Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects, stores or uses customer or employee email addresses, you’re processing personal data. That means UK GDPR rules will almost certainly apply - and there are specific steps you need to take to stay compliant.
In this guide, we’ll answer a core question many small businesses ask: is an email address personal data under UK law? We’ll also cover when you can share or use email addresses (for example, for marketing), what lawful bases might apply, and the practical documentation and processes you should have in place.
Don’t stress - with a clear plan and the right documents, you can use email addresses confidently and lawfully to grow your business.
What Counts As Personal Data Under UK GDPR?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, personal data is any information relating to an identified or identifiable natural person. Someone is “identifiable” if you can identify them directly or indirectly - for instance by a name, an ID number, location data, an online identifier, or factors specific to their identity.
In plain English: if a piece of information can reasonably be linked to a living person, it’s personal data. That includes obvious items like a name and phone number, and less obvious items like IP addresses or device identifiers when they can be tied to a person.
Once information qualifies as personal data, the UK GDPR’s principles apply. These include lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Your business needs a lawful basis to process the data and must be open about what you do with it.
Are Email Addresses Personal Data?
Yes - in most cases, email addresses are personal data. If an email address identifies a person directly (e.g. jane.smith@company.co.uk), or can be combined with other information to identify them, it falls under UK GDPR. Even where an address looks generic, context matters.
Personal Email Addresses
- Consumer addresses like jane.smith@gmail.com are clearly personal data.
- They link directly to an individual and are commonly used with other personal identifiers (name, purchase history, device data).
Work Email Addresses
- Business addresses like firstname.lastname@business.co.uk are usually personal data because they identify a specific employee.
- Corporate “role” or “shared” inboxes (e.g. info@, sales@) might not be personal data on their own if no individual can be identified. However, if you can reasonably link messages in that inbox to a specific person (e.g. a sole trader using info@), the content and associated metadata may still constitute personal data.
Special Category Data?
Email addresses are not special category data by themselves (that category covers sensitive topics like health, biometrics or beliefs). But the content of emails can include special category data - handle that content with extra care and, where needed, satisfy an additional condition for processing special category data on top of your lawful basis, with appropriate safeguards.
Bottom line: treat most email addresses as personal data, plan on applying UK GDPR principles, and build your compliance processes around that assumption.
Sharing Email Addresses Under GDPR: When Is It Lawful?
Sharing email addresses with another business, supplier or platform is “processing” under UK GDPR. You must have a lawful basis and you remain accountable for the data you control, even if another company processes it for you.
Choose A Lawful Basis
Common lawful bases for sharing email addresses include:
- Contract: You need to share data to provide a service the individual asked for (e.g. sending booking notifications via a third-party provider).
- Legitimate interests: Your business has a genuine interest (e.g. fraud prevention, internal analytics, or using a reputable email platform), and sharing is necessary and balanced against the individual’s rights. Do a simple legitimate interests assessment to document your reasoning.
- Consent: The individual has given clear consent (e.g. to share their details with event partners). Consent must be freely given, specific, informed and easy to withdraw.
- Legal obligation: You must share due to a legal requirement (e.g. regulatory reporting or a lawful request from authorities).
Controller–Processor Relationships
If you use an email service provider or marketing platform to store and send emails, they are usually your processor and you are the controller. UK GDPR requires a written Data Processing Agreement with mandatory clauses (e.g. confidentiality, security, subprocessor controls, assistance with data rights, and deletion or return of data at the end of the service).
Controller–Controller Sharing
If you are disclosing email addresses to another independent business for their purposes (for example, a partner brand), each party is a controller. Consider putting a tailored Data Sharing Agreement in place to clarify purposes, lawful bases, transparency responsibilities, security and retention periods.
International Transfers
If email data is accessed or stored outside the UK (or by a provider using overseas servers), treat this as a restricted transfer. You’ll need an appropriate safeguard such as the UK IDTA or the UK addendum to the EU SCCs, and you should assess local laws’ impact on privacy.
Tell People What You Do
Transparency is key. Your Privacy Policy should clearly explain who you share email addresses with, why, the lawful basis, whether data goes overseas, and how long you keep it. This is essential both for compliance and customer trust.
Email Marketing: Consent, Soft Opt-In And B2B Rules
Marketing emails are governed by both UK GDPR and the Privacy and Electronic Communications Regulations (PECR). PECR sets the rules for electronic marketing, including email. The short version: don’t email people marketing unless you can rely on consent or a specific exemption, and always offer an easy opt-out.
Consent
Consent must be opt-in, specific, informed and unambiguous. Pre-ticked boxes won’t cut it. If you rely on consent, keep a record of who consented, when, how and what they were told.
Soft Opt-In For Existing Customers
PECR allows the “soft opt-in” for your own customers. You can market by email without fresh consent if:
- You obtained the email during a sale (or negotiation for a sale) of your products or services.
- You’re marketing your own similar products or services.
- You gave the recipient the chance to opt out at the time you collected the email and in every message.
Make sure every marketing email includes a clear unsubscribe link. For deeper detail on the rules, it’s worth reviewing the UK’s email marketing laws and how the soft opt-in works in practice.
Corporate Subscribers And B2B Emails
PECR is more permissive when emailing “corporate subscribers” (e.g. info@company.co.uk addresses used by a limited company). However, if your email identifies or targets a specific individual (like jane.smith@company.co.uk), you are still processing personal data under UK GDPR - so transparency, lawful basis (often legitimate interests) and opt-out remain important.
List Purchases And Third-Party Leads
Buying email lists is high risk. It’s hard to establish compliant consent or a lawful basis, and complaints can lead to enforcement. If you do use third-party leads, do robust due diligence on how details were collected and ensure your own PECR and UK GDPR obligations (including opt-outs and transparency) are met.
Collecting, Storing And Securing Email Addresses: A Compliance Checklist
Once you accept that email addresses are personal data, it’s time to put practical protections in place. Here’s a simple checklist you can action straight away.
1) Be Clear And Transparent
- Publish an up-to-date, plain-English Privacy Policy covering what email addresses you collect, purposes, lawful bases, who you share with, international transfers, retention and rights.
- On forms, include concise privacy notices (e.g. why you’re collecting email and how it will be used).
2) Pick The Right Lawful Basis
- For transactional emails: contract is often appropriate.
- For account management and security: legitimate interests may be suitable.
- For marketing: consent or the soft opt-in (plus PECR compliance) depending on the scenario.
3) Get Your Contracts Right
- Put a robust Data Processing Agreement in place with your email provider and other processors.
- When sharing with another independent business, use a Data Sharing Agreement to allocate responsibilities.
4) Implement Security Controls
- Enable MFA on email and marketing platforms.
- Use role-based access and least privilege.
- Encrypt data at rest and in transit where possible.
- Train staff to spot phishing and handle data safely.
5) Respect Storage Limitation
- Set clear data retention periods for email lists (e.g. inactive subscribers removed after X months).
- Regularly cleanse and suppress outdated or unsubscribed contacts.
6) Honour Data Rights And Opt-Outs
- Build processes to respond to a Subject Access Request within the one-month deadline.
- Make unsubscribe links one-click and effective across all systems.
7) Cover Web Collection Touchpoints
- If your website uses tracking for sign-up funnels, have a compliant Cookie Policy and set your consent banner correctly for non-essential cookies.
8) Document And Demonstrate Compliance
- Keep records of processing activities for your email systems (what you collect, why and where it’s stored).
- Record consent logs and legitimate interests assessments.
- Make sure you’re paying the ICO fee if required (check any relevant ICO fee exemptions).
9) Plan For Incidents
- Create a breach response plan so you can act quickly if email addresses are exposed, including when to notify the ICO and affected individuals.
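The checklist above can be turned into a small piece of working logic. As an added example (not Sprintlaw's code), the Python below models the consent record the Consent section says to keep (when, how, what the person was told), applies the three soft opt-in conditions and the opt-out override from the marketing section, and flags contacts to suppress under a retention window; the contact list, field names and the two-year window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentRecord:
    # The consent log to keep: when consent was given, how, and what the person was told.
    given_at: datetime
    method: str
    notice_text: str

@dataclass
class Contact:
    email: str
    consent: Optional[ConsentRecord] = None
    obtained_during_sale: bool = False        # collected in a sale or negotiation for a sale
    opt_out_offered_at_collection: bool = False
    opted_out: bool = False
    last_activity: Optional[datetime] = None

def marketing_basis(contact: Contact, own_similar_products: bool) -> Optional[str]:
    """Return 'consent', 'soft opt-in', or None (do not send).
    An opt-out overrides both bases; the soft opt-in needs all three PECR conditions."""
    if contact.opted_out:
        return None
    if contact.consent is not None:
        return "consent"
    soft_opt_in = (contact.obtained_during_sale and own_similar_products
                   and contact.opt_out_offered_at_collection)
    return "soft opt-in" if soft_opt_in else None

def contacts_to_suppress(contacts, now: datetime, inactive_after: timedelta):
    """Storage limitation: addresses to drop from the active list (unsubscribed or stale)."""
    cutoff = now - inactive_after
    return [c.email for c in contacts
            if c.opted_out or c.last_activity is None or c.last_activity < cutoff]

# Constructed sample contacts (placeholder addresses, not real people) and an assumed window.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RETENTION = timedelta(days=730)  # assumed policy: remove subscribers inactive for two years
SAMPLE = [
    Contact("jane.smith@example.com", last_activity=NOW - timedelta(days=30),
            consent=ConsentRecord(NOW - timedelta(days=30), "web form, unticked box",
                                  "We will email you offers; unsubscribe at any time.")),
    Contact("buyer@example.com", obtained_during_sale=True,
            opt_out_offered_at_collection=True, last_activity=NOW - timedelta(days=100)),
    Contact("quiet@example.com", obtained_during_sale=True, last_activity=NOW - timedelta(days=800)),
    Contact("gone@example.com", opted_out=True, last_activity=NOW),
]
```

Note that `quiet@example.com` fails the soft opt-in even though the address came from a sale, because no opt-out was offered at collection; unsubscribed addresses are removed from the active list here, but you will usually keep them on a separate suppression list so they are not re-added later.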
Key Takeaways
- Email addresses are generally personal data under UK GDPR because they identify or can identify a person. Treat them accordingly.
- When sharing email addresses (e.g. with platforms or partners), pick a lawful basis, be transparent, and put the right contract in place - typically a Data Processing Agreement for processors or a Data Sharing Agreement for controller-to-controller disclosures.
- Marketing emails are governed by PECR as well as UK GDPR: rely on consent or the “soft opt-in” (where available), follow the email marketing laws, and include an easy opt-out in every message.
- Be transparent with a clear Privacy Policy, keep accurate consent records, and implement strong security and access controls on your email systems.
- Set and follow sensible data retention periods for your contact lists, and be ready to respond to a Subject Access Request within legal timeframes.
- If you’re unsure which rules apply in your situation (for example, B2B marketing vs consumer marketing, international transfers, or consent wording), it’s wise to get tailored advice before you hit “send.”
If you’d like help getting your email compliance right - from drafting a Privacy Policy and DPA to checking your marketing practices - you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.