
How UK GDPR applies to mobile number masking is now the single biggest compliance question for UK business directories, reverse phone lookup sites and B2B data brokers. A landline number bolted to a registered office address has never been especially private, but a UK mobile number sits in one person’s pocket, rings on their personal phone, and travels with them when they change job. UK GDPR treats that kind of number as personal data, and the Information Commissioner’s Office (ICO) has been clear that publishing it without thought is a regulatory risk. This guide explains how the law actually applies in 2026, why mobiles get masked when landlines often do not, how Connection Technologies’s last-four masking and takedown queue works, and what your own business needs to do if you collect, store or publish UK mobile numbers.
The Legal Frame: UK GDPR, the DPA 2018 and Phone Numbers
UK GDPR survived Brexit almost intact. It is now found in the retained Regulation (EU) 2016/679 as amended, sitting on top of the Data Protection Act 2018. The two pieces of law work together: UK GDPR sets the principles and the rights, the DPA 2018 fills in the procedural detail and exemptions. For a phone number to fall inside this framework, it has to qualify as personal data under Article 4(1).
Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person.” A number relates to an identifiable person if it can reasonably be linked to a specific living individual, either on its own or by combining it with other data. A UK mobile number almost always meets that test. The number itself routes to one SIM, the SIM is held in one handset, and the contract or pay-as-you-go top-up sits in one person’s name. Even when the SIM is paid for in cash, the handset’s IMEI, recent location history and contact graph mean a regulator or a determined third party can identify the holder.
The ICO published refreshed guidance in 2023 confirming that telephone numbers, including mobile and direct-dial numbers, are personal data when they relate to an identifiable individual. The guidance is explicit that a number does not have to come with a name attached for GDPR to apply. If “lookup is easy” — and for mobiles, it usually is — the number is personal data on its own. That ICO position has not shifted in 2026 and is the starting point for every masking and takedown decision we make.
Personal Data Versus Business Contact Data
The line that trips most businesses up is the difference between a personal mobile and a “business contact”. UK GDPR does not exempt business contact details. If a number identifies a specific living individual, it is personal data even when it is printed on a business card. The ICO has repeatedly said that the test is who the number identifies, not who pays the bill. A sales director’s mobile number issued by her employer is still her personal data because the calls reach her, the voicemail is hers, and the number travels with her if she resigns.
By contrast, a switchboard number on a generic reception desk usually does not identify a specific individual. Several people answer it, the rota changes weekly, and there is no reasonable way to attribute a single human to the line. That is why most reception landlines can be published freely without triggering UK GDPR, while almost every mobile cannot.
PECR Sits Alongside UK GDPR
The Privacy and Electronic Communications Regulations 2003 (PECR) bolt extra rules on top of UK GDPR specifically for telephone marketing. PECR covers live calls, automated calls, marketing SMS and faxes. It says you cannot make unsolicited marketing calls to anyone registered with the Telephone Preference Service (TPS) or Corporate TPS, and that any automated call needs explicit prior consent. PECR fines stack on top of UK GDPR fines, and the ICO has used PECR aggressively against firms that scrape lookup directories for marketing data.
Why Mobile Number Masking GDPR Rules Bite Harder Than Landlines
If everything we just said about identification is correct, why do most lookup directories happily publish full landline numbers but mask mobiles? The answer is reasonable expectation of privacy, and a few practical realities about how UK numbering works.
A UK landline (an 01, 02 or 03 number) is usually tied to a geographic address and a registered business. The number is published in Companies House filings, on the business’s own website, in invoices, in Ofcom number-allocation databases, and in trade directories that have existed for decades. The owner can reasonably expect that the number is part of their public commercial presence. By contrast, a mobile number is tied to a person. Even when it appears on a business card, the holder generally treats it as a private channel. The ICO uses the phrase “reasonable expectations” all over its guidance for a reason: it is the test that decides whether you have a lawful basis under Article 6.
There is also a numbering-stability problem. Ofcom reallocates landline ranges and mobile prefixes when they have been unused for a fixed quarantine period. We cover the full mechanics in our deep-dive on Ofcom number reallocation and what it means for UK landlines. The short version is that mobiles change hands much faster than landlines. A directory entry that was accurate two years ago can ring a complete stranger today, which makes any unmasked mobile number a higher complaint risk than the equivalent landline.
The “Sensitive Identifier” Argument
Mobile numbers are also used as second-factor authentication tokens, banking lookup keys and password-reset destinations. A publicly available mobile number is therefore not just a contact identifier — it is part of an individual’s security perimeter. The ICO has not declared mobile numbers “special category” data under Article 9, but it has accepted submissions from charities and victim-support groups arguing that publication of a mobile number can directly enable harassment, stalking and SIM-swap fraud. That argument has shaped enforcement priorities even where the formal classification has not changed.
What Mobiles Do That Landlines Do Not
- Travel with the individual through job changes, divorces, house moves and relationship breakdowns.
- Serve as a default 2FA destination for banks, government services and email providers.
- Carry SMS notifications that reveal lifestyle, medical and financial detail by inference.
- Resolve through every major messaging app (WhatsApp, Signal, iMessage) to a profile photo and “last seen” status.
- Are typically allocated for life — many UK mobile numbers have been with the same person for over fifteen years.
Each of those points raises the privacy risk of publishing a UK mobile number relative to a landline. None of them, on its own, makes publication unlawful. Taken together, they explain why the ICO expects directories to apply extra care, and why we mask by default.
How the Masking-Last-4 Rule Works on This Site
Connection Technologies operates a free UK phone number checker, a reverse phone lookup directory and a set of carrier-specific report pages. Across every public surface, UK mobile numbers (prefix 074, 075, 077, 078 and 079) are displayed with the last four digits replaced by asterisks. A full number such as 07400 123456 appears in directory listings as 07400 12****.
Showing the first seven digits keeps the listing useful. Visitors can confirm the prefix and the range, see network attribution where we have it, and read aggregated reports from other people. They cannot, however, dial the number from the masked listing. To call back or verify, you need either to enter the full number yourself (the masking unlocks for your own input) or to have already received the call.
The rule is implemented at three layers:
- Storage layer. We store the full number in the portal database so that reports map to a single canonical record. Storage is encrypted at rest, and only authorised staff have read access through audited internal tooling.
- Render layer. Every public template runs the number through a masking helper that returns the first seven digits plus four asterisks for any 074x-079x prefix. The helper is the only function permitted to print mobile numbers on a public page.
- Cache layer. Page caches and the CDN store the masked output. We never push an unmasked mobile number into edge caches.
If we cannot positively identify a number as a UK mobile (a prefix we do not recognise, or a partial submission), we default to masking. The fallback is always to mask more, not less.
What Happens When the Caller Reports a Number Themselves
The masking rule has one carefully scoped exception. If you are the person who received a call and you submit a report through our number checker, your own session sees the full caller number you submitted. We do not strip the last four digits from your view of your own report. The masking only applies to other visitors browsing the public directory, which is where the GDPR exposure sits.
This matters because the lawful basis we rely on for directory publication is Article 6(1)(f) — legitimate interests in helping the public identify scam, nuisance and fraud numbers. Helping a person verify a number they have just received is squarely inside that interest. Allowing a stranger to dial a third party’s full mobile from the directory is not.
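The render-layer helper, the mask-by-default fallback and the own-session exception described above can be sketched as follows. This is an added example, not Connection Technologies’s own code; the function names, the `own_submissions` set and the choice to treat only 01/02/03 numbers as positively non-mobile are assumptions.

```python
import re

# Mobile ranges named in the article.
MOBILE_PREFIXES = ("074", "075", "077", "078", "079")
# Assumption: only the landline ranges the article names (01, 02, 03) count
# as "positively identified as not a mobile". Everything else is masked.
LANDLINE_PREFIXES = ("01", "02", "03")


def normalise(raw: str) -> str:
    """Reduce user or database input to national-format digits ('0...')."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+44"):
        # Also covers the common '+44 (0)7...' spelling.
        digits = "0" + digits[2:].lstrip("0")
    elif digits.startswith("0044"):
        digits = "0" + digits[4:].lstrip("0")
    return digits


def classify(national: str) -> str:
    if len(national) == 11 and national.startswith(MOBILE_PREFIXES):
        return "mobile"
    if len(national) in (10, 11) and national.startswith(LANDLINE_PREFIXES):
        return "landline"
    return "unknown"  # unrecognised prefix or partial submission


def mask(national: str) -> str:
    """Replace the last four digits with asterisks."""
    if len(national) <= 4:
        return "****"  # nothing safe to show
    masked = national[:-4] + "****"
    # Full-length numbers are displayed as '07400 12****'.
    return f"{masked[:5]} {masked[5:]}" if len(national) == 11 else masked


def render_public(raw: str, own_submissions: frozenset = frozenset()) -> str:
    """The only function allowed to print a number on a public page.

    own_submissions holds the normalised numbers this visitor's session
    submitted, so a reporter still sees the full number they typed in.
    """
    national = normalise(raw)
    if national in own_submissions:
        return national
    if classify(national) == "landline":
        return national
    # Mobile or unknown: always mask more, never less.
    return mask(national)
```

Because the cache layer stores rendered output, a page rendered with a non-empty `own_submissions` must be excluded from shared caches.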
How This Compares to Other UK Lookup Sites
Some UK lookup sites still publish full mobile numbers. A few mask only the middle three digits. A handful mask the first half, which is the worst option for everyone — the prefix is the part that helps you identify scam campaigns, while the last four are what enable a callback. Last-four masking is the option that minimises subject risk while keeping the listing genuinely useful to people trying to identify a suspicious caller from one of the top UK phone scams of 2026 or work out whether an 0800 caller is genuine.
Subject Rights: SAR, Erasure and Objection
Once a mobile number sits in a database — masked or not — the holder gets a portfolio of rights under UK GDPR Articles 12 to 22. Three of those rights drive almost every takedown request we see.
Subject Access Request (SAR)
A SAR is a formal request under Article 15 for a copy of every piece of personal data you hold about the subject, plus information about how it is processed. The subject does not need to use the words “subject access request”; the right is triggered by any clear request for “the data you hold about me.” We must respond within one calendar month, free of charge, in a commonly used electronic format. If a request is “manifestly unfounded or excessive” we can charge a reasonable fee or refuse, but the threshold is high and the ICO is unforgiving when refusals are challenged.
For a phone-number directory, a SAR usually returns: the full number, every report we have ever associated with it, the timestamps and IP-based country of each report, any network attribution we have, the masked version we display publicly, and a copy of the audit trail showing every time the record was modified. We do not return reporter identities — the reporters are separate data subjects whose own privacy we have to balance.
Right to Erasure (Article 17)
The “right to be forgotten” lets a subject ask for personal data to be deleted. The right is not absolute. It applies most strongly when the data is no longer necessary, when the subject withdraws consent on which processing relied, when the subject objects under Article 21 and there is no overriding legitimate interest, and when the data has been unlawfully processed. We treat any erasure request for a UK mobile number as presumptively valid, on the basis that the subject’s privacy interest almost always outweighs our editorial interest in keeping the number listed. Exceptions are narrow and usually involve confirmed fraud reports from police forces.
Right to Object (Article 21)
The right to object is the weapon of choice against legitimate-interests processing. Where we rely on Article 6(1)(f), the subject can object on grounds relating to their particular situation. We must then stop processing unless we can show compelling legitimate grounds that override the subject’s rights. For directory listings, “compelling grounds” is a high bar. We rarely meet it and we rarely try.
Operating a Takedown Queue You Can Defend to the ICO
The most common UK GDPR mistake we see in B2B directories is not the masking decision — it is the takedown workflow. A regulator will accept that you publish mobile numbers, with or without masking, as long as your subject-rights workflow is fast, well documented and consistent.
Our queue uses a single SLA: a verified takedown request for a UK mobile number is acted on within 72 hours, and the formal Article 12 response is sent inside seven calendar days. The statutory deadline is one calendar month, so we sit well inside it. The faster timeline matters because every hour an objection sits in a backlog is an hour where the subject’s number is still visible to scrapers and competitors.
Verification Without Friction
Identity verification has to be proportionate. Asking for a passport scan to remove a single phone number is unlawful — the ICO has been blunt about that. We use a layered approach:
- The subject submits the request through a form that captures the number, a contact email and a free-text reason.
- We send an SMS to the number with a six-digit code. Receiving and replying with the code proves control of the SIM.
- If the SMS bounces (ported number, dead SIM, voicemail-only) we accept an email confirmation that matches the contact record we have, or a written explanation.
We never ask for a driving licence or passport for a routine erasure. We do ask for police reference numbers if the subject is alleging harassment or stalking, because those records change the lawful basis for any onward reporting we do.
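One way to implement the SMS step so that the six-digit code proves control of the specific number being removed, shown as an added example rather than the site’s own code. The ten-minute expiry, the five-attempt limit, the in-memory record and all names are assumptions; sending the SMS is left to whatever gateway is in use.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 600  # assumption: code valid for ten minutes
MAX_ATTEMPTS = 5        # assumption: five guesses, then the challenge locks
# Assumption: in production this key comes from a secret store. Keying the
# digest means a leaked challenge table cannot be brute-forced offline, which
# a plain hash of a six-digit code would allow (only 1,000,000 candidates).
SERVER_KEY = secrets.token_bytes(32)


def _digest(nonce: bytes, number: str, code: str) -> bytes:
    # Binding the number into the MAC means a code issued for one number
    # can never verify a takedown request for a different one.
    message = nonce + f"{number}:{code}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).digest()


def issue_challenge(number: str, now: float):
    """Return (code, record). The code goes to the SMS gateway only;
    the record, which never contains the code itself, is what gets stored."""
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
    nonce = secrets.token_bytes(16)
    record = {
        "number": number,
        "nonce": nonce,
        "digest": _digest(nonce, number, code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
        "verified": False,
    }
    return code, record


def check_reply(record: dict, submitted: str, now: float) -> str:
    """Return 'verified', 'wrong_code', 'expired', 'locked' or
    'already_verified'. Expired or locked challenges fall through to the
    email / written-explanation route the article describes."""
    if record["verified"]:
        return "already_verified"
    if now > record["expires_at"]:
        return "expired"
    if record["attempts_left"] <= 0:
        return "locked"
    record["attempts_left"] -= 1  # count the guess before comparing
    candidate = _digest(record["nonce"], record["number"], submitted.strip())
    if hmac.compare_digest(candidate, record["digest"]):  # constant time
        record["verified"] = True
        return "verified"
    return "locked" if record["attempts_left"] == 0 else "wrong_code"
```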
Audit Trail and Internal Logging
Every action on the takedown queue is logged. We record the timestamp, the actioning operator, the before-and-after state of the record, the verification method used, and the eventual outcome. The log is immutable in production and is retained for six years, which matches the ICO’s expectations for accountability under Article 5(2). If a subject re-submits a request, we can show that the previous record was actually deleted and is not lingering in a soft-delete table.
When We Decline a Request
We decline a small number of requests every quarter. The grounds are narrow and always documented: numbers tied to active police investigations where we have a confirmed crime reference number, numbers that appear in our own carrier-allocation data as never having been a UK mobile (so the requester is not the subject), and a handful of repeat or vexatious requests where we have already taken the action being requested. In every declined case we send a written explanation, point to the ICO complaints route and offer a free internal review.
Practical Compliance for B2B Directories Beyond Connection Technologies
If you operate any kind of B2B contact directory in the UK in 2026 — a recruitment platform, a CRM enrichment service, a sales-prospecting list, or a niche trade index — the same UK GDPR framework applies to you. There are six things that consistently separate compliant operators from ICO targets.
1. Document Your Lawful Basis Before You Publish
You need a written record of why you publish each category of personal data and which Article 6 basis you rely on. For mobile numbers the choice in practice is consent (rare in scraped or directory contexts), legal obligation (almost never relevant), or legitimate interests. If it is legitimate interests, write the three-part test — purpose, necessity, balance — and sign it off at director level. The ICO will ask for that document on the first day of an investigation.
2. Run a DPIA for Any New Data Source
Article 35 requires a Data Protection Impact Assessment for processing “likely to result in a high risk to the rights and freedoms of natural persons.” Scraping or buying a mobile number list is exactly that. The DPIA should describe the source, the volume, the retention period, the masking or display rules, the subject-rights workflow and the residual risk after mitigation.
3. Apply the Same Masking to Every Surface
It is not enough to mask numbers on your public website. The same rule must apply to your API responses, your XML sitemap, any PDF exports, your internal CRM-export feature and any partner integrations. Auditors look for the leak path, not the headline page. We have seen directories with perfect on-page masking and a JSON feed that returned the unmasked number to anyone with a URL.
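A check for the leak path described above, as an added example (not taken from any real directory): it walks a JSON response and reports every location where a full UK mobile number appears. The feed structure, the field names and the 07700 900xxx sample numbers are constructed.

```python
import json
import re

# Separators people put inside phone numbers; stripped before matching so
# '07700-900456' and '+44 (0)7700 900123' are both caught.
_SEPARATORS = re.compile(r"[\s\-().]")
# National or international form of the mobile ranges named in the article
# (074, 075, 077, 078, 079) followed by the remaining eight digits.
# Deliberately unanchored: a scanner should over-report, not under-report.
_UK_MOBILE = re.compile(r"(?:\+?44|0)0?7[45789]\d{8}")


def _is_unmasked(value) -> bool:
    return bool(_UK_MOBILE.search(_SEPARATORS.sub("", str(value))))


def find_unmasked_mobiles(node, path="$"):
    """Return the JSON paths of every value (or object key) that still
    contains a full mobile number. Masked values such as '07400 12****'
    do not match because the last four characters are not digits."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if _is_unmasked(key):
                hits.append(f"{path} (object key)")
            hits += find_unmasked_mobiles(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_unmasked_mobiles(value, f"{path}[{index}]")
    elif isinstance(node, (str, int)) and not isinstance(node, bool):
        # Numbers stored as integers (447700900123) leak just as well.
        if _is_unmasked(node):
            hits.append(path)
    return hits


# Constructed sample: the on-page 'display' field is masked correctly, but a
# 'canonical' field and a free-text note still carry full numbers.
SAMPLE_FEED = json.loads("""
{
  "results": [
    {"display": "07400 12****", "reports": 14, "network": "unknown"},
    {"display": "07700 90****", "canonical": "+44 7700 900123", "reports": 3},
    {"display": "020 7946 0000",
     "notes": ["caller left voicemail", "call back on 07700-900456"]}
  ],
  "next": "/api/numbers?page=2"
}
""")

if __name__ == "__main__":
    for location in find_unmasked_mobiles(SAMPLE_FEED):
        print("unmasked mobile at", location)
```

Run against captured responses from every surface (API, sitemap, exports) in CI, the check fails the build when any path is returned.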
4. Honour TPS and CTPS Even If You Are Not Marketing
The Telephone Preference Service is the legal floor for marketing calls, but the ICO treats publishing a TPS-registered number alongside contact details as evidence of weak data hygiene. Many directories now scrub their lists against the TPS and CTPS monthly and remove or further-mask the matches. The cost is trivial and it removes a common complaint vector.
5. Plan for Bulk Takedowns
Once you appear in the press, on social media or in a popular consumer-rights blog, takedown requests can spike from two a week to two hundred a day. Your queue and your verification flow have to scale. If verification depends on a single staff inbox, you have a single point of failure. Automate SMS verification, route inbound requests into a ticketing system and resource the queue ahead of any media attention.
6. Train Your Sales Team Like It Is Your Compliance Team
Most ICO enforcement begins with a complaint from a single subject who could not get someone in your business to take their request seriously. A polite, well-trained first-line response often turns a complaint into a closed ticket. A defensive or evasive one turns it into a regulator’s letter. For sales-led organisations, that culture point usually matters more than any technical control.
ICO Enforcement Examples and What They Teach Us
The ICO publishes its monetary penalty notices on its website. A handful of cases since 2022 are directly relevant to anyone publishing or using UK mobile numbers commercially.
In late 2022 the ICO fined a UK lead-generation firm £130,000 under PECR for making more than 75,000 unsolicited marketing calls to TPS-registered mobiles. The fine itself was modest by GDPR standards, but the supporting decision notice walked through how the firm had bought a “verified business contacts” list, never run it against TPS, and could not produce any record of consent. The lesson was that a clean purchase document does not make the underlying data clean.
A 2023 case involved a recruitment platform that had imported candidate CVs from a defunct competitor. The platform never asked candidates for consent to the transfer and never offered them an objection route. The ICO required deletion of the entire dataset and imposed a six-figure fine. The CV data included mobile numbers, and those numbers were the trigger for most of the original complaints.
In 2024 the ICO targeted a UK reverse-lookup site that published full UK mobile numbers without masking, did not respond to erasure requests inside the statutory window, and had no documented lawful basis. The published reprimand stopped short of a fine but imposed an enforceable undertaking covering masking, takedown SLAs and quarterly compliance reporting to the ICO for two years. We treat that reprimand as the de facto operating standard for any UK directory publishing mobile numbers, and our internal controls map directly onto its requirements.
In early 2026 the ICO opened a thematic review of “spam-likely” labelling by mobile networks. The review focused on transparency: do subjects know how their number ended up flagged, and can they object? It is an open file at the time of writing. We track the review closely and we wrote up the engineering side in our deep-dive on how UK networks decide that a number is “spam likely” on iPhone. The same principles will probably be applied to directories within the next twelve months.
What This Means for Your Business in 2026
If you are reading this because your number appears in a directory and you want it removed, the path is short: send a written objection to the directory’s published data-protection address, give them the number and a contact email, and reference Articles 17 and 21. The directory has one calendar month to act. If they do not, you can escalate to the ICO at no cost and with no lawyer required.
If you are reading this because you run a B2B service that holds mobile numbers, you need three things on file by the end of this quarter: a written legitimate-interests assessment for each category of mobile number you process, a documented takedown workflow with named owners and an SLA, and proof that your public-facing systems mask UK mobile numbers by default. Those three artefacts will not eliminate UK GDPR risk, but they will move you from the “easy ICO target” pile to the “well-run UK directory” pile, which is where you want to be in 2026.
For everyone else, the practical advice is unchanged: treat your mobile number like a security credential, not a contact detail. Do not post it on a public page if you can avoid it, use a separate virtual number for any business listings, and report unsolicited calls through our number checker so that the wider community can see the pattern. If you would like help designing a compliant directory, a takedown workflow or a virtual-number strategy for your business, our team is happy to talk — start with our contact page or read more about our UK business mobile services.
Frequently Asked Questions
Yes. Under UK GDPR Article 4(1) a UK mobile number is personal data because it can be linked to a specific living individual. The ICO’s 2023 guidance confirms that a telephone number does not need to come with a name attached for GDPR to apply — if it is reasonably identifiable, it is personal data, and UK mobile numbers almost always are.
Because mobiles carry a reasonable expectation of privacy that landlines usually do not. A switchboard landline is generally a published business identifier, while a mobile is tied to one person, used for 2FA and banking, and travels with the individual through job and life changes. Our policy is to mask the last four digits of every UK mobile number on the public directory.
Yes. Under UK GDPR Article 17 (erasure) and Article 21 (objection) you can ask any UK lookup site to remove your number. The operator has one calendar month to act and must give a written reason if they refuse. Connection Technologies’s published SLA is 72 hours from verification, well inside the statutory window — submit a request through our number checker and we will action it.
A Subject Access Request (SAR) is a formal request under UK GDPR Article 15 for a copy of the personal data an organisation holds about you, plus information about how it is processed. The organisation must respond within one calendar month, free of charge, in a commonly used electronic format. You do not need to use the words “subject access request” — any clear written request for “the data you hold about me” triggers the right.
It depends on how you publish and how you respond to complaints. Publishing UK mobile numbers without a documented lawful basis, without masking and without an erasure workflow has attracted ICO enforcement, including fines and binding undertakings. Publishing with masking, a written legitimate-interests assessment and a fast takedown queue is generally accepted, although every case turns on its facts.
Submit the number through our UK phone number checker with the reason for removal. We send a six-digit SMS code to verify control of the SIM, action verified requests within 72 hours, and send a formal Article 12 response inside seven calendar days. Every step is logged for six years to meet UK GDPR accountability requirements, and you can re-submit or escalate to the ICO at any point.
