Third‑Party Data Collection: Your UK GDPR To‑Do List

If you run a business in the UK, you probably know that data is everywhere. Whether you're building marketing lists, onboarding new clients, or expanding into new markets, you may sometimes find yourself collecting personal information not directly from the people concerned, but from third-party sources. That's where the UK GDPR comes into play. Getting it right isn't just about ticking boxes; it's about building trust and staying on the right side of the law. The stakes are high: from hefty penalties to reputational damage, your business can't afford to get this wrong. So, what does the law actually say about collecting someone's data from a third party? In this guide, we'll walk you through what you need to know, what you need to do, and how to set up solid legal foundations right from day one. Let's get started!

What Is Third‑Party Data Collection Under the UK GDPR?

Third-party data collection is when you obtain someone’s personal information from any source other than the individual themselves. Common scenarios include:
  • Buying or renting marketing lists
  • Getting referrals through business partners
  • Collecting client data supplied by another company
Under the UK GDPR (the EU General Data Protection Regulation as retained in UK law after Brexit and amended by the Data Protection Act 2018 and related regulations), businesses are subject to strict obligations when collecting personal data this way. These requirements underpin fairness, transparency, and, crucially, the rights of the individuals whose data you hold. If your business processes any personal information, even just basic details like names or email addresses, it's vital you understand these rules. Whether you're already collecting third-party data or just thinking about it, keep reading for everything you need to stay compliant and protect your business.
Ignoring the rules around third-party data collection can quickly land you in hot water. Key risks include:
  • Regulatory fines – The UK Information Commissioner's Office (ICO) can impose penalties of up to £17.5 million or 4% of annual worldwide turnover (whichever is higher) for the most serious UK GDPR breaches, plus separate fines of up to £500,000 for breaches of the direct marketing rules in PECR
  • Loss of trust with customers and partners
  • Potential civil claims if individuals’ rights are infringed
  • Damage to your brand’s reputation
These aren’t abstract risks. Businesses have faced high-profile ICO investigations over unlawful third-party data use, especially around direct marketing and lack of transparency. That’s why you want robust compliance from the get-go.

What Information Must You Give Individuals If You Collect Data From Third Parties?

One of the cornerstones of the UK GDPR is the right to be informed. Where you collect an individual's data from a third party, Article 14 of the UK GDPR sets out what you must tell them. At a minimum, this includes:
  • The source of their data. Who gave you their information, where did they get it, and did it come from a publicly accessible source?
  • The categories of personal data you obtained. For example: name, address, purchase history, marketing preferences.
  • The purposes for which you'll use their data. This could be for marketing, providing services, fraud prevention, etc.
  • Your lawful basis for processing their data. You need a valid reason under the UK GDPR (such as consent or legitimate interests). If you rely on legitimate interests, you must say what those interests are.
  • Your identity and contact details. Individuals should know who holds their data and how to reach you (and, if you have one, how to reach your data protection officer).
  • Who you will share it with and how long you will keep it. The recipients (or categories of recipients) of the data and your retention period or the criteria you use to set it.
  • Their data protection rights. For example, how to access or correct their data, request deletion, object to marketing, or withdraw consent, and their right to complain to the ICO.
In practice this information is provided in a privacy notice. Note that simply updating the privacy policy on your website is unlikely to be enough on its own, because someone whose details you bought has no reason to look there: you need to actively bring the notice to their attention, for example by sending it (or a clear link to it) directly to the individual.

When And How Do You Provide This Notification?

Timing is everything. The notification deadlines under the UK GDPR (Article 14(3)) are strict, and the earliest of the following applies:
  • In all cases, you must inform people within a reasonable period of obtaining their data from a third party, and no later than one month.
  • If you plan to use the data to contact the individual (such as for email marketing), provide the information at the latest when you first contact them.
  • If you intend to disclose the data to someone else, give the notice at the latest when you first disclose it.
Example: Let's say you purchase a list of prospective clients from a data broker for email marketing. At the latest in your first email to each person on that list (and before you pass their details to anyone else), you must inform them:
  • Where you got their details from
  • What information you have
  • Your reasons for using their data, and your lawful basis for doing so
  • How they can exercise their rights (such as opting out)
You must also check, before sending anything, that the list is one you are allowed to email at all under the direct marketing rules discussed below: the UK GDPR notice does not by itself make a marketing email lawful. It's your responsibility to ensure this process is followed every time you collect and use third-party data.

Are There Any Exceptions To The Notification Requirement?

The UK GDPR recognises that there may be situations where providing individual notifications isn't practical or necessary, but these exceptions are strictly limited and carefully policed. You may not have to notify individuals if:
  • The person already has the required information. For example, if the third party's privacy notice, at the point they collected the data, already told the individual that their details would be passed to a company like yours and for what purpose.
  • Providing the notification would involve "disproportionate effort." You must weigh the effort against the impact on the individuals; cost or inconvenience alone is not enough. The exception is aimed at cases such as large historical or research datasets where you hold no usable contact details, and it is hard to justify for a marketing list you bought precisely so that you could contact the people on it. If you do rely on it, you must still take appropriate measures to protect the individuals, including making the information publicly available (for example, in a clearly published privacy notice).
  • Obtaining or disclosing the data is required by law, or an exemption in the Data Protection Act 2018 applies. For example, where disclosure is restricted by law, or in the context of certain investigations.
  • The data must remain confidential due to a legal or professional obligation of secrecy.
If you rely on any of these exceptions, you must:
  • Carefully record and document your reasoning
  • Be prepared to justify your decision if challenged
  • Consider whether a public notice would still be appropriate where direct notification isn't possible
Crucially, don't just take the third party's word for it. The responsibility is on you as the data controller to independently verify that the individuals were told, and to keep a record of your process.

