How will new data protection rules affect your marketing campaign?

17 April, 2018

Businesses that don’t comply with new data protection rules face hefty fines, warns Elliot Fry, a commercial solicitor at law firm Cripps Pemberton Greenish.


The General Data Protection Regulation (GDPR) comes into force in May this year, replacing the existing Data Protection Act 1998. It governs the use of personal data, and will affect out of home food businesses in a number of ways, including in relation to their marketing campaigns. While it’s unlikely to be relevant to indirect marketing (such as television spots, flyers and print ads), direct marketing (such as sending special offers by email, text or post) will inevitably use personal data, and so will come within the scope of the new rules (which are generally a lot tougher than before). If your marketing breaches the new rules, the maximum penalties under GDPR will be significantly higher (rising from £500,000 to €20m or 4% of worldwide turnover), so it’s worth making absolutely sure your campaign is compliant.


While the GDPR is EU law, the UK government has already produced a draft domestic version, so businesses shouldn’t dismiss GDPR on the basis of Brexit. 


Electronic marketing

Current law already requires businesses to have an individual’s consent before sending marketing emails or texts. The GDPR raises the bar for the standard of that consent though, and you will need to ensure the consent complies with GDPR requirements, even for historic data. It will be harder to claim that a general consent will stretch to cover marketing from third parties, so you should check any bought-in lists are compliant.


If you’ve obtained the individual’s details in the course of selling them a product, then you can send them texts and emails for similar products (or services) without opt-in consent. However, you must have given them an opportunity to easily opt out of that marketing at the point when you collected their details, and in every message you send after that. This is known as the “soft opt-in” and will continue under the GDPR.


Whichever route you take, you should ensure you have a record of the consent or “soft opt-in” to show you are entitled to market to the individual.


Consent will not generally be required for electronic marketing sent to companies, but marketers must still respect any request by individual employees to not send electronic marketing to their personal corporate email addresses.


Postal marketing

Postal marketing is subject to a different standard. As with electronic marketing, any requests to be taken off a mailing list must be complied with, and you’re advised to clean any mailing lists against the Mailing Preference System (MPS). Although GDPR consent will not generally be required to send postal marketing to existing customers, any bought-in lists should still be scrutinised to ensure the appropriate level of consent has been obtained from individuals.


The bottom line

Any direct marketing campaign needs to be carefully considered to ensure you have the appropriate consent or other basis to send out marketing materials to your audience (remember, asking for permission to send marketing material is itself a marketing message). It’s also worth considering whether any of your online advertising is done on a targeted basis, as this is likely to involve the use of personal data.


For further information about GDPR, contact Elliot Fry at

This article first appeared in Out Of Home magazine.