A Guide To Data Protections & Direct Marketing
Reasons to choose Wilson Browne
Direct marketing can be an effective way to promote your products and services, build customer relationships, and generate new business opportunities.
However, businesses must ensure that their marketing activities comply with data protection and privacy laws.
Whether you are collecting customer information, sending marketing emails, purchasing marketing databases, or working with third-party providers, understanding your legal obligations is essential.
This guide outlines the key data protection considerations businesses should keep in mind when carrying out direct marketing activities.
On this page:
- Why Data Protection Compliance Matters
- What Customer Data Must Be Protected?
- Collecting Customer Data for Marketing
- Storing Customer Data Securely
- Managing Marketing Preferences
- Sending Marketing Communications
- Using Purchased Marketing Databases
- Sharing Customer Data with Third Parties
- Selling or Transferring Customer Databases
- How We Can Help
- Frequently Asked Questions (FAQs)
Why Data Protection Compliance Matters
Failure to comply with data protection and marketing regulations can have significant consequences for businesses.
Potential risks include:
- Financial penalties.
- Regulatory investigations.
- Reputational damage.
- Loss of customer trust.
- Restrictions on future marketing activities.
- Potential criminal liability in certain circumstances.
- Removal from industry or trade body memberships.
Implementing compliant marketing practices from the outset can help protect your business and maintain customer confidence.
What Customer Data Must Be Protected?
Personal data includes any information that can identify an individual, either directly or indirectly.
Examples include:
- Postal addresses.
- Email addresses.
- Telephone numbers.
- Customer account information.
- Online identifiers.
Personal data held electronically or within organised filing systems must be protected and handled appropriately.
Collecting Customer Data for Marketing
Have a Lawful Reason for Collecting Data
Businesses should only collect personal information where they have a legitimate reason for doing so.
For example:
- Providing requested information.
- Supplying products or services.
- Sending relevant marketing communications.
- Managing customer relationships.
Be Transparent About How Data Will Be Used
Individuals should be informed about how their information will be collected, stored, and used.
This is typically achieved through a Privacy Notice (sometimes referred to as a Fair Processing Notice).
A Privacy Notice should explain:
- What information is being collected.
- Why it is being collected.
- How it will be used.
- Whether it will be shared with third parties.
- How individuals can exercise their rights.
Businesses collecting data through a website should ensure that a clear and accessible privacy notice is available.
Collecting Sensitive Financial Information
If your business intends to collect payment card information, bank account details, or other sensitive financial data, additional security and compliance measures may be required.
Legal advice should be sought where appropriate.
Storing Customer Data Securely
Businesses must take appropriate steps to protect customer information from unauthorised access, loss, misuse, or disclosure.
Good practice includes:
- Limiting access to authorised personnel.
- Using secure systems and passwords.
- Encrypting sensitive data where appropriate.
- Minimising data stored on mobile devices.
- Regularly reviewing data security procedures.
Keep Data Accurate and Up to Date
Customer databases should be reviewed regularly to ensure information remains accurate and relevant.
Outdated or inaccurate information should be corrected or deleted where appropriate.
Do Not Retain Data Longer Than Necessary
Personal data should only be retained for as long as it is needed for the purpose for which it was collected.
Businesses should have clear retention policies in place and ensure records are deleted when no longer required.
Managing Marketing Preferences
Offering Opt-In and Opt-Out Choices
Individuals should be given clear opportunities to choose whether they wish to receive marketing communications.
Businesses should make it easy for recipients to:
- Subscribe to marketing communications.
- Withdraw consent.
- Update preferences.
- Unsubscribe at any time.
Unsubscribe mechanisms should be simple and effective.
Maintaining Suppression Lists
Where an individual opts out of marketing communications, businesses should retain enough information to ensure they are not contacted again for marketing purposes.
This process is commonly referred to as maintaining a suppression list.
Simply deleting customer details may increase the risk of contacting them again in the future.
Avoid Pre-Ticked Consent Boxes
Consent should be obtained through a clear affirmative action.
Examples include:
- Ticking an unchecked consent box.
- Completing a consent form.
- Selecting marketing preferences online.
Pre-ticked boxes or assumptions based on silence are unlikely to provide valid consent.