What Are Your Key Compliance Steps For Third‑Party Data Collection?

Here’s your practical to-do list to get third-party data collection right and avoid falling foul of the UK GDPR:
  1. Audit & Map Your Data Flows Work out where personal data comes from and how it’s used throughout your business. Include all third-party sources – from purchased lists to supplier or partner referrals. You might find our guide to protecting customer information a helpful starting point.
  2. Update Privacy Notices & Documents Make sure your privacy notice covers third-party sources and includes everything individuals need to know. If you buy data from another company, obtain a copy of the privacy notice and consent wording the individuals actually saw when their data was collected, and check whether it already covered you and your purposes; if not, you'll need to provide the information yourself.
  3. Provide Notification Promptly Don’t delay. Give disclosure to new individuals within one month – or earlier, before you use their data for things like marketing or sharing with others.
  4. Document Your Process Keep clear records showing you’ve met your notification duties. If you’re relying on an exception, write down your reasoning and any alternative steps you took (like public notices).
  5. Review & Manage Third-Party Relationships If you work with suppliers or partners who collect data on your behalf, they are usually your processor and your contract with them must include the terms required by Article 28 of the UK GDPR. Where a supplier sells or shares data it collected for its own purposes, it is a separate controller, and a data sharing agreement setting out each party's responsibilities is the right tool. Our guide to contractor agreements explains how to protect yourself when third parties handle data for you.
  6. Train Your Team Make sure staff know what to look out for. If you outsource functions (like marketing or lead generation), ensure everyone understands their obligations around data obtained from others.
  7. Get Specialist Advice When Needed Data protection law is complex and the right approach can vary. For trickier cases or large-scale list buying, it pays to get help from specialists. We often advise businesses on how to handle third-party data safely and lawfully.

“Can I Just Trust the Third Party’s Documentation?”

This is a recurring question. Maybe you've purchased a list that came with a statement like, "We've informed everyone and obtained their consent." While that's helpful, you can't rely solely on what a third party claims. As the data controller, you must carry out your own due diligence and be able to demonstrate compliance. Ask the supplier for the actual wording the individuals saw, when and how consent was obtained, and whether your organisation (or at least your category of business) was named; a blanket statement that consent exists tells you very little. If asked, you should be able to show that everyone whose data you've collected has been properly notified, or justify any exceptions with evidence. That means keeping:
  • Copies of any notifications you issue
  • Records of how you received the data and what information accompanied it
  • Any agreements you have with data suppliers regarding compliance guarantees
  • Evidence of follow-up steps where needed
It helps to have robust contract terms with data suppliers. For more on negotiating these, check out our tips for negotiation support from a lawyer.

What About Direct Marketing?

Direct marketing is a common area for third-party data collection, and also a minefield for compliance issues. The rules are stricter when you use bought or acquired lists for marketing purposes:
  • Individuals must still be informed about how you've got their data and how it will be used
  • You must respect the Privacy and Electronic Communications Regulations (PECR) as well as the UK GDPR. For marketing emails and texts to individuals, PECR requires prior consent. The "soft opt-in" (which lets you email your own customers about similar products) only applies to details you collected directly from the customer, so it never covers a bought-in list; the consent the list seller obtained must have been specific enough to cover marketing by you.
  • Suppression lists must be maintained so you don't contact anyone who has already opted out, and lists used for telephone marketing should be screened against the Telephone Preference Service (TPS) before calling
The bottom line? Make sure your data collection and use is transparent, fair, and covers all relevant legal requirements, not just those of the UK GDPR.

Key Takeaways: Third‑Party Data Collection & GDPR

  • Whenever you collect personal data from any third party, you must comply with the UK GDPR’s transparency, fairness, and notification requirements.
  • Inform all individuals whose data you obtain about: the source of their data, what you’re using it for, your details, their rights, and any further disclosures.
  • Notification must generally be given within one month, or earlier: at the latest when you first contact the individual or first disclose their data to someone else.
  • There are limited exceptions to notification, but you must document your justification and consider alternative options if direct contact isn’t possible.
  • Do not rely on third parties’ assurances – conduct your own checks and keep records of all compliance steps.
  • Review your contracts and relationships with anyone who supplies personal data to your business, and update your documentation accordingly.
  • Getting your data protection basics right from day one will protect your business, your brand, and your customers.

Get Help With UK GDPR Compliance

If your business is collecting or planning to collect personal data from third parties, don’t leave compliance to chance. Sprintlaw’s friendly team can guide you through the legal requirements, draft or review your Privacy Policy, review your supplier contracts, and help you build safe, scalable practices for using and sharing data. If you’d like legal help or a no-obligation GDPR compliance review, call us on 08081347754 or email team@sprintlaw.co.uk for a free, friendly chat. We’re here to make UK GDPR compliance simple, so you can focus on growing your business with confidence!
Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
