The Information Commissioner's Office (ICO) warns firms that they must respect individuals' rights and prefernces about using their data for direct marketing purposes. They can object, and you must stop (or not start) using their information for that purpose.
In parallel with that, the General Data Protection Regulation (GDPR) applies wherever you are processing ‘personal data’. So, if you can identify an individual either directly or indirectly, the GDPR applies - whether your marketing is to consumers or businesses.
If you have the name and number of a lead on file, or their email address identifies them (i.e. initials.lastname@company.com), the GDPR applies. Even business cards fall under the GDPR if you file them or add them to a database.
In practice, those involved in business marketing can fall back on 'legitimate interests' as their justification. But remember that this must be 'real and not too vague'. In other words, make sure your targeting makes sense! Indiscriminately contacting people with no knowledge of what they do is likely to be a bad plan.
Key takeaways
- Businesses must respect people’s preferences when it comes to their data being used for marketing purposes.
- To ensure GDPR compliance when marketing, we’ve outlined 10 steps, from clear consent and storage limitation policies to data protection.
- Breaching the GDPR can cost a company up to €20 million or 4% of annual global turnover.
How to ensure GDPR compliance when marketing
- Make appropriate disclosures to data subjects via privacy notices - so they know who is collecting their information, what it will be used for, whether it will be shared with other organisations and when.
- Inform data subjects upfront of their right to object to data processing - via privacy notices and in your first communications with them.
- Get clear, explicit and unambiguous consent from individuals for any marketing activity - pre-filled boxes, silence or inactivity cannot be taken as a sign of consent. Remember that specific rules apply to data relating to children, special categories and vulnerable adults.
- Implement a consent withdrawal process - to ensure that if data subjects change their mind about marketing, they are not contacted in future and their wishes are respected.
- Honesty is the best policy - encourage everyone to report any data loss, theft or accidental transfer promptly. Cover ups can be costly under the GDPR.
- Establish a process to notify the relevant authority and data subjects if there is a personal data breach - You have 72 hours to notify the data authority and must inform affected individuals without undue delay if there is a high risk to their rights or freedoms.
- Only use 'clean' data lists from approved and trusted data suppliers - make sure any in-house lists you use for direct marketing do not contain the names of anyone registered with the Telephone Preference Services (CTPS/TPS). And if you do buy or rent data, verify in writing how the data was collected and permissions acquired - it's your reputation on the line, not theirs.
- Storage limitation - a core principle of GDPR is that you must not keep personal data for longer than you need it. The ICO advises that you should "periodically review the data you hold, and erase or anonymise it when you no longer need it."
- Don't forget about data protection - make sure your data is stored securely using IT. Measures such as access controls and ensure data is transferred securely and not downloaded and held on devices.
- Make sure your staff know the rules - it may seem an obvious point, but the rules are complex, and often an afterthought for those focusing on their day-to-day work. At a minimum, new employees need GDPR compliance training, and GDPR desk guides are a handy way to make sure everyone follows the rules. Remember, it's not just the marketing team that needs to know them, but everyone in the chain, from customer service and sales to finance.
ICO fines for GDPR marketing breaches
Breaching the GDPR can cost you up to €20 million or 4% of annual global turnover. If you're thinking the ICO doesn't take action, recent penalties might change your mind.
The examples below are all household names that could have easily avoided fines by simply following the tips outlined above.
- OSL Financial Consultancy was fined £50,000 by the ICO in December 2020 for illegally sending 174,342 nuisance marketing text messages. Investigators found they collected personal information from those requesting a quote, then used this data for marketing purposes. There was no opt-out option on marketing texts; hence valid consent had not been sought or obtained.
- Telecoms giant EE was fined £100,000 in June 2019 for sending over 2.5 million direct marketing messages to its customers, without their consent.
- Hong Kong airline Cathay Pacific was fined £500,000 in March 2020 for failing to protect the security of its customers’ personal data. Their computer systems lacked appropriate security measures which led to customers’ personal details being exposed.
- DSG Retail was fined £500,000 in January 2020 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
- Leave.EU was fined a total of £60,000 in February 2019 for sending almost 300,000 unsolicited communications without consent.
- In September 2020, CPS Advisory Ltd was fined £130,000 for making more than 100,000 unauthorised direct marketing calls to people about their pensions.
GDPR compliance: FAQs
What is a data subject in terms of the GDPR?
The “natural person” (identified or identifiable living individual) whose personal data is collected/processed/stored, such as a customer or an employee.
What is a privacy notice?
A public document that gives clear, easily understandable and transparent info about how your organisation collects, protects, stores and uses people’s personal data.
How does the ICO monitor GDPR marketing breaches?
Via public complaints, the TPS, and reports by companies themselves, as well as reviewing the effectiveness of a firm’s internal audit procedures.
Want to learn more about GDPR?
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection and GDPR Training Package offers a complete solution for your compliance programme. Courses in the libraries include:
- General Data Protection Regulation (GDPR) Training Course
- Data Protection Training Course
- Information Security Training Course
- Cybersecurity Training Course
We've created a comprehensive GDPR compliance roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.
Explore our collectionWritten by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.