Sending Marketing Communications
Marketing by Post and Telephone
Businesses may generally send marketing communications by post or telephone unless the recipient has opted out or registered with a relevant preference service.
Before launching campaigns, businesses should check applicable preference registers and suppression lists.
Marketing by Email, SMS and Fax
Additional rules apply when sending electronic marketing communications.
In many circumstances, businesses will require consent before sending marketing messages to individuals.
Before sending electronic marketing communications, businesses should ensure:
- Appropriate consent has been obtained where required.
- Marketing preferences have been checked.
- Opt-out requests have been respected.
Understanding the Soft Opt-In
Businesses may be able to rely on the “soft opt-in” in certain circumstances.
This can apply where:
- Customer details were obtained during a sale or genuine sales enquiry.
- Marketing relates to similar products or services.
- The customer was given the opportunity to opt out when their details were collected.
- An opt-out option is provided in each subsequent communication.
Businesses should ensure they meet all relevant requirements before relying on the soft opt-in exemption.
Using Purchased Marketing Databases
Purchased databases can present significant compliance risks.
Before using externally sourced data, businesses should:
- Verify how the data was collected.
- Confirm the marketing permissions obtained.
- Review contractual rights relating to the data.
- Check suppression lists and preference registers.
- Provide appropriate privacy information to individuals.
Legal advice should be sought before purchasing or using third-party marketing databases.
Sharing Customer Data with Third Parties
Businesses sometimes engage third-party providers to assist with marketing activities, including:
- Call centres.
- Marketing agencies.
- Fulfilment houses.
- CRM providers.
- Data processors.
Before granting access to customer information, businesses should ensure that appropriate contractual safeguards are in place covering:
- Data security.
- Data processing obligations.
- Compliance responsibilities.
The business remains responsible for protecting customer data even where processing activities are outsourced.
Selling or Transferring Customer Databases
Businesses may sometimes transfer customer databases as part of:
- Business sales.
- Mergers and acquisitions.
- Corporate restructures.
However, such transfers must be carefully assessed to ensure compliance with data protection laws and customer expectations.
Professional legal advice should always be obtained before selling or transferring customer data.
How We Can Help
Direct marketing compliance can be complex, particularly where businesses are collecting customer data, purchasing databases, outsourcing marketing functions, or conducting large-scale marketing campaigns.
Our Corporate and Commercial team can advise on:
- Data protection compliance.
- Privacy notices.
- Marketing consent requirements.
- Data sharing agreements.
- Database transfers.
- Marketing campaigns.
- Third-party processing arrangements.
Obtaining advice at an early stage can help reduce risk and ensure your marketing activities remain compliant.
Frequently Asked Questions (FAQs)
Do I need consent to send every marketing communication?
Not always. The rules depend on the type of communication, the recipient, how their details were obtained, and whether any exemptions apply.
What is the difference between consent and legitimate interests?
Consent requires a clear affirmative indication from an individual agreeing to receive marketing. Legitimate interests may provide an alternative lawful basis for certain processing activities, depending on the circumstances and balancing exercise carried out.
Can I market to existing customers?
Potentially, yes. Existing customer relationships may allow certain marketing communications, particularly where the soft opt-in applies. However, businesses should ensure all legal requirements are met.
What is a suppression list?
A suppression list is a record of individuals who have opted out of receiving marketing communications. It helps businesses ensure that future marketing is not sent to those individuals.
Can I buy a marketing database and use it immediately?
Not necessarily. Before using purchased data, businesses should verify that appropriate permissions have been obtained and that the data can legally be used for the intended marketing activities.
How often should customer databases be reviewed?
Businesses should regularly review databases to ensure information remains accurate, up to date, and relevant for the purpose for which it is being used.
What should I do if someone asks to stop receiving marketing communications?
The request should be actioned promptly and the individual’s details added to any relevant suppression lists to prevent future marketing communications.
Can I share customer information with a marketing agency?
Yes, but appropriate contractual protections and data processing arrangements should be in place before any customer information is shared.
What happens if my business breaches data protection laws?
Depending on the circumstances, businesses may face regulatory action, financial penalties, compensation claims, reputational damage, and loss of customer trust.
When should legal advice be sought?
Legal advice is recommended when collecting large volumes of customer data, purchasing databases, launching significant marketing campaigns, sharing data with third parties, or transferring customer information as part of a business transaction.