GDPR accountability shapes UK direct marketing code

Out-Law News | 20 Jan 2020 | 3:24 pm

The principle of accountability enshrined in the General Data Protection Regulation (GDPR) is reflected in a UK regulator's proposed new code of practice on direct marketing.

The Information Commissioner's Office (ICO) opened a consultation on a new draft direct marketing code last week in which it has encouraged businesses to plan their direct marketing activities.

The term 'direct marketing' encompasses the promotion of aims and ideals as well as the advertising of goods or services. Businesses processing personal data for direct marketing purposes are subject to the GDPR and UK Data Protection Act, and they may also be subject to the rules outlined in the Privacy and Electronic Communications Regulations (PECR) where their direct marketing activities are carried out via specific forms of electronic communication, including emails, phone calls, text messaging and in-app messaging.

"It is important to plan your direct marketing activity before you start so that you can build in data protection and PECR," the ICO said in its draft code. "It is hard to retrofit GDPR and PECR into your direct marketing activities once you have started the processing and you may find that you are infringing on the direct marketing rules by not having planned properly. This in turn may also harm your reputation and your relationship with your customers or supporters. Therefore it makes good business sense to properly plan ahead."

"A key part of GDPR is accountability. You are responsible for ensuring that your direct marketing practices are compliant and you must be able to demonstrate your compliance. You are likely to need to: adopt data protection policies; take a ‘data protection by design and default’ approach; maintain documentation of your processing activities; have written contracts with organisations that process personal data on your behalf; and carry out data protection impact assessments (DPIAs)," the ICO said.

According to the ICO's draft code, it is best practice for businesses engaging in direct marketing to carry out DPIAs for new projects even if there is no legal obligation on them to do so. DPIAs are a legal obligation in some circumstances under the GDPR, including where the processing of personal data is likely to present a high risk to individuals.

The draft code also addresses the lawful bases for processing personal data for direct marketing purposes. The ICO's good practice recommendation is that organisations obtain consent to the data processing even if there are other lawful means of proceeding with the processing.

While consents can be obtained through third parties, the ICO recommended that businesses "do not rely on consent that was given more than six months ago" in such circumstances.

The information commissioner is under an obligation to set out a code of practice to regulate direct marketing activities under the Data Protection Act. The ICO last updated its guidance on direct marketing in 2018, shortly before the new Act took effect.

The draft new code is open to consultation until 4 March. The ICO is expected to publish the finalised code later this year.