This checklist is designed to help you comply with the law and good practice. You should use it alongside the direct marketing guidance and other resources on our direct marketing hub.
The data protection law in the UK is the UK GDPR and the Data Protection Act 2018 (DPA 2018). The UK law covering e-privacy is the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR).
As well as this checklist, we have other ones to help you assess your compliance. These other checklists cover particular methods of getting direct marketing to people or specific parts of the law. See the further reading box at the end of this checklist for more information.
Identify direct marketing
Check whether what you want to do counts as direct marketing:
☐ We understand and can identify when what we want to do is for direct marketing purposes.
☐ We check if the messages we want to send contain direct marketing and, if so, we make sure that we comply with all the relevant rules (including PECR where appropriate).
☐ If our messages don’t contain direct marketing, we still ensure that we comply with data protection rules as normal.
Plan direct marketing
Plan how you will protect people’s information from the start:
☐ We take a data protection by design approach to our direct marketing activities and we build in compliance with data protection and PECR before we start.
Think about what information you want to use
☐ We think about what type of information we want to use for our direct marketing and we understand when we will be using people’s information.
☐ We ask for explicit consent from people if we want to use their special category data (eg health information) for direct marketing purposes.
☐ We take particular care if we want to use children’s information for direct marketing purposes.
Think about the marketing activity you want to do
☐ We check which rules apply to the method that we want to use to get our direct marketing to people.
☐ We check against the relevant preference services before sending direct marketing messages (eg the Telephone Preference Service for live calls and the Mailing Preference Service for post).
☐ If required by PECR, we get consent to send direct marketing messages and we make sure that the consent is valid.
☐ We check against our own ‘do not contact’ list before sending our direct marketing so we don’t contact people who’ve asked us not to.
☐ If we want to use social media for direct marketing, we make sure it’s fair to do this and we tell people about it.
☐ We make it clear who we are when we send direct marketing messages (including displaying our phone number when making marketing calls).
☐ We ensure it’s fair and lawful to share people’s information with others for direct marketing purposes and we tell people about this.
Think about who is responsible
☐ If we work with other organisations on our direct marketing, we’re clear who is responsible for complying with data protection and PECR rules.
Think about your data protection lawful basis
☐ When we use people’s information for direct marketing, we have a valid data protection reason (“lawful basis”) for each of our activities and we carefully consider which basis is appropriate.
Think about accuracy and how long to keep information
☐ We ensure, as far as possible, that the information we have for direct marketing is accurate and up to date (without taking intrusive steps to update it).
☐ We don’t keep people’s information for direct marketing longer than we need it and we’ve set clear policies on how long we keep it for.
Collect information and generate leads
When you collect information for direct marketing, do it fairly and transparently:
☐ We give people privacy information about our direct marketing when we collect their information from them. If we didn’t collect it directly from them, we give them privacy information no later than one month from getting their information.
☐ We clearly explain in our privacy information the direct marketing activities we want to use people’s information for.
☐ We use clear, plain language in our privacy information, taking into account the people whose information we are collecting.
☐ We tell people how they can use their right to object to direct marketing.
☐ We only collect people’s publicly available information to use for direct marketing purposes if it’s fair to do so, and we tell them about it.
☐ We don’t get additional contact details on our customers or supporters from other sources to use for direct marketing, unless they have agreed to this.
☐ If we find that someone’s contact details for direct marketing are out of date, we only get their new details from another source if that person made clear that they wanted this to happen.
☐ If we profile people for direct marketing purposes, we make sure it’s fair to do so and we tell them about it.
☐ We do appropriate checks and due diligence before we buy or rent information for direct marketing purposes (including marketing lists), as well as ensuring that our use of the information complies with the law.
Respect people’s preferences
Always respect people’s direct marketing preferences:
☐ We respect people’s preferences for direct marketing and we make it easy for people to change their mind.
☐ We have a procedure in place to deal with people who opt out, unsubscribe or object to our direct marketing. We deal with these requests promptly.
☐ If someone objects to direct marketing, we stop using their information for this purpose.
☐ We make it easy for people to withdraw their consent, and if it’s withdrawn we stop any direct marketing based on that consent.
☐ We keep a ‘do not contact’ or suppression list of people who opt out, unsubscribe or object to our direct marketing.
☐ If someone asks us to delete their details, we consider if it’s appropriate to put a small amount of their information on our ‘do not contact’ list. This stops us using their information for direct marketing in future.
5 December 2022 - This content was published.