The Information Commissioner is producing a Direct Marketing Code of Practice, as required by the Data Protection Act 2018, which will provide practical guidance on carrying out Direct Marketing in accordance with the requirements of Data Protection Law and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft release is attached.
The Direct Marketing Code of Practice will significantly impact all organisations that use Direct Marketing. It includes clarification on what is considered to be Direct Marketing, the limits of Legitimate Business Interest, Consent, and how to ensure a Data Protection by design approach to marketing activity. It is unlikely that many organisations currently comply fully with this code.
We recommend that all organisations that utilise Direct Marketing, particularly in the form of electronic communications, review their processes in detail to establish if they comply with the proposed new code of practice. You will be impacted if you fall under the following definitions:
- Commercial businesses marketing their products and services.
- Charities and third sector organisations fundraising or promoting their aims and ideals.
- Political parties fundraising or canvassing for votes.
- Public authorities promoting their services or objectives.
- Organisations involved in buying, selling, profiling or enriching personal data for Direct Marketing purposes.
Evolve North are providing a Direct Marketing review and remediation service that delivers the following:
- Identification of current Direct Marketing processes including data gathering, profiling and aggregation.
- Review of the existing legal basis for Direct Marketing, including Legitimate Business Interest, and assessment of whether these are appropriate and in line with Data Protection law.
- Review of privacy notices that cover Direct Marketing.
- Review of any third parties providing Direct Marketing services for you and on your behalf.
- Review of data sharing practices and agreements linked to Direct Marketing.
Outputs will include:
- Risks identified.
- Remediation guidance to assist in compliance with the code of practice.
- Supporting Policy and Procedure where required.
Typical review and remediation engagements are between two and five days. If you require any further information or wish to discuss your concerns about this or any other area of Data Protection or IT Security, please do not hesitate to contact us.