Skip to content
Northern Powerhouse European Union
Business Strategy

Direct Marketing - current Acts and Regulations and the impact of the GDPR?

With the General Data Protection Regulation (GDPR) coming into force in the UK on 25 May 2018, Senior Associate Solicitor at Stephensons, Stuart Cook, comments on the current Regulations and impact of GDPR. 


In order to comply with the current legislation, marketers must have a good understanding and apply the rules laid out by:

  • The Data Protection Act 1998 (the DPA) which is based around eight principles of good information handling
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)

The latter, PECR, gives marketers specific rules concerning the sending of marketing emails, text messages or conducting telemarketing calls. Many businesses are currently consumed with complying with the GDPR (the new Data Protection Act), but they should not ignore PECR as this will continue to work alongside the new Data Protection Act.

The Act and Regulation define what is considered unsolicited communication and what is and is not acceptable in terms of Direct Marketing. The current Data Protection Act 1998 defines Direct Marketing as, “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.

The new regulations are more far-reaching as they also govern the practice of data processors as well as controllers. The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

What does this practically mean for day to day marketing communications?

In order to process data for marketing purposes under the new the GDPR, there are 6 lawful bases for doing so. However, in order to conduct marketing activity, the two lawful bases marketers should primarily concern themselves with are Consent and Legitimate interest. Remember though, that when applying these lawful bases in practice, certain criteria need to be met.

Are there scenarios in which soft-opt in still exists?

There is different treatment for business contacts as opposed to individual contacts. If the contact details relate to a business e-mail address, in most instances you can market to them as long as the individual’s name cannot be identified. If for instance, the e-mail address is info@an organisation’s name and not a personal e-mail account e.g, you can market to them as they are not a sole trader or a partnership and opt-out options are given.

You can also send communications for marketing purposes if you have obtained the contact details in the course of a sale (or negotiations of a sale) of a product or service, however, , for soft opt-in to apply, what is being marketed needs to relate to the core product or service offering

This means that you can, in these circumstances, send electronic communications to your clients and customers without consent. It does not mean that you can send marketing messages to prospects or third party supplied lists or not for profit organisations.

When can you apply the lawful basis of legitimate interest?

The ICO say there are three main tests that have to be established:

  • legitimate interest
  • necessity test
  • a balance with individuals’ interests, rights and freedoms

Legitimate interest is unique out of the 6 lawful bases as it is the only ground that is not focused on a purpose. Its application is wider than the other grounds, businesses need to demonstrate accountability and transparency by documenting how they have defined that contacts can be marketed to and that they have balanced their legitimate interest and the necessity of processing the personal data against the interests, rights and freedoms of the individual.

When is consent required to market?

If the scenarios for soft opt-in outlined above cannot be met and you want a less subjective lawful ground than legitimate interest, express Consent must be sought before any marketing communications can be sent.

Market research is not considered direct marketing but research companies must still ensure data is treated fairly, securely and only for research purposes. Businesses and marketers must not be tempted to try and label their communication research when in fact there is still an element of selling in the message. For instance, if a client survey questionnaire is sent out and it asks clients as part of it to tick other services they are interested in, they are in fact cross-selling. To label this activity as research would be incorrect it is in fact what is termed ‘sugging’.

The starting point for marketers is to carry out an information audit, define the roles of processors and controllers with their suppliers and to assess the criteria of when soft in can be relied upon, when consent is needed and if the three-part test can successfully be applied to document legitimate interest as the ground for communication. Having clear documentation defining all the stakeholder types communicated with and the lawful grounds relied upon for communicating with them together with the rational for the same is crucial.


Does your business fully understand the requirements and impacts of GDPR? Register for our fully funded workshops in Wigan, Manchester and Stockport and ensure you're prepared.

GDPR – An Introduction

Is your business GDPR ready? During this half-day workshop you will explore the legal requirements of GDPR and uncover what this means for all elements of your business.

Date: 1st May 2018
Format: Workshops
Location: The Edge, Wigan
Time: 9:00am - 1:00pm


GDPR – An Introduction

Is your business GDPR compliant? During this half-day workshop you will explore the legal requirements of GDPR and uncover what this means for all elements of your business.

Date: 31st May 2018
Format: Workshops
Location: Holiday Inn, Bolton Centre, BL1 2EW
Time: 9:00am - 1:00pm


GDPR – An Introduction

Is your business GDPR ready? During this half-day workshop you will explore the legal requirements of GDPR and uncover what this means for all elements of your business.

Date: 9th May 2018
Format: Workshops
Location: Stockport Business & Innovation Centre, Stockport
Time: 9:00am - 1:00pm

The content of the blog is for general guidance only and should not therefore be regarded as constituting legal or other advice or an offer to provide legal services and should not be relied on as such. Content relating to the law and legal developments featured in the blog are based upon the laws of England and Wales unless otherwise expressly stated. If you need legal advice on a specific matter please contact us.
Stephensons Solicitors LLP makes no warranties, representations or undertakings about:-
A: any of the content of this Site (including, without limitation, any as to the quality, accuracy, completeness or fitness for any particular purpose of such content); or
B: any content of any other website referred to or accessed by hypertext link through this Site ("3rd party site").
Stephensons Solicitors LLP does not endorse or approve the content of any 3rd party site, nor will Stephensons Solicitors LLP have any liability in connection with any of them (including, but not limited to, liability arising out of any allegation that the content of any 3rd party site infringes any law or the rights of any person or entity).
The content and design of this blog are subject to copyright owned by Stephensons Solicitors LLP. Reproduction of part or all of the contents in any form is prohibited, unless for non-commercial private use.

Share this post

Stuart Crook

Stuart Crook , Senior Associate Solicitor, Stephensons