GDPR Checklist - Direct Marketing Checklist

Article ID: 2844
Last updated: 31 Oct, 2019

DIRECT MARKETING CHECKLIST

Step 1 of 1: Direct marketing

1.1 Direct marketing governance

Your business has defined and allocated responsibility for compliance with data protection legislation and PECR when carrying out direct marketing activities or roles.

You should clearly allocate responsibility for the oversight of data protection when carrying out direct marketing activities.

Where appropriate you should have steering groups to monitor performance in data protection and discuss relevant issues.

You should have reporting lines and effective links between key roles to ensure a coordinated approach.

You need a targeted programme of work for direct marketing/data protection compliance, and management should routinely monitor progress.

1.2 Your business has approved and published direct marketing policies and procedures, which contain data protection and PECR guidance and are routinely reviewed to ensure they remain fit-for-purpose.

You should have policies and procedures, which are approved by senior management, to provide guidance to staff about how to comply with data protection and PECR legislation when carrying out direct marketing activities.

You need to communicate these policies to permanent, temporary and contract staff and review them regularly.

You should identify performance measures, which reflect organisational needs and risks, to allow you to monitor compliance.

You should undertake monitoring on a regular basis and report the results to the person with lead responsibility for direct marketing so that they can assess the risks and take appropriate action.

Conducting regular checks or audits of your direct marketing practices will help provide assurances of data protection and PECR compliance, and you should report the results to senior management.

1.3 Your business ensures that you provide data protection training to all staff with direct marketing responsibilities (including temporary staff and contractors).

You should brief all direct marketing staff on their data protection and PECR responsibilities on or shortly after appointment, with regular updates to maintain levels of awareness.

Awareness materials might include posters, office-wide emails, intranet updates, or data protection content in newsletters.

Where necessary, you should deliver specialised training to staff in particular identified roles, based on the job role requirements.

1.4 Lawful basis for direct marketing

Your business has obtained the necessary consent from individuals for marketing in compliance with data protection legislation and PECR (Privacy and Electronic Communications Regulations).

Under data protection legislation:

  • Consent must be a positive action that makes it clear the individual agrees to the use of their information for direct marketing;
  • Pre-ticked opt-in boxes are not permitted – silence or inactivity from the data subject will not show consent.

You should:

  • Ensure consent for marketing is “unbundled” from other requests for consent;
  • Inform the individual what methods of marketing communication you are going to use, eg email, text, phone, automated call, post;
  • Provide the individual with the option to choose their preferred method(s) of contact (this is termed granular consent). Individuals should not be forced to agree to all or nothing;
  • Make it easy for the individual to withdraw consent and tell them how;
  • Name your business and any third party relying on consent.

You should be able to identify the:

  • Name or other identifier of the individual;
  • Time and date when they gave consent;
  • Platform or mechanism you used to gain consent;
  • Exactly what it covers.

You should be easily able to update these records on receipt of any changes.

You should archive the text of the website, leaflet, contract, telephone script etc. you used to inform the individual at the time they provided consent. You should cross-reference this information with customer records so that you have an accurate record of what they consented to if you need to retrieve it.

If you operate more than one brand or linked business you must be specific about which business gained the consent. For cross brand marketing you should provide the names of all the brands at the time of gaining consent. You cannot assume that if an individual is agreeing to marketing from one brand that they are consenting to marketing from all the brands.

If you are offering online services to children and you need to obtain consent, you must adopt age-verification measures and seek parental consent for children under 13.

If you pass the details of individuals to third parties for marketing purposes then you must specifically request this consent. You must provide the individual with the name of any/all third parties. There must be enough detail to enable the individual to make an informed choice over marketing.

You should also review existing/legacy consents and consent mechanisms to check they meet the GDPR standard. If they do, you do not need to obtain fresh GDPR compliant consent.

However if the consent is not compliant you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

1.5 If you are relying on ‘legitimate interests’ as the lawful basis for your marketing activities, your business has applied the three-part test and complies with other marketing laws.

Not all marketing will require consent - legitimate interests could potentially be applied in situations where PECR doesn’t require consent eg postal marketing, live calls to numbers not registered on the Telephone Preference Service or electronic mail where the ‘soft opt-in’ applies.

Your business must:

  • Show that direct marketing is necessary for your purposes;
  • Carry out a balancing test;
  • Give data subjects a clear option to opt out of direct marketing when you initially collect their details.

You may not be able to rely on legitimate interests for direct marketing by electronic means. This is because PECR requires individuals to give consent to some forms of electronic marketing.

1.6 Bought-in lists

Your business has sought assurances about the origins and accuracy of any bought-in marketing lists to ensure that they were compiled fairly and lawfully.

You should not use bought-in lists for emails, texts or automated calls unless you have proof of 'opt-in' consent within the last six months, which specifically names your business.

If collecting consent of children, you should have appropriate evidence to demonstrate that you have taken steps to verify the child’s age and that you have obtained parental consent.

You should keep records of when and how consent was obtained, and exactly what it covers.

You may maintain a 'suppression list' of individuals who don't want to receive marketing. You should keep this list up to date and accurate and consider which staff should have access to it.

You should provide privacy information to individuals outlining:

  • What methods of marketing communication you will use;
  • Details of any sharing;
  • The purpose for any sharing that may take place (unless an exemption applies);
  • Your lawful basis for processing;
  • How individuals can withdraw their consent and/or object to the marketing.

1.7 Marketing lists

If your business sells marketing lists, all lists were compiled fairly and lawfully and accurately reflect people’s wishes.

