Data Protection and Marketing

25 February 2016

Amethyst’s Ross Thomson discusses the new regulations all businesses should be aware of

The draft text of the EU General Data Protection Regulation (GDPR) received political agreement on 15 December 2015. The final text is expected to be published shortly and is predicted to come into force in spring/summer 2018, following a two-year implementation phase. It seeks to harmonise data protection law across the EU, tighten the rules in specific areas including consent, and greatly increase the penalties available where the law is deliberately flouted or ignored. Businesses need to be aware of the new regulation and its relevance to them.

Marketing is a case in point: a tool which, when used well, can greatly increase sales and profitability, but which, when used badly, can damage the brand, annoy existing and potential customers and in some cases break the law. The two current laws most relevant in this area are the Data Protection Act (DPA) 1998 and the Privacy and Electronic Communications Regulations (PECR) 2003. It is important to understand that contact details held on individuals, whether in a private capacity or in a business capacity, are both likely to be personal data under the Act, so organisations holding them must comply with the eight data protection principles. In accordance with the DPA, they must make clear to the individual whether any data is collected for marketing purposes and how the organisation intends to communicate with them, and every marketing communication must clearly identify who it is from. The Data Controller[1] must also ensure that, if marketing communications are outsourced, the data is protected in accordance with the seventh principle (security) of the Act. A key point is that individuals have an absolute right to object to direct marketing at any time by notifying the Data Controller.

Marketing to individuals relies on consent, defined as a fully informed and freely given indication of the Data Subject's wishes. For consent to be valid the Data Controller must ensure that: consent is obtained for each mode of marketing, e.g. post, email, telephone, SMS; the extent of any third-party marketing, including which personal data will be passed to third parties, is disclosed; the consent notice is legible and clearly worded and its location on the form is identified; and the right to withdraw consent is explained. Data Controllers can ask data subjects whether they consent to receive marketing communications in two different ways:

  • Opt In – where the data subject freely accepts the marketing by ticking the box and returning/submitting the form

  • Opt Out – where the data subject has to tick the box to reject the marketing (if they forget or skip the tick box but still positively return/submit the form, they are treated as having consented).

There are two exceptions where explicit consent does not have to be obtained.  The first can only be used in very special circumstances, and only where the Data Controller can legitimise marketing without consent.  The second is known as the ‘Soft Opt In’ and can apply if all of the following conditions are met:

  • where the business has obtained a person's details in the course of a sale or negotiations for a sale of a product or service

  • where the messages are only marketing similar products or services

  • where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.

The Data Controller is also required to establish a Suppression List and add individuals to it, e.g. when they unsubscribe from an email communication; the list is then used to block the processing of their personal data for marketing purposes.  The Controller must also seek to minimise complaints by ensuring the data is current, that communications are not targeted at minors or the deceased, and that there is a simple way to opt out.

In summary, the Information Commissioner’s Office has published on its website marketing recommendations which all organisations should seek to follow. They include:

  • Try to use permission based marketing

  • When collecting data, be up front and make it clear what the personal data is going to be used for

  • Avoid using pre-ticked consent boxes

  • Provide a simple, quick and no cost opt-out

  • Promptly comply with opt-out requests

  • Suppress details instead of deleting

  • Have a complaints system in place to deal with any problems/queries.
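The suppression list described above, and the ICO recommendation to suppress rather than delete, can be illustrated with a send-time check. The following is an added example and is not code from Amethyst or the ICO; all names, addresses and sources are hypothetical and constructed for the illustration. It normalises addresses so that case and whitespace differences do not defeat an opt-out, refuses to mail anyone without recorded consent, and shows why suppression beats deletion: a contact who opted out and is later re-acquired from another source is still blocked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Added example: a send-time suppression check. Hypothetical data model,
# not the original article's or any vendor's code.


def normalise_email(address: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return address.strip().lower()


@dataclass
class Contact:
    email: str
    source: str       # where the details came from, e.g. "webform", "sale"
    consented: bool   # opt-in recorded at collection time


@dataclass
class SuppressionList:
    """Opt-outs are kept, not deleted, so a later re-import cannot reach the person."""
    _entries: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)

    def suppress(self, email: str, reason: str, when: Optional[datetime] = None) -> None:
        key = normalise_email(email)
        self._entries[key] = (reason, when or datetime.now(timezone.utc))

    def is_suppressed(self, email: str) -> bool:
        return normalise_email(email) in self._entries

    def reason(self, email: str) -> str:
        return self._entries[normalise_email(email)][0]


def select_recipients(contacts: List[Contact], suppression: SuppressionList):
    """Return (send, blocked). A contact is mailed only with recorded consent and
    no suppression entry; the suppression check runs first so an opt-out always
    wins, and blocked entries carry the reason for an audit trail."""
    send, blocked = [], []
    for c in contacts:
        if suppression.is_suppressed(c.email):
            blocked.append((c, "suppressed: " + suppression.reason(c.email)))
        elif not c.consented:
            blocked.append((c, "no consent recorded"))
        else:
            send.append(c)
    return send, blocked


# Constructed sample data (hypothetical addresses and sources).
CONTACTS = [
    Contact("alice@example.com", "webform", consented=True),
    Contact("Bob@Example.com", "sale", consented=True),
    Contact("carol@example.com", "purchased-list", consented=False),
]


def demo():
    suppression = SuppressionList()
    # Bob clicks the unsubscribe link: suppress, do not delete.
    suppression.suppress("bob@example.com", "unsubscribed via email link")
    send, blocked = select_recipients(CONTACTS, suppression)

    # Bob later reappears from a different source with consent ticked on that
    # form. Because his opt-out was suppressed rather than deleted, he is still
    # blocked; had his record simply been deleted, nothing would stop this send.
    reimported = [Contact("BOB@example.com ", "trade-show list", consented=True)]
    send_again, _ = select_recipients(reimported, suppression)

    return ([c.email for c in send],
            [c.email for c, _ in blocked],
            [c.email for c in send_again])


if __name__ == "__main__":
    print(demo())
```

The check belongs at send time rather than at import time: an opt-out received after a list was loaded must still be honoured promptly, and filtering each campaign against the current suppression list is what achieves that.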

[1] “Data Controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
