1. I need to wait until GDPR is finalised on 25th May 2018 before I consider buying data
No, you don’t. GDPR has already been finalised and the law for nearly 23 months. It comes into direct force on 25th May 2018 when everyone has to comply. Guidance on how to comply has been coming out from the ICO and the Article 29 Working Group on all aspects of the legislation so businesses will know how to implement the changes necessary.
2. I need to gain consent for telemarketing campaigns
You do not need to gain consent. You can use legitimate interests for telephone marketing, but you must screen telephone numbers against the Telephone Preference Service and Corporate Telephone Preference Service registers every 28 days. This is the general do not call register, which is set up by PECR. If they are not registered you can call them and if they elect to not be called again by your company you must add them to your own internal do not call list.
3. I need to gain consent for email marketing
Not when emailing a corporate business. GDPR will still apply as it covers the processing of personal data in a general sense but email marketing is currently governed by PECR. In a B2B environment, there is an exemption under PECR for employees of corporates, and you can use legitimate interests to send a marketing email to these individuals without their prior consent (eg. firstname.lastname@example.org, email@example.com).
A corporate is defined as a limited company, public limited company, limited liability partnership or government department. When emailing a corporate, you must a) give them the option to easily unsubscribe from receiving further communications, b) the product or service being promoted must be able to be purchased by the recipient in a professional capacity and c) you must identify the sender and provide contact details.
Marketscan – Great Data Properly Regulated