Guidance regarding marketing and data protection
This guidance is intended for all University staff who maintain or use databases of contacts for ‘marketing’ purposes, including publicising events and programmes, fundraising, alumni activities and offering goods for sale.
Direct marketing only applies to targeting named individuals – for example, letters addressed to ‘the occupier’ would not qualify. It applies to communicating the advertising or marketing of commercial products or services; it also applies to fundraising, and includes all messages promoting an organisation or its values or beliefs. This could include information promoting University events such as conferences, or opportunities for students. Direct marketing covers all forms of communication, such as marketing by letter, telephone, email and other forms of electronic messages. It is also important to note that any activity where the ultimate aim is to send marketing, i.e. activities that lead up to, enable or support the sending of direct marketing, is already considered part of your direct marketing. Examples are lead generation, data enrichment, matching or screening.
Requirements for all forms of marketing
Any personal details collected and held for direct marketing purposes must comply with the data protection principles. This means that you must always:
- Inform data subjects in your privacy notice that you will use their personal data for marketing purposes, and of the way they will be contacted (letter, telephone…)
- Have a legal basis for processing the data
- Not keep the information for longer than necessary
- Hold the information securely.
If you have acquired contact details from a third party for marketing, you must check the following:
- What information about the use of the data was provided at the time the data was collected?
- Did the individuals indicate any preferences about their means of contact?
- How have unsubscribe requests been handled?
- How has the list been kept up-to-date?
If you have collected personal data from public sources such as LinkedIn or other websites, you must provide privacy information when you first communicate with the individual, but no later than one month from the date of collection. You cannot assume that simply because an individual has put their personal data into the public domain, they agree to being contacted for direct marketing.
If you want to rely on the so-called ‘disproportionate effort’ exemption, you must assess and document whether there is a proportionate balance between the effort involved for you to provide privacy information and the effect the processing has on the individual. The more significant the effect is likely to be, the less likely it is that you can rely on this exemption.
The law distinguishes between direct marketing using electronic means and non-electronic means and has different requirements for both. Currently, ‘electronic means’ covers the use of email and text messaging.
Marketing by non-electronic means:
Marketing by letter
If you intend to send marketing information to named individuals by letter, you can rely on ‘legitimate interest’ as your legal basis. All letters must include clear information on the identity and contact details of the data controller. Data subjects must also be made aware in every letter that they can object to the processing and given information on how to do this, i.e. that they can ‘opt out’ of receiving further letters by phoning a free number or sending an email.
Marketing by telephone
If you intend to contact individuals for marketing purposes by telephone, you can also rely on ‘legitimate interest’ as your legal basis. In all calls, staff must identify themselves and, if requested, provide an address or telephone number on which they can be reached. Data subjects must also be made aware during every telephone call that they can object to the processing by phoning a free number or sending an email, i.e. that they can ‘opt out’ of receiving further calls.
Before making a telephone call, you will always need to make sure that the individuals are not registered with the Telephone Preference Service. If they are, you cannot rely on ‘legitimate interest’ but will need consent to contact them.
You can check here:
Marketing by electronic means
In addition to GDPR, the Privacy and Electronic Communications Regulations 2003 (PECR) regulate in detail the use of electronic communications for marketing, such as by email or text messages (SMS). PECR is due to be replaced at some point by a new European ePrivacy Regulation (ePR). At this time it is unclear whether this will happen before the end of the transition period. If it happens afterwards, it is unclear whether the UK will adopt the new Regulation.
Electronic marketing to private individuals can only be done with consent as the legal basis. Consent must be ‘opt-in’, must fulfil the GDPR requirements for consent, and any direct marketing messages should only be sent to those people who have in fact opted in to receiving such communications. All subsequent marketing communications must contain an option to opt out of receiving further communications with details of how to do so, such as an ‘unsubscribe’ link at the bottom of an email. If you receive an opt-out request in relation to marketing, you must comply as soon as possible. There are no exceptions to this.
When requesting consent, it is good practice to request consent separately for different forms of communication, i.e. whether individuals agree to be contacted via post, telephone or email. This is because the different forms of communication are covered by different legislation.
One exception to the need to obtain prior consent is the so-called ‘soft opt-in’, which is based on ‘legitimate interest’. Soft opt-in can be used in situations where you have a pre-existing commercial relationship with the individual: the individual has bought goods from you before, has used services you offer, has attended and paid for an event you have organised, or has been in negotiations with you about any of these. In these cases, you can market similar goods, services or events to the individual without consent. However, you must have informed people when you collect their data that there will be marketing and that they can opt out.
Also, this will only ever apply to commercial activities, i.e. where payment has been involved. It will not apply to, for example, free lectures.
If the individual you wish to market to is a business contact, then you will not need to obtain prior consent. Rather, for so-called ‘business-to-business (B2B)’ marketing, you can rely on legitimate interest as an appropriate legal basis. Business contacts are all individuals who can be considered as representatives of their company, organisation or institution, such as academics from another university or professionals from all sectors. You must, however, provide the possibility to unsubscribe in every email.
Marketing via tracking software through social media