GDPR - Guidance for Marketing
A common concern with the forthcoming General Data Protection Regulation (“GDPR”) is the impact it will have on businesses’ marketing activities. Many businesses are unsure whether it is necessary to obtain fresh consent from their entire existing marketing database before conducting any marketing post 25th May 2018.
Lawful basis for direct marketing
Under the GDPR, if direct marketing involves the processing of personal data, businesses will have to demonstrate that they have a lawful basis (under Article 6 of the GDPR) to carry out direct marketing.
The GDPR also provides some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act 1998. This includes:
- the right to request the personal information a business holds about them;
- the right to erasure (known as the ‘right to be forgotten’) of their personal details from marketing databases; and
- the right to object to the processing of their personal data for direct marketing purposes (including profiling to the extent that it is related to direct marketing).
If a business processes personal data for direct marketing purposes, it must ensure that its procedures provide for these rights and, where applicable, set out how requests will be dealt with, including a timeline.
Relying on existing consent as a lawful basis for direct marketing
If a business currently relies on consent for the purposes of direct marketing and that consent complies with the requirements of the GDPR, it is not necessary for the data subject to give his or her consent again.
As a reminder, consent under the GDPR should be presented in a manner which is clearly distinguishable from other matters and is in an intelligible and easily accessible form using clear and plain language. Also, the data subject has the right to withdraw such consent at any time and should be informed of this right prior to giving his or her consent.
If a business’ existing consents do not comply with this requirement, it will need to obtain new consent from those individuals who it is proposing to market to and ensure that such new consent complies with the GDPR.
Legitimate interest as an alternative lawful basis for marketing
Consent is not the only lawful basis to carry out direct marketing. Recital 47 of the GDPR states that processing of personal data for direct marketing purposes may be carried out for a legitimate interest of the data controller concerned. If a business relies on its legitimate interest as a lawful basis for carrying out direct marketing, it is not necessary to also obtain consent. However, the legitimate interests condition does not override the requirements of the Privacy and Electronic Communications Regulation (“PECR”) which restricts the circumstances in which a business can market by phone, text, email or other electronic means.
Marketing via electronic mail
When sending unsolicited marketing material by phone, text, email or other electronic means to an individual (which also includes a sole trader or a partnership), a business must comply with the PECR in addition to the GDPR. The PECR requires data subjects' prior consent to any marketing via electronic mail. There is an exception to this however (known as the ‘soft opt-in’) if the following rules are satisfied:
- an individual’s details have been obtained in the course of a sale or negotiations for the sale of a product or service to that individual;
- where the messages are only marketing similar products or services; and
- where the person is given a simple opportunity to refuse marketing when their details are first collected and in every message after that.
In other words, if a business intends to carry out unsolicited electronic marketing, it may be able to do so on the basis of the soft opt-in referred to above as opposed to consent. In such circumstances, as the marketing is not based on consent in the first place, there is no requirement to seek new consent under the GDPR. However, a business must not send marketing material electronically to any individual who has said they do not want to receive it.
These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to other businesses (except to sole traders and partnerships). The only requirement is that the sender must identify itself and provide contact details.
The PECR is currently undergoing its own reform and will be replaced at some point in the future with the e-Privacy Directive. Although the draft e-Privacy Directive largely adopts the existing rules under the PECR as referred to above, until its final form has been approved, it is unclear whether or not there will be significant changes. The European Commission has stated that it wishes to adopt the e-Privacy Directive to tie in with the GDPR but whether or not this will be achieved is uncertain.
In addition to complying with the GDPR and the PECR, businesses should not market to individuals or organisations who have registered their numbers with the Telephone Preference Service (TPS) and Fax Preference Service (FPS) without the individual’s specific prior consent.
Marketing via post
If a business wishes to send marketing material via the post (e.g. details about a new product or service to its existing customer base), it can rely on its legitimate interests and will generally not require consent from its customers. However, as with electronic marketing, customers who are individuals must be offered an opt-out and if a customer asks to be taken off a mailing list, such a request must be complied with.
Businesses should also consider the Mailing Preference Service (“MPS”) and review their lists against those people who have registered on the MPS that they do not want to receive 'junk mail'. This will help save money, time and resources by not sending material to people who do not wish to receive it.
The GDPR and PECR rules referred to above do not apply to marketing material which is not addressed to individuals such as leaflets or inserts although any business conducting such activity will still need to comply with any other relevant codes.
There are a number of other rules and industry specific codes of practice relating to marketing which businesses should ensure they are familiar with but these are outside the scope of this article.
The new Data Protection Bill was published in September 2017 and is currently making its way through Parliament. It is too early to know what form the final Data Protection Bill will take and it may differ from the GDPR in some respects. Brachers will continue to monitor the situation and highlight any differences that are likely to have a material effect.