This is the first of a series of articles on the ICO's draft Direct Marketing Code of Practice. The consultation is open until 4 March 2020. We look at why we need a Code of Practice.

Direct marketing: why do we need a code of practice?

Code of Practice

The new Direct Marketing Code of Practice, a statutory code, is a requirement of the Data Protection Act 2018. This is the first time that the marketing and advertising industry has had a set of legal rules. It updates the previous guidance and brings together the requirements under the GDPR and PECR in one place. The draft Code concentrates solely on the processing of personal data for direct marketing purposes.

The draft Code overall is a vast improvement on the previous guidance. It is apparent the ICO has thought carefully about the structure and has taken advice from the industry.

The code takes you through a marketing campaign from initial planning to the communication going out. It looks at the data processing implications for each stage. It is clear that the rules apply not just to the direct marketing communication itself, but to all processing that takes place to create it. So it covers suppliers of personal data, profiling/enrichment services and the sender of the communication.

The Code makes clear the difference between the GDPR and PECR in terms of the type of data each covers. In the past this was not clearly explained. The GDPR only covers the processing of personal data, that is, data about living individuals. PECR covers any data, personal or not. This is often misunderstood, especially in terms of cookies and similar technologies. Even if a cookie only collects non-personal data, for example the number of visits to a particular website, PECR applies.

It is clear the guidance will form the basis of any investigation into non-compliance with data protection rules. What is not clear is the status of the best practice recommendations within the Code. These often go far beyond the legal requirements. It would be useful for the ICO to confirm how it sees best practice. A clear statement that failure to follow these recommendations will not form part of any investigation would be a useful clarification.

The legislation has never defined “direct marketing”, and this is still the position under the GDPR. The ICO have always applied a wide definition, and in the draft Code they confirm their view that it should have wide scope. They also confirm what is important to consider in terms of processing for direct marketing purposes: it is the purpose of the processing, not the activity itself. If the purpose is a marketing communication, the direct marketing rules apply to all processing that takes place.

Marketers will be familiar with the term “advertising and marketing”. The Code's example is clear that asking people to opt in to marketing is itself marketing, so the rules apply. The ICO has investigated cases that have demonstrated this.

There is helpful clarification that if you process personal data in the preparation of a communication, the rules come into play. It will still be direct marketing even if you remove the personal data from the communication before you send it.

All channels of communication are included. GDPR applies to more traditional forms of marketing, for example direct mail and telephone. It also applies to the new technologies, such as email, online and social media marketing.

Data protection by design

As expected, the ICO have included data protection by design in the process. They look at the data implications of your marketing from the beginning. A useful set of questions to consider in your preparation stage is provided. These are relevant whether for a simple direct mail piece or a wide-reaching online/social media campaign. There is also guidance on how the different parties within the campaign are responsible for compliance.

Data Protection Impact Assessments (DPIAs)

This is a useful summary of the circumstances in which you need a DPIA. The best practice recommendation is, however, confusing. A DPIA is recommended even if no high risk is identified! This could lead to a tick-box mentality. If organisations always do a DPIA, then when one really is necessary it may not be done with the care and attention it deserves.