How to keep your marketing GDPR compliant

In partnership with the UK Domain, we explain how to keep your business marketing GDPR compliant, whichever modes of communication you use

The General Data Protection Regulation (GDPR) likely impacts most of  your staff, but marketing is one of the departments which has the most direct contact with customers meaning it’s an area more likely to encounter the legislation day-to-day.

It seems that the  lack of understanding when it comes to GDPR within the marketing industry is worrying. The Chartered Institute of Marketing (CIM)’s report, Whose data is it anyway?, found that 41 per cent of marketers admit to not fully understanding both the law and best practice around the use of customers’ personal data.

But now that we’re over two years into GDPR and the Information Commissioner’s Office (ICO) is being less lenient with violations, it’s vital that marketing professionals know exactly how to stay compliant with GDPR.

What is GDPR?

GDPR is a regulation within EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It is now part of UK law under the Data Protection Act 2018 so Brexit will not mean that the personal data protections no longer apply. The aim of the legislation is to protect citizens’ personal data within the EU.

How does GDPR apply to different parts of my marketing strategy?

It really depends what marketing you do and who it’s targeted at. With this in mind, we’ve identified some more specific marketing activities below and looked at how GDPR impacts them. As GDPR applies to both business-to-consumer (B2C) and business-to-business (B2B) marketing, we’ve also included the rule differences between each below.

It’s important to note that sole traders and certain partnerships are seen as individuals. A corporate body can be a Scottish partnership, limited liability partnership or government body. ‘Companies’ applies to all other businesses.

Emails or text

Individuals, sole traders and partnerships (B2C): Consumers must give you explicit consent to receive marketing and communications emails. This could be by ticking an opt-in box, for example.

One grey area here is ‘refer a friend’ schemes, where a friend will recommend another friend for a service or deal. It could also be for a group booking where the business sends each member of the party unique confirmation emails to the addresses given to the business by the original friend. As the business will need to contact the friend(s) with a confirmation or discount, they will have to email them. This can be justified under legitimate interest as it fulfils the transaction. It is important to note that the business does not have consent to send any further emails and must then delete the contact details of the friend.

Companies and corporate bodies (B2B): You can email or text any corporate body – but do keep a ‘do not email’ list. This list should include any businesses that object or opt out. Mention whether they’ve specifically opted in, say with an opt-in box as mentioned before, and what type of messages this consent covers.

Live calls

Individuals, sole traders and partnerships (B2C): On the calls front, you can contact anybody who isn’t listed on the telephone preference service (TPS) or the corporate telephone preference service (CTPS). However, if they have objected to your calls in the past you do not have consent, and you cannot call to market claims management services – calls for this require express consent.

Companies and corporate bodies (B2B): The same applies to B2B marketing.

Recorded calls

Individuals, sole traders and partnerships (B2C): Be careful about recorded calls. You can’t call an individual with an automated message unless they’ve given permission to receive this kind of message.

Companies and corporate bodies (B2B): Again, the same applies to B2B marketing.


Individuals, sole traders and partnerships (B2C): The consumer must have given sender-specific consent to receive marketing faxes.

Companies and corporate bodies (B2B): Marketers should look at the Fax Preference Service (FPS); businesses can opt out of communications at any time too.

Business cards

Individuals, sole traders and partnerships (B2C): GDPR applies if you intend to file business cards, put the details into a computer system or use the contact details for purposes other than those for which they were provided.

Companies and corporate bodies (B2B): Same as above.


Individuals, sole traders and partnerships (B2C): The name must have been obtained without breach of personal data legislation and people must have the option to opt out.

Companies and corporate bodies (B2B): You can mail corporate bodies and individual employees must be able to opt out.

What about social media?

Social media marketers have to be careful as they face a different set of challenges.

If you haven’t done so already, carry out a social media audit to find out what data you hold on each user, where it came from, whom you share it with and whether you have consent to use it. Take a look at what third-party providers you use and make sure they’re compliant with GDPR too.

Each social media advertising feature has its own set of rules (e.g. Facebook Lead Ads, LinkedIn Sponsored InMail, Pinterest Tags) so it’s best to check with each feature.

Much depends upon the privacy notice that users see when they first visit your website. If you want to contact a user outside of the social media platform, you need to make it very clear in your privacy policy that you may do so.

A note on third-party platforms

Similarly, you must have consent to place a cookie in a user’s browser if you’re doing affiliate marketing. You need to get permission before the person clicks the link.

If you have ads from a third-party ad server, users must consent to this. If your ad server collects data for targeting purposes, inform users that this is how it’s going to be used upfront too. On the topic of third-party providers, if you use sponsored content and the company uses cookies or retargeting data, you’ll have to flag that in your privacy policy too.

Those who are using Google Analytics might be collecting user ID and hashed personal data, IP addresses, cookies or behaviour profiling without realising it. To remain complaint with GDPR, you must either anonymise the data before storage and processing begin or add an overlay to the site that gives notice of the use of cookies and asks for the user’s permission before entering the site.

Is GDPR a replacement for Privacy Electronic Communications Regulations (PECR)?

No, GDPR does not replace PECR. Rather, it sits alongside PECR and you must comply with both.

PECR gives people specific privacy rights in relation to communications. There are specific rules on:

  • Marketing calls, emails, texts and faxes
  • Cookies (and similar technologies)
  • Keeping communication services secure
  • Customer privacy in regards to traffic and location data, itemised billing, line identification and directory listing

Some of the rules only apply to organisations that provide a public electronic communications network or service. But even if you are not a network or service provider, PECR will apply to you if you market by phone, email, text or fax; use cookies or a similar technology on your website; or compile a telephone directory (or a similar public directory).

How should I know which areas to target for GDPR compliance?

Start by looking at what your marketing offer is at present. Break it down and audit every part of it. You should be asking:

  • What personal data do I have on users?
  • Do I have more information than is necessary for the needs of my business?
  • Can I prove their consent?

The key is to only hold the essential data you need and to make it  easy to opt out. There is no official length of time you can keep data for but generally you should keep it for the shortest period possible. This period of time should be set out to the user when they give their consent. In any case, once the data is no longer fulfilling its original purpose, it’s time to get rid of it.

If you don’t have evidence of a user’s consent, it’s best to remove them from your database. A good solution for keeping track of customer preferences could be to manage them in a Customer Relationship Management (CRM) system. Just ensure that any personal data you hold is securely held.

For more information on GDPR, visit the Information Commissioner’s Office (ICO) website or the UK Domain’s guide on GDPR for small businesses.

This article was brought to you in partnership with the UK Domain.

Read more

What businesses need to know about legitimate interest under GDPR

Avatar photo

Anna Jordan

Anna is Senior Reporter, covering topics affecting SMEs such as grant funding, managing employees and the day-to-day running of a business.

Related Topics