How to avoid violating GDPR when using lead lists?

Using purchased or third-party lead lists under GDPR requires careful compliance work:

Verify the source:

How did the provider collect this data?

Was consent obtained for third-party marketing?

Can they provide documentation of consent or lawful basis?

Reputable vendors provide this information; evasive answers are red flags

Establish your own lawful basis:

You cannot rely solely on the vendor's basis

Conduct your own legitimate interest assessment if using that basis

Document your analysis and reasoning

Provide transparency:

When contacting list recipients, explain where you got their data

Explain why you're contacting them

Provide access to your privacy notice

Honor rights:

Respond to access requests (what data you hold)

Process erasure requests (right to be forgotten)

Remove people who object to processing

Data quality:

Outdated lists are both a legal risk and a deliverability hazard

Verify that the data is current and accurate

Purchased lists often contain spamtraps and invalid addresses