Irrespective of any exit from the European Union, the UK will adopt the General Data Protection Regulation (GDPR) governing the collection and use of personal data, as well as the new ePrivacy Regulation. Though GDPR is not likely to come into force until next year, businesses are advised that their actions should already comply. In other words, companies need to be looking at this right now – particularly regarding customer consent to be a marketing target.

The existing legislation

Currently, businesses need to abide by the 1998 Data Protection Act and the 2003 directive on privacy and electronic communications regulations (PECR). Both predate the first iPhone (2007) by some years and we are therefore overdue for an upgrade.

Consequences for non-compliance

The consequences for failing to comply are not just hefty fines. Businesses could find themselves unable to use their database because they are not able to demonstrate lawful, informed, freely given consent that a customer’s personal data can be used for a specific purpose, such as email marketing.

What it covers

GDPR is not just about the security of customers’ personal data. It also governs its acquisition, legal requirements for corporate processes and data storage, in addition to aspects of its use such as fairness, transparency and the consent of the customer to be a marketing target. Direct marketing (digital or traditional) will therefore be significantly affected.

A lack of knowledge is not an excuse

A lack of knowledge is not an excuse. Nationwide and First Financial were recently fined a total of £300k for unsolicited marketing, and TalkTalk were fined £400k in 2016 for a variety of inadequacies relating to the use of customers’ personal data. “Bundled” consent with other matters such as might make your company happy but that won’t please the regulator when they come knocking. For example, data acquired from badge scanning at a trade show (note the involvement of an intermediate third party) or a list of attendees supplied by a conference may well not be backed up with specific consent to be used for direct marketing purposes. Schoolboy errors abound. FlyBe and Honda were recently punished under existing legislation for emailing customers to ask for the consent they should already have had in order to send the email in the first place!

So what to do?

We can map the data flow into and around your marketing activities and help create a plan to achieve compliance. It might not be quite as easy as you think. For example, does your website use a plugin which means your customers’ data gets routed to the USA and back again? Or can your partners (e.g. marketing and web design agencies) demonstrate compliance with all the relevant aspects of legislation when handling your customer data? It’s not quite as easy as you might think. In fact, you may find you’ve got some tough decisions to make…

Drop us a line at

Please note – this information is not legal advice. Please consult legal counsel before taking action relating to the law.