Analyse this

Data Protection

Data protection has been in the spotlight again in recent weeks, due to the chaos caused by the Cambridge Analytica and Facebook fiasco.

The world is waking up to just how precious personal data is, how powerful it is when harnessed by direct marketing, and how costly it can be if it’s not managed properly. Facebook lost $35bn in market value the first day the drama emerged.

The General Data Protection Regulation (GDPR) does not define direct marketing but the Data Protection Bill does, classifying it as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’.

This applies to all types of marketing and promotional work, whether you’re marketing for a commercial business, a not-for-profit organisation or a charity. So what should we take note of?


Sugging means selling under the guise of research. It occurs when a company contacts individuals for market research, thus avoiding direct marketing rules, when it actually intends to sell goods or services, or gather customer leads to market to later. This is not allowed and direct marketing rules must be followed if this is your intention.

Sound familiar? The storm surrounding Cambridge Analytica involves a relatively small number of Facebook users, who thought they were signing up to a simple survey. In fact it may have led to the personal data of up to 87 million people being used for direct marketing.


Businesses will, in the vast majority of cases, need to gain a person’s consent before they can send marketing texts or emails. Organisations will also require adequate consent to pass on customer details to another organisation.

GDPR-compliant consent is defined as an affirmative indication signifying agreement which is freely given, specific and informed.

In short it must be very obvious that a person has consented to direct marketing from your business, and we expect this will be carefully monitored by the Information Commissioner’s Office.

Steps for businesses to take

1. Make sure your marketing lists are up to date
Only include people on your list who have given genuine lawful consent, or whom you have a legitimate interest in contacting (e.g. existing customers on a “soft opt-in” basis). There is no point having someone on your marketing list who has shown no interest in your company in years. You can read more about this in our article last month.

2. Review your marketing activity and relevant consents
For each person, or data subject, you must ensure that you can show the consent you have, and evidence of this consent being given.

3. Don’t neglect internal communication
It’s not uncommon for businesses to market to their own employees, like a retail store offering staff discount on its products. The same external legal need for consent applies internally.

4. Create a suppression list
It is just as important to create a list of those who’ve opted out of receiving direct marketing, making sure they are no longer contacted by your organisation.

5. Consider entering the Corporate Telephone Preference Service (CTPS)
If you don’t want your business to receive unsolicited marketing calls, register your company on the CTPS and prevent unwanted phone calls.

As Facebook has shown, it pays to make sure your personal data is managed properly, and GDPR is here to help.

To learn more or for help with data protection, GDPR compliance or any IT legal issues, email [email protected] or call 0191 211 7777.