Analyse This

Issue 35

Joe Torre, apprentice solicitor at Muckle LLP, cuts through the social media storm swirling around personal data with some legal dos and don'ts for direct marketing.

Data protection has been in the spotlight again in recent weeks, due to the chaos caused by the Cambridge Analytica and Facebook fiasco.

The world is waking up to just how precious personal data is, how powerful it is when harnessed by direct marketing, and how costly it can be if it’s not managed properly. Facebook lost $35bn in market value the first day the drama emerged.

The General Data Protection Regulation (GDPR) does not define direct marketing but the Data Protection Bill does, classifying it as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’.

This applies to all types of marketing and promotional work, whether you’re marketing for a commercial business, a not-for-profit organisation or a charity. So what should we take note of?


Sugging means selling under the guise of research. It occurs when a company contacts individuals for market research, thus avoiding direct marketing rules, when it actually intends to sell goods or services, or gather customer leads to market to later. This is not allowed and direct marketing rules must be followed if this is your intention.

Sound familiar? The storm surrounding Cambridge Analytica involves a relatively small number of Facebook users, who thought they were signing up to a simple survey. In fact it may have led to the personal data of up to 87 million people being used for direct marketing.


Businesses will, in the vast majority of cases, need to gain a person’s consent before they can send marketing texts or emails. Organisations will also require adequate consent to pass on customer details to another organisation.

GDPR-compliant consent is defined as an affirmative indication signifying agreement which is freely given, specific and informed.

In short it must be very obvious that a person has consented to direct marketing from your business, and we expect this will be carefully monitored by the Information Commissioner’s Office.

Steps for businesses to take…

1. Make sure your marketing lists are up to date

Only include people on your list who have given genuine lawful consent, or whom you have a legitimate interest in contacting (e.g. existing customers on a ‘soft opt-in’ basis). There is no point having someone on your marketing list who has shown no interest in your company in years. You can read more about this in our article last month.

2. Review your marketing activity and relevant consents

For each person, or data subject, you must ensure that you can show the consent you have, and evidence of this consent being given.

3. Don’t neglect internal communication

It’s not uncommon for businesses to market to their own employees, like a retail store offering staff discount on its products. The same external legal need for consent applies internally.

4. Create a suppression list

It is just as important to create a list of those who’ve opted out of receiving direct marketing, making sure they are no longer contacted by your organisation.

5. Consider entering the Corporate Telephone Preference Service (CTPS)

If you don’t want your business to receive unsolicited marketing calls, register your company on the CTPS and prevent unwanted phone calls.

As Facebook has shown, it pays to make sure your personal data is managed properly and GDPR is here to help.