You should ask for consent to pass contact details to third parties for marketing, and name those third parties.

You should keep records of when and how you obtained consent, and exactly what it covers.

You may maintain a 'suppression list' of data subjects who don't want to receive marketing. You should keep this list up to date and accurate and consider which staff should have access to this list.

If any third parties act as processors undertaking marketing work, you should have contracts in place to ensure the security of all data provided.

You should provide privacy information to individuals outlining:

  • What methods of marketing communication you will use;
  • Details of any sharing;
  • The purpose for any sharing that may take place (unless an exemption applies);
  • Your lawful basis for processing;
  • How individuals can withdraw their consent and/or object to the marketing.

1.8 Telephone marketing

Your business identifies itself when making live marketing calls and only makes them in compliance with PECR.

You must screen live marketing call numbers against the Telephone Preference Service (TPS) and/or the Corporate Telephone Preference Service (CTPS).

If you do not make calls with reference to a live database and instead create call lists, you should regularly update them as the status of consent may change.

At the start of every marketing call, you must identify your business and provide a valid business address or Freephone number. This can be in the content of an automated call recording or when asked during a live call.

If you are a direct marketing company registered in the UK, you must display your phone number when making unsolicited phone calls, even if your call centres are based abroad.

1.9 Your business identifies itself when making automated marketing calls and makes them only in accordance with the express wishes of both corporate and individual recipients in compliance with PECR.

The rules on automated calls (calls made by an automated dialling system which plays a recorded message) are stricter. You can only make these calls to people who have specifically consented to receiving them. Consent to receive live calls is not sufficient. Indirect consent (ie consent originally given to a third party) is also unlikely to be sufficient.

All automated calls must give the identity of the caller, and a contact address or Freephone number. You must allow your number (or an alternative contact number) to be displayed to the person receiving the call.

There is no need to screen against the TPS when making automated calls. It makes no difference whether or not a number is registered with the TPS. Even if the number is not on the TPS list, you cannot make this type of call without the person’s consent.

1.10 Electronic mail

Your business identifies itself when sending electronic marketing messages and ensures you have the initial and ongoing permission of recipients in compliance with current legislation.

You must ensure that you have prior 'opted-in' consent to send electronic marketing messages by email, text, picture or video messaging, or that the “soft” opt-in applies.

The ‘soft opt-in’ means you can send marketing texts or emails to existing customers if:

  • You have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
  • You are only marketing your own similar products or services;
  • You give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.

If you want to contact previous customers about similar products or services and consent was achieved using the ‘soft opt-in’, you should carry out regular checks to ensure that the consent is still valid.

Please note: not-for-profit organisations should take particular care when sending marketing communications by text or email; this is because the ‘soft opt-in’ exception only applies to commercial marketing of products or services.

You must identify your business and provide an easy means to opt-out of receiving further electronic marketing in every message.

1.11 Postal marketing

Your business only sends marketing mail to named individuals who have not objected to receiving mailings in line with current legislation.

You should maintain your own 'do not contact' list to screen those who have notified you directly that they object to receiving marketing mailings.

It is good practice to screen marketing mailings against the Mailing Preference Service (MPS).

If an individual objects to your marketing under the GDPR right to object to the processing of their personal data, then you should ensure you have processes in place to action their request within the one month timeframe.

1.12 Marketing by fax

Your business identifies itself when sending marketing faxes and sends them only in accordance with the express wishes of recipients in compliance with data protection legislation and PECR.

You should not send marketing faxes to individuals, including sole traders and some partnerships, unless they have specifically consented.

You should not send marketing faxes to any number registered with the Fax Preference Service (FPS), unless the receiver has specifically consented to receiving faxes from you.

All marketing faxes must include your business name and a contact address or Freephone number.

1.13 Opt-out

Your business has mechanisms in place to ensure that individuals can opt out of marketing easily.

It must be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

You must keep records to evidence consent – who consented, when, how, and what they were told. This will make it easier for people to withdraw their consent at any time.

Consider using preference-management tools so individuals can access and update their consent settings. Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.

Individuals can object to marketing if you are using ‘legitimate interests’ as your lawful basis for the direct marketing.

Individuals also have the right to opt out of marketing under PECR, if they originally consented through the ‘soft opt in’.

1.14 Retention of personal data

Your business has a retention policy and procedures in place for the personal data you hold for direct marketing.

Personal data you hold should be accurate and up to date. What is considered to fall under these categories will change over time and as your business needs change.

You should have processes in place to ensure that you correct or remove on a regular basis any personal data for direct marketing that is inaccurate or is out of date.

You should take reasonable steps to ensure the accuracy of personal data collected by direct marketing and to deal with challenges to the accuracy of personal data from individuals about whom information is recorded over time. This should allow for the personal data to be amended, removed or clarified where appropriate.

Where an individual advises that their data is inaccurate, or asks you to erase their data, then you should have processes in place to ensure you respond to their request within one month.

Data you collect through direct marketing activities should be adequate, relevant and limited to what is necessary. If you do not make decisions regarding what personal data you should hold for direct marketing then you are at risk of collecting excessive data and infringing the privacy of an individual, or you may hold too little to facilitate effective decision making about those individuals. Again what is adequate, relevant and not excessive will change with business need.

You should identify what types of records or data sets you hold and process as a result of direct marketing activities, what type of information these records hold and then discard, delete (weed) or anonymise personal data within records you hold as soon as it becomes surplus to your requirements.

Once you have identified the types of records or data sets you hold, you can assign retention periods. You can then destroy records securely once they reach the end of this retention period.

Revision: 11