GDPR and direct marketing

This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined. 

Many organisations make use of various means to contact prospective customers. Often this can be in the form of emails, some of which could be considered ‘marketing’. However, in many cases these emails are not random and shotgun in approach but rather they are targeted towards someone who may have expressed some interest in hearing more about a specific topic in the past. As is often case there is broad spectrum when it comes to direct marketing. What could be one person’s irritating marketing email could be another person’s highly valuable business opportunity.

Recently a member asked these two questions.

What impact, if any, does GDPR have on our ability to approach identified target acquirers cold? And what additional steps do we need to take in that regard as a result of GDPR?

My response was:

We have tried address the topic of direct marketing in a recent blog post. While this form of approach may not be viewed as strictly marketing, much of the guidance on this topic will be set out by the Direct Marketing Association, which follow the ICO code of conduct.

In this case, it would seem reasonable to use “Legitimate interest” as the basis of processing the personal data, in this case a direct email to someone. However I would strongly recommend obtaining written consent within 30 days of this approach to ensure that you could continue to market directly to individuals.

Also, see this blog post (How can I tell if I am GDPR compliant or not?).

The second question posed was:

We also have a database of individuals and corporates who we have previously approached or who have previously expressed an interest in looking at opportunities that we have. What action do we need to take in respect of those contacts? Presumably, we need to write to them again and ask them to confirm that they want us to continue contacting them?

My response was:

In the case of the marketing database, it is highly recommended to gain express consent from the individuals named in the database. It is worth keeping in mind that as these people have previously expressed an interest in receiving such emails then I would expect there to be a very high positive opt-in rate. Essentially the value of such a contact database will improve.

Many professionals are asking similar questions. We continue to wait for answers from the ICO. The latest Houses of Parliament briefing paper that I have seen on the new Data Protection Act (published 28 February) expects the ICO to [prepare] “a direct-marketing code of practice”. Hopefully, that arrives soon.

The overall principle of GDPR is being accountable for how you use, process and protect personal data. By understanding your use of personal data will help you adhere to the central principles of GDPR.

Our GDPR hub is here: