Hi Des,
I am surprised by your lawyer’s response. It isn't entirely clear cut. This is because of the ways you are contacting people, namely by phone or by email. We need to add in a bit of context to explain this.
GDPR is the law which (will) govern all processing of personal data, no matter how that is done. GDPR provides for 6 legal bases of processing, they are:
6.1.a - Consent
6.1.b - Necessary for a contract to which the data subject is party
6.1.c - Necessary to fulfil a legal obligation
6.1.d - Necessary to protect the vital interest of the data subject ...
6.1.e - Necessary for a task carried out in the public interest ...
6.1.f - Necessary for the purposes of the legitimate interests of the data controller ...
It is unfortunate that consent comes at the top, because it should be considered as the basis you will 'have to use' if no other basis will do. As the ICO put it in their consent guidelines, if it's difficult it may be wrong. For prospecting using traditional media (i.e. not email, text etc) 'legitimate interests' is normally better.
Now, that said, you are contacting these people using a 'publicly available electronic network', so there is additional legislation that comes into play. Currently that law is the Privacy and Electronic Communication Regulations (PECR). PECR says that you can contact people by telephone so long as they can opt-out, and you screen your unsolicited calls against the TPS (and in your case CTPS) list. PECR also currently says the only people who you need consent to send emails to are 'individual subscribers'. A subscriber is the person who has a contract with the telecoms company, so this loophole is what allows the sending of unsolicited email to people in a work context, they do not have the contract with the telco, their employer does (caveat about sole traders and partnerships being 'natural persons').
BUT, sorry, more new laws, PECR will shortly be replaced by the ePrivacy Regulation (ePR). This was due to happen at the same time as GDPR, but is now delayed. In any case, ePR will happen, and this WILL (it's still min draft, so no-one can be 100% certain, but there is not even the slightest hint this won't be true) require email, text, and other 'over the top' services (maybe LinkedIn), to only be done on the basis of consent. ePR will not change the basis for telephone calling, that will be derogated to national governments, and so will stay the same.
So, to summarise, you must choose a legal basis for processing, and you must tell the data subject what that is. If you choose 'consent', the you WILL need consent; if you need to use unsolicited email, when ePR comes in you WILL need consent. BUT, if you want to telephone prospects, or mail them, then 'legitimate interests' would be a very valid alternative. Indeed Recital 47 of GDPR states direct marketing 'may be regarded as carried out for a legitimate interest.' That's a pretty strong hint.