance requirements are higher, and the ICO's expectations around consent and opt-out for electronic marketing are more detailed. If you're considering email as a first-touch channel, review the ICO's guidance on electronic marketing carefully or take specialist advice.

Phone

Phone calls to businesses are permitted under PECR, but you must check the Telephone Preference Service (TPS) register before calling. If the number is registered on TPS, you should not call unless the recipient has specifically consented to calls from your organisation.

There's an important distinction between corporate numbers and individual numbers. A call to a company's main number has different PECR treatment to a call to a director's personal mobile. For most first-contact scenarios with newly incorporated companies, you're unlikely to have a personal mobile number, but if you do, treat it as a higher compliance bar.

What You Need to Do Before Sending Your First Letter

Before you contact your first newly incorporated company director, make sure you've completed the following:

  • Document your Legitimate Interest Assessment. Record why you believe your outreach is proportionate and balanced against the director's privacy rights. Keep it on file.
  • Check your ICO fee status. Most organisations processing personal data need to pay the ICO's data protection fee. Use the ICO's self-assessment tool to check whether you're registered and up to date.
  • Prepare an opt-out mechanism. Every letter should include a clear way for the recipient to tell you they don't want further contact. This can be as simple as "If you'd prefer not to receive further correspondence, please let us know at [email/phone]."
  • Set up a suppression list. When someone opts out, add them to a list of directors you must not contact again. Check this list before every mailing.
  • Keep records of who you contact and when. A simple spreadsheet is enough: director name, company name, date contacted, channel used, any response. This demonstrates that your outreach is organised and accountable, not scattergun.

None of this is especially onerous. For a typical accountancy practice sending a handful of letters each week, these steps add minutes to the process, not hours. But they need to be done and documented before you start.

What to Do If Someone Asks You to Stop

This part is straightforward. If a director asks you not to contact them again, by any means, you must honour that request promptly.

Add them to your suppression list immediately. Do not contact them again. Do not send a follow-up. Do not add them to a different mailing. The suppression list is permanent unless the director actively tells you otherwise.

This isn't just a compliance requirement, it's basic professionalism. An accountant who can't respect a simple opt-out isn't going to inspire confidence in their ability to handle a client's financial affairs.

Where to Get Formal Guidance

This page covers the general principles. For guidance specific to your situation, the following resources are the right starting points:

  • ICO guidance on legitimate interest — the most detailed official resource on conducting and documenting a Legitimate Interest Assessment. Available on the ICO website.
  • ICO guidance on direct marketing — covers the rules for marketing by post, email, and phone, including the PECR requirements. Available on the ICO website.
  • ICO data protection fee self-assessment — check whether your practice needs to pay the annual data protection fee (most do). Available on the ICO website.
  • A data protection specialist — if your situation is complex, or if you want formal sign-off on your LIA before starting, a specialist can review your approach and advise on your specific circumstances.

Don't treat this page as the end of your compliance work. Treat it as the beginning: a practical orientation that helps you ask the right questions and take the right steps before you start.

Frequently Asked Questions

Can I contact a new company director using Companies House data?

You can access Companies House data freely as it's a public register. Using that data for direct marketing requires a lawful basis under GDPR. For B2B postal contact, legitimate interest is the most commonly relied-upon basis, provided you've documented a Legitimate Interest Assessment.

Do I need consent to send a letter?

For postal B2B marketing, consent is generally not required if you can demonstrate legitimate interest. Electronic communications (email, phone) have additional rules under PECR, and the compliance requirements are higher.

What is a Legitimate Interest Assessment?

A documented evaluation showing that your interest in contacting the director is balanced against their privacy rights, and that the contact is proportionate and reasonably expected. The ICO provides guidance and templates for carrying one out.

Do I need to register with the ICO?

Most organisations processing personal data need to pay the ICO's annual data protection fee. Use the ICO's self-assessment tool to check whether your practice is registered and up to date.

What if a director asks me to stop contacting them?

You must honour opt-out requests promptly. Add the director to your suppression list and do not contact them again. This applies regardless of which channel you used.