Unsolicited PR Emails and GDPR: How Much Risk Do Agencies Take, and Can Clients Be Liable?

Image Credit: Freepik

Gibraltar:  Tuesday, 31 March 2026 – 07:00 CET

By: Iain Fraser – Cybersecurity Journalist
Published in Collaboration with SECURUS Communications
Google Indexed PZero on: 310326 at 09:05 CET
SMECyberInsights.co.uk | First for SME Cybersecurity News
#SMECyberInsights #SMECybersecurity #SME #CyberSafe #CyberSecurity #Spam #GDPR #ICO #PECR


SME cybersecurity: how risky is GDPR-breaching “PR spam”, and who pays?

When a self-styled “cyber expert” PR agency scrapes your work email address and fires over an unsolicited pitch, it feels like a minor annoyance. It can, however, be a compliance and reputational mess for the sender, and sometimes for the client too. The risk is not theoretical: the higher tier of administrative fines is up to €20 million or 4% of annual worldwide turnover (whichever is higher) under the EU GDPR, and up to £17.5 million or 4% under the UK GDPR, depending on the infringement and the regulator’s approach.

This sits right on the border between data protection and direct marketing rules; UK SMEs and their advisers should understand both, because the liability story changes depending on who decided to contact you, why, and how.

What law is actually being breached: UK GDPR, EU GDPR, or PECR?

Start with the basics in plain English:

* UK GDPR / EU GDPR regulate personal data processing; a named work email like jane.smith@company.co.uk is usually personal data because it identifies a person. The sender needs a lawful basis and must meet transparency obligations.

* PECR (UK ePrivacy rules) govern electronic marketing; unsolicited marketing emails have extra rules around consent, identification, and opt-out.

Many PR firms assume “B2B means exempt”. It does not. PECR’s consent requirement for marketing email applies to individual subscribers, and sole traders and some partnerships count as individual subscribers even when they use a business address. For employees of corporate subscribers consent is not strictly required, but UK GDPR still applies to the collection, storage and use of that individual’s contact details, and PECR still requires the sender to identify itself and include a valid address for opt-out requests in every marketing email.

Is it “human error” or deliberate non-compliance? Why it matters for enforcement

This is where SME cybersecurity intersects with governance. A reputable agency should be able to explain:

* where they sourced the contact details,
* what lawful basis they rely on,
* how they provide privacy information,
* how opt-outs are captured and honoured,
* and how they prevent repeat mailing after objection.

If they cannot, they are running a compliance risk that looks less like a mistake and more like a business model. Regulators tend to be unimpressed by “we’re a cyber specialist” when basic privacy controls are absent.

Can the client be pulled in, and are they jointly liable?

This is the crux.

Under GDPR roles:

* A controller decides the purposes and means; the “why and how”.
* A processor acts on the controller’s instructions.

If a PR agency builds its own list, decides who to email and runs the outreach by its own methods, it is likely an independent controller, not a processor. If the client sets the targeting criteria, approves the lists or jointly determines how the campaign runs, the relationship can drift towards joint controllership.

Two important practical points for advisers:

* Compensation claims: under Article 82 of the GDPR, each controller or processor involved in the same processing and responsible for the damage is liable for the entire damage, so a data subject can claim the full amount from either party and the parties then argue contribution between themselves. Joint controllers are the clearest case of this.

* Fines are not “automatically shared” like civil damages; regulators can pursue the organisation(s) responsible for the infringement. In practice, both agency and client can face exposure if both shaped the unlawful activity, or if the client failed to put proper controls and contracts in place.

So yes, a client can be dragged into the story; not always, but often enough that sensible clients should care.


What SMEs should do when they receive these emails

You can reduce your own burden and create a paper trail:

1. Reply once with a formal objection; state you object to processing for direct marketing and require suppression.

2. Ask two questions; “What is your lawful basis?” and “Where did you obtain my details?”

3. Escalate internally; block the sender domain, and add a mail flow rule for repeat offenders.

4. Complain where it matters; for UK recipients, the ICO handles UK GDPR and PECR complaints.

5. If you use PR agencies yourself, contract for compliance: list provenance, lawful basis, privacy notices, opt-out handling, and audit rights.
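Step 3 is the one that lands on the IT side of the house. The following is an added example, not part of the article or of any vendor’s documentation, showing how an SME on Microsoft 365 would suppress a repeat sender in Exchange Online after the formal objection has gone out. It assumes the ExchangeOnlineManagement PowerShell module and an Exchange administrator role; the sender domain pr-spam.example is hypothetical.

```powershell
# Added example (not from the article): suppress a repeat unsolicited sender in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the account holds an
# Exchange admin role. The offending domain below is hypothetical.
Connect-ExchangeOnline

$offender = "pr-spam.example"   # hypothetical domain that kept mailing after objection
$ruleName = "Suppress unsolicited PR outreach - $offender"
$objected = Get-Date -Format 'yyyy-MM-dd'

# 1. Mail flow (transport) rule: match the sender domain in the From header OR the
#    envelope sender, so a forged display address does not slip past the rule.
#    Start in Audit mode so nothing is deleted until the rule is seen to match only
#    the intended sender; the Comments field doubles as the paper trail.
New-TransportRule -Name $ruleName `
    -SenderDomainIs $offender `
    -SenderAddressLocation HeaderOrEnvelope `
    -DeleteMessage $true `
    -Mode Audit `
    -Comments "Formal objection sent $objected; repeat marketing after objection."

# 2. Once message trace shows only the intended matches, switch the rule to enforcement.
#    (Left as a comment so the script does not enforce on the first run.)
# Set-TransportRule -Identity $ruleName -Mode Enforce

# 3. Optionally block at the filtering layer as well, via the Tenant Allow/Block List,
#    so the mail is stopped before it ever reaches mail flow rules.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $offender `
    -NoExpiration -Notes "Repeat unsolicited marketing after formal objection ($objected)"

# 4. Record what is now in place: name, mode, matched domain and the objection note.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, Mode, State, SenderDomainIs, Comments, WhenChanged
```

Two caveats a practitioner would want. The rule only matches the domain you name, so a lookalike or secondary sending domain needs its own entry (add it to the same rule with Set-TransportRule rather than creating a rule per domain). And this is a suppression control, not a substitute for the objection itself: send the objection first, then block, so the record shows the sender continued after being told to stop.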

SME Call to action

If you outsource marketing or PR, add a one-page “UK GDPR and PECR outreach checklist” to your supplier onboarding; it is faster than cleaning up a complaint later.

SECURUS Communications Ltd

Securus is a managed communications operator, providing next-generation network infrastructure and value-added services to managed hosting providers and the ‘cloud generation’ of enterprises. Securus’ priority is to offer communication services that represent excellent value for money and are backed by exceptional levels of support.

Contact Securus
Securus Communications Ltd
Station Road, Landmark house, Hook, England RG27 9HA, GB
T: Enquiries:  | Service Desk: 03451 283458
Securus on LinkedIn | Securus on “X” | https://securuscomms.com