If your organisation plans direct marketing campaigns, find out what you need to know about protecting personal information here.
Watch Elizabeth Denham's keynote speech, screened at the DMA's Data Protection 2018 event on Friday 23 February 2018.
See the latest monetary penalties, enforcement notices, undertakings and prosecutions we have issued in the sector.
Recital 47 of the GDPR says direct marketing is a legitimate use of personal information, which is true. It is important to remember, however other rules also apply for example the Privacy and Electronic Communication Regulations 2003 (PECR). PECR restricts the circumstances in which you can market people and other organisations by phone, text, email or other electronic means. So when sending electronic marketing messages remember - you have to comply with both the data protection law and PECR. You can check the Direct Marketing Checklist and read the Direct Marketing Guidance to get a fuller picture of how to send marketing without breaking the rules.
If you're planning a marketing campaign, you'll have to comply with a number of regulations. Some of these apply to unsolicited electronic messages sent by telephone, fax, email or text, while others apply to marketing material sent by post.
Electronic mail marketing
The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you're targeting has given you their permission.
However, there is an exception to this rule. Known as the 'soft opt-in' it applies if the following conditions are met;
- where you've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
- where the messages are only marketing similar products or services; and
- where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages.
When you send an electronic marketing message, you must tell the recipient who you are and provide a valid contact address.
The rules on emails don't apply to emails sent to organisations, though you must still identify yourself and provide an address.
The Telephone Preference Service (TPS) and Fax Preference Service (FPS) are operated by the Direct Marketing Association, and allow people to register their numbers to opt out of receiving unsolicited calls or faxes. You must not market individuals or organisations who have registered their numbers with the TPS or FPS.
In summary, we recommend that your marketing campaigns are always permission-based and you explain clearly what a person's details will be used for. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints.
To ensure your marketing complies with data protection law and good practice see our direct marketing checklist - ideal for small businesses. For more information read our direct marketing guidance.
Postal marketing can form an important part of any organisation's overall marketing strategy. From simple flyers and response forms to competition entries and interactive CDs, postal campaigns can generate important new leads and business.
However, some postal marketing may be unwanted – more commonly known as ‘junk mail’. As with electronic marketing, if the person or organisation you're targeting asks to be taken off your mailing list, you must comply with their request. There are no exceptions to this rule, and if you fail to comply, they can apply to the courts for an order against you under section 11 of the Data Protection Act.
The Mailing Preference Service (MPS) is a service set up by the direct marketing industry to help people who don't want to receive 'junk mail'. People simply register their details to prevent further mailings, and several direct marketing codes of practice specify that marketers should clean their lists against the MPS file. Many of the companies who subscribe to the MPS recognise the considerable benefits of the service as they save money, time and resources by not sending material to people who don't wish to receive it.
To ensure your marketing complies with data protection law and good practice see our direct marketing checklist. For more information read our direct marketing guidance.
Requests for personal information
Your employees and customers have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. Find out more information on this and what you need to do to reply to a subject access request.