30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesThe Information Commissioner's Office (ICO) opened a consultation on a new draft direct marketing code last week in which it has encouraged businesses to plan their direct marketing activities.
The term 'direct marketing' encompasses the promotion of aims and ideals as well as the advertising of goods or services. Businesses processing personal data for direct marketing purposes are subject to the GDPR and UK Data Protection Act, and they may also be subject to the rules outlined in the Privacy and Electronic Communications Regulations (PECR) where their direct marketing activities are carried out via specific forms of electronic communication, including emails, phone calls, text messaging and in-app messaging.
"It is important to plan your direct marketing activity before you start so that you can build in data protection and PECR," the ICO said in its draft code. "It is hard to retrofit GDPR and PECR into your direct marketing activities once you have started the processing and you may find that you are infringing on the direct marketing rules by not having planned properly. This in turn may also harm your reputation and your relationship with your customers or supporters. Therefore it makes good business sense to properly plan ahead."
"A key part of GDPR is accountability. You are responsible for ensuring that your direct marketing practices are compliant and you must be able to demonstrate your compliance. You are likely to need to: adopt data protection policies; take a ‘data protection by design and default’ approach; maintain documentation of your processing activities; have written contracts with organisations that process personal data on your behalf; and carry out data protection impact assessments (DPIAs)," the ICO said.
According to the ICO's draft code, it is best practice for businesses engaging in direct marketing to carry out DPIAs for new projects even if there is no legal obligation on them to do so. DPIAs are a legal obligation in some circumstances under the GDPR, including where the processing of personal data is likely to present a high risk to individuals.
The draft code also addresses the lawful bases for processing personal data for direct marketing purposes. The ICO's good practice recommendation is that organisations obtain consent to the data processing even if there are other lawful means of proceeding with the processing.
While consents can be obtained through third parties, the ICO recommended that businesses "do not rely on consent that was given more than six months ago" in such circumstances.
The information commissioner is under an obligation to set out a code of practice to regulate direct marketing activities under the Data Protection Act. The ICO last updated its guidance on direct marketing in 2018, shortly before the new Act took effect.
The draft new code is open to consultation until 4 March. The ICO is expected to publish the finalised code later this year.
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
Data, privacy & cyber
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW NEWS
A recent decision by the Court of Appeal in England & Wales highlights that judicial remedies cannot be used to unwind or amend regulated mortgages, an expert has said.
OUT-LAW NEWS
Businesses in Germany face increased risks of mass claims being raised against them if personal data they are responsible for is made available for sale on the ‘dark web’, experts have said following a ruling by the country’s highest court.
OUT-LAW NEWS
A major new review has been launched into the role of artificial intelligence across the finance sector launched by the UK’s financial watchdog.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
