The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Step 1 of 1: Direct marketing

1.1 Direct marketing governance

Your business has defined and allocated responsibility for compliance with data protection legislation and PECR when carrying out direct marketing activities or roles.
Your business has approved and published direct marketing policies and procedures, which contain data protection and PECR guidance and are routinely reviewed to ensure they remain fit for purpose.

1.2 Direct marketing training

Your business ensures that you provide data protection training to all staff with direct marketing responsibilities (including temporary staff and contractors).

1.3 Lawful basis for direct marketing

Your business has obtained the necessary consent from individuals for marketing in compliance with data protection legislation and PECR (Privacy and Electronic Communications Regulations).
If you are relying on ‘legitimate interests’ as the lawful basis for your marketing activities, your business has applied the three-part test and complies with other marketing laws.

1.4 Bought-in lists

Your business has sought assurances about the origins and accuracy of any bought-in marketing lists to ensure that they were compiled fairly and lawfully.

1.5 Marketing lists

If your business sells marketing lists, all lists were compiled fairly and lawfully and accurately reflect people’s wishes.

1.6 Telephone marketing

Your business identifies itself when making live marketing calls and only makes them in compliance with PECR.
Your business identifies itself when making automated marketing calls and makes them only in accordance with the express wishes of both corporate and individual recipients in compliance with PECR.

1.7 Electronic mail

Your business identifies itself when sending electronic marketing messages and ensures you have the initial and ongoing permission of recipients in compliance with current legislation.

1.8 Postal marketing

Your business only sends marketing mail to named individuals who have not objected to receiving mailings in line with current legislation.

1.9 Marketing by fax

Your business identifies itself when sending marketing faxes and sends them only in accordance with the express wishes of recipients in compliance with data protection legislation and PECR.

1.10 Opt-out

Your business has mechanisms in place to ensure that individuals can opt out of marketing easily.

1.11 Retention of personal data

Your business has a retention policy and procedures in place for the personal data you hold for direct marketing.