GDPR in Marketing

Market to your customers and stay within the rules

Is your marketing activity legal? We can make sure it is.

Just before GDPR became enforceable in May 2018, marketers panicked. Many abandoned their activity altogether (much to the dismay of their sales teams), decided they needed consent without fully understanding what that meant, or just ignored their obligations altogether thinking they were untouchable or hardly in the scope of the ICO.

None of these demonstrate rational thinking – and they inevitably lead to problems further down the line. Even today, with confidence in marketing on the increase, business owners are cautious as to what they can and cannot do…

If this sounds like the decisions your business has had to make, then give our Privacy Team a call – our marketing specialists are experienced in providing guidance in all kinds of scenarios and can make sure your marketing is both compliant AND successful.

Unlike other areas of your business, marketing is regulated by separate legislation – the Privacy and Electronic Communications Regulations 2003 (PECR).

This legislation outlines how data can be used for electronic marketing – namely email, telephone, SMS (and fax!). Although it has been in force since 2003, many companies are still operating outside of it – and it is the one area in which the ICO is most active in enforcement, particularly around nuisance calls and text messaging.

PECR should not be confused with GDPR

The two complement each other but are entirely separate.

GDPR relates to the initial collection of personal data for a specific purpose, or purposes, which may include marketing if the data subject is aware of this.

PECR relates to the use of personal data for electronic marketing purposes: elements to consider…

Have you obtained the appropriate permissions from the data subject?

  • Can you demonstrate this if challenged?
  • Do your emails have the appropriate headers and footers?
  • Are you calling with a visible CLI?

Since 2003, there have been several amendments to the legislation – each to adjust to market activity and technological demands.

The latest came into force on 15th December 2018 and addressed the issue of companies breaching PECR and closing their business down to avoid paying any enforcement fines – currently up to £500,000.

The latest update means that any Director whose company is found guilty of breaching the PECR legislation will be PERSONALLY liable for a fine of up to £500,000 – irrespective of whether their business is still trading. Of all the Directors we’ve spoken to, not many want to be in that position.

If you’d like more detail on this for your longer-term strategy, get in touch and our marketing specialists will advise and work with you.

How to market

In spring 2018, the common question among marketers was “do I need consent for this marketing?” Many panicked and decided that consent was the best option – ultimately, they LOST the consent for marketing from many people… when they didn’t need it, so their marketing databases were reduced massively for no reason. The other problem is that once you’ve lost consent, getting it back is a challenge.

In many cases, our marketing privacy specialists were able to “rescue” significant amounts of customer and prospect data before the delete button was pressed – much to the relief of Marketing Directors who engaged with us.

This is all thanks to the solid understanding and interpretation of the GDPR that our specialists have – and in particular, being able to apply at least one of the six legal bases of processing to an activity.

For marketing, you need to understand the conditions of consent – Article 7, of the GDPR – and that the use of legitimate interest is not the golden egg that most businesses assume.

Consent – This is typically used when contacting prospects on a B2C basis with whom you have no existing, demonstrable relationship. It also applies when contacting sole traders or partnerships on a B2B basis.

For consent to be valid at the time of data collection, you must satisfy the demands of Article 7, Recital 32 of the GDPR.

Clear & affirmative act by the data subject – Assumed consent (silence) or pre-ticked boxes are not appropriate and will not be valid

Freely given – Not in exchange for a “free offer” or entry to a competition/prize draw

Informed – Told at the time of collection exactly what the marketing activity will entail

Unambiguous decision – there is absolutely no uncertainty as to how the personal data will be used and who it will be shared with – including your business partners, or other advertisers.

You should also give data subjects the option to revoke their consent at any point – and as easily as it was granted.

Consent-based marketing is a hot topic, and an activity that can cause annoyance to those on the receiving end and potentially lead to complaints to the ICO under GDPR or PECR. It therefore makes sense to engage an independent specialist to review and sign the activity off ahead of going live.

Either that or you have a conversation with your Board about the six-figure fine they need to pay.

Legitimate Interest – This can be used when contacting individuals on a B2B level (corporates or limited companies only), or when you have an existing relationship with a customer – but there are exceptions to this… our experts will explain this in full to you.

Far from being the “golden egg” and an “easy option”, you are responsible for PROVING to anyone you contact using legitimate interest that you have a right to do this. If you don’t, or you cannot prove it, then your activity is unlawful and potentially a breach of both GDPR and PECR – there have been instances of this in the past.

Legitimate interest is a balancing act – you must be able to prove to the recipient that it is as much in their interest to hear about your product/service as it is for you to use their personal data to promote via that channel. This is achieved by completing a Legitimate Interest Assessment (LIA) document.

In the event of a complaint from the recipient, or from the ICO, this LIA document will be key to proving to the complainant or the regulator that you have considered your approach and you are right to make contact. Going forward, however, this contact should be removed from your outbound activity.

Our specialists are experienced in preparing LIAs and helping companies demonstrate why their marketing approach is reasonable, so allow us to guide you through this process.

Third Party Data – If you purchase data from third parties – brokers, or data owners directly – then ensure you conduct the appropriate due diligence on these organisations. As a word of warning, many claim their activities are “GDPR compliant”, but very few can demonstrate this sufficiently.

Under the GDPR, as the data controller, you are responsible for your supply chain, which includes purchasing third-party data.

If the data has not been collected appropriately, or there have been failings in the transparency principle during the collection phase, then the use of the data could be unlawful – for which you will be liable due to inadequate due diligence. In most cases, a large fine will be imposed, putting pressure on the business and giving your outbound marketing operations unwanted bad press.

Our marketing specialists have many years of experience in conducting due diligence on third-party suppliers, so Privacy Helper can either reassure you or advise against specific data purchases.

Such is the varied nature of our work with marketing teams that our specialists have:

SAVED many thousands of records from being deleted – simply by identifying the correct legal basis of processing: legitimate interest, rather than consent.

HELPED devise major marketing campaigns that satisfy all elements of the legislation – both GDPR and PECR. In the event of any complaints, these can be handled swiftly and professionally in the knowledge that the company has done nothing wrong.

HELPED several businesses respond to ICO complaints regarding their outbound marketing activity. Our technical knowledge of the activity meant we were able to respond to the letter on behalf of our client, which minimised their risk of further action.

STOPPED a call centre dialling a database due to insufficient opt-ins on the data. The business owner was unaware the data wasn’t appropriate for use, and our guidance directly addressed all the risks of his marketing activity.

WARNED against the use of cookies to track individuals on a website. This information was then used by third-party advertisers – a direct contravention of the new guidelines on the use of cookies.

Get in touch with us today and allow us to act as your outsourced marketing compliance team – expert advice and meaningful updates on legislation as it is announced by the ICO or European regulators, to ensure your marketing operations develop in line with your obligations as a data controller.

As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third-party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged; however, these are all agreed with you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing Gap Analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.