*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

Direct Marketing Code of Practice – make sure you’re ready.

norm phone

As required by the Data Protection Act 2018, this new code will supersede the ICO’s existing Direct Marketing Guidance. The aim is to provide practical guidance and promote good practice in respect of processing for direct marketing purposes in compliance with data protection and e-privacy rules.

The ICO states that it intends the new code to apply to all processing activities that lead up to, enable or support the sending of direct marketing by an organisation or a third party. Examples the ICO has selected include:

  • Collecting personal data to build a profile of an individual with the intention to target advertising at them;
  • List brokering;
  • Data enrichment; and
  • Audience segmenting.

Whilst the publication date of the new code is unknown, here are a few of the key takeaways from the current draft:

  1. Sending direct marketing messages.
    No matter which method is used for sending direct marketing messages, the GDPR will apply when personal data is processed.
  2. Social media platforms.
    When using a social media presence to target direct marketing at individuals or using the platform’s advertising services and technologies, there will be a need to be clear about what data is being used and why.
  3. Tracking.
    The use of location-based marketing techniques must be transparent. People should also be told about the tracking. This is likely to be of significance for AdTech.
  4. Viral marketing (“tell a friend campaigns”).
    Viral marketing is likely to breach the Privacy and Electronic Communications Regulations 2003 (PECR) as it is almost impossible to obtain consent, particularly as the instigating organisation has no direct contact with the ultimate recipients, will not know what the referring individual has told their friends about the processing and will not be able to verify whether the friend provided GDPR standard consent.
  5. Publicly available information.
    Someone posting their details on social media or other public forums does not, by soing so, agree to his/her content being used for direct marketing purposes. (This means that if an organisation collects publicly available personal data, it must still comply with the GDPR and PECR).

Why is this important?

Once adopted, the ICO says it will monitor compliance with the new code through proactive audits.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group