If you are gathering, storing, using or otherwise processing information about customers, potential customers or suppliers, you must comply with the Data Protection Act 2018 and, in particular, with the six data protection principles. These require that:
- the processing of personal data must be lawful and fair
- the purpose for which personal data is collected must be specified, explicit and legitimate, and not be processed in a manner that is incompatible with the purpose for which it was collected
- personal data processed must be adequate, relevant and not excessive
- personal data processed must be accurate and, where necessary, kept up to date
- personal data processed must be kept for no longer than is necessary for the purpose for which it is being processed
- personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures
You must also:
- have permission to hold third-party information; and
- check whether you need to register with the Information Commissioner’s Office.
The General Data Protection Regulation (GDPR) came into effect in the UK on 25 May 2018. Alongside the Data Protection Act 2018, the GDPR introduces new rules on processing and safeguarding personal data.
Read more about privacy and data protection in marketing.
Privacy and electronic communications
The Privacy and Electronic Communications Regulations require you to get individuals' opt-in consent before sending them marketing emails, unless they've already shown interest in similar products or services and have met the requirements of the ‘soft opt-in’ rule. Namely, the individuals are customers of your business, were given the opportunity to opt out of marketing emails when you first gathered their data and are given the opportunity to do so at each subsequent communication, and any marketing emails relate solely to similar products or services in which they are interested.
The law also covers contacting sole traders and unincorporated partnerships. You can send unsolicited marketing emails to companies or individuals within companies - though doing so may not be good for your reputation and you will need to ensure that this is in compliance with GDPR.
Individuals and businesses may prefer not to be contacted by your business unless they have given their consent for you to do so. If you are selling or marketing using post, phone, fax or email, you should check to see if anyone you intend to contact does not want to be approached in this way and keep a record of this. You can do this by:
- getting your call list cleaned by a list cleaning company
- checking numbers online on the Telephone Preference Service (TPS) website
- buying a licence for the area or time period you require
Anyone opting out of receiving direct mail may have registered through the TPS, the Mailing Preference Service (MPS), the Fax Preference Service (FPS) or the Corporate Telephone Preference Service (CTPS). The CTPS represents corporate bodies, schools, government departments and agencies, hospitals and other public bodies.
It is illegal to communicate by telephone or fax with anyone registered with the TPS or FPS if you do not have their consent first. It is also illegal to send unsolicited email messages to individuals unless they have consented to receiving information from you. There are some exemptions to this. Read more about email marketing.
As with all marketing, you must be honest and accurate about the goods and services you offer.