11 May 2018 by Vincent Billings

Direct Marketing and General Data Protection Regulation (GDPR)

The law around direct marketing seems to be an issue that our clients seek clarification on. We will deal with some of the main issues arising from direct marketing practices below.

The main sources of regulation are the GDPR but also the less well known Privacy and Electronic Communications Regulations 2003 (PECR). Please note that the PECR is due to be replaced by new regulations at some point in 2018.

Most direct marketing activities will involve the processing of data and in order to do so you need a “lawful ground” under the GDPR, the two potential lawful grounds are:

  • processing for the purpose of a legitimate interest (for example contacting a former client or customer in relation to an offer) except where the interests are overridden by the data subject, and
  • where the data subject had given consent to receive direct marketing.

Beware however, being able to demonstrate a lawful ground does not give you a blanket right for direct marketing, as data subjects always have the right to object at any time to their data being processed for direct marketing purposes.  The right to object must be brought to the attention of the data subject and presented clearly and separately from other information.

Where the data subject objects you must stop direct marketing to them immediately.

PECR covers all unsolicited marketing in relation to telephone, text messages and emails, The Information Commissioners Office states you must comply with PECR if your business makes unsolicited calls or send unsolicited texts or emails to generate marketing leads, even if the initial message does not include any sales or promotional material. Any unsolicited calls, texts or emails made for direct marketing purposes are covered and will require you to obtain consent.

What is permitted by PECR depends on whether your direct marketing activity is aimed at a business or an individual.  The rules are generally stricter for marketing to individuals than for marketing to businesses. Generally, you cannot:

  • make unsolicited marketing calls to numbers registered on the Telephone Preference Service (TPS) or its business equivalent, or to anyone who has told you they do not want to receive your calls (this is already the case under existing laws); and
  • send texts or emails to individuals without their specific consent, save in limited situations where you are marketing similar products or services to existing contacts who have not previously objected and they have a chance to opt-out.

How will the GDPR and/or PECR specifically impact your business?

The answer is that it very much depends on the nature of your business and what data you are collecting and processing – which is why we have created an online questionnaire.

If you haven’t had the chance already and you want to know how the GDPR might specifically impact your business then click the link below to take our free, short and simple questionnaire.

Once completed you will receive an immediate score indicating how at risk your business might be. If you provide us with your contact details one of our lawyers will then contact you direct and provide some pointers as to the practical steps you should be taking to minimise the risk of non-compliance.


Alternatively you can contact our Corporate and Commercial Team to discuss how the GDPR will impact your organisation on 020 7288 4700.

27 April 2018 by

A Poisoned mind? Set the Will aside

Fraudulent calumny, also sometimes known as ‘the poisoning of the mind’, is the name for a specific type of Will […]

27 April 2018 by

Cost revolution at court

This month a quiet revolution was ushered into the English courts. The courts have (for some types of cases) now […]

Signup To Our Weekly e-News

"*" indicates required fields

We’ll never share your details with any third party in line with our privacy policy.