Direct Marketing – Code of Practice

The Information Commissioner’s Office (ICO) issued a draft consultation code of practice in January 2020 regarding  Direct Marketing. It demonstrates the direction of travel in regards to marketing activity conducted by any business with individuals or on a business to business basis using the values and principles put in place by the General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communication Regulation (PECR).

We, at Data Risk Solutions found the following points most pertinent:

  • The code applies if you process personal data for direct marketing purposes. Direct marketing includes the promotion of aims and ideals as well as advertising goods or services. Any method of communication which is directed to individuals could constitute direct marketing.
  • Direct marketing purposes include all processing activities that lead up to, enable or support the sending of direct marketing.
  • In most cases it is unlikely that you will be able to make using an individual’s data for direct marketing purposes a condition of your service or buying your product.
  • The two lawful bases most likely to be applicable to your direct marketing purposes are consent and legitimate interests. However; if PECR requires consent then in practice consent will be your lawful basis under the GDPR.
  • It provides guidelines on use of consent data when obtained from third-parties.
  • The principle of privacy by design and Data Protection Impact Assessment (DPIA’s) will help in making sure that any marketing activity is compliant with data protection regulations.
  • Market research will not constitute direct marketing if you contact individuals to conduct genuine market research (or you contract a research firm to do so).
  • Direct marketing is not limited to the sale of good and services, it also includes fundraising, campaigning and promotional activities. This means that the activities of not-for-profit organisations such as charities and political parties are covered by the direct marketing rules.
  • Further guidance on the use of data received from data brokers and specific due diligence expectations on the Data Controller.
  • Asking existing customers to provide information on their friends and family members for marketing purposes and the difficulties this creates from a consent perspective.
  • Recommendations on managing marketing lists for business to business direct marketing activity, specifically for communications via email or text.
  • More detailed requirements provided for the appropriate use of Cookies and/or similar technologies through your websites, specifically how consent is managed.
  • Location-based marketing techniques must be transparent and clearly tell people about this type of tracking. These are likely to require consent.

In summary; the use of personal information for marketing purposes is a complex field but we at Data Risk Solutions Ltd understand the commercial and business value that such information can create. We therefore recommend an appropriate and balanced approach to direct marketing activity 
and have the expertise to help you achieve this.

For further information or support – please contact us by email ( or phone 0113 873 0209.

Call us on: 0113 8730209 to find out more!

Our team specialise in Data Quality, Regulatory Compliance, Data Governance and Data Protection assignments.