
Written by Ana Mishova

Posted on: October 11, 2023

Ethical Marketing in the UK: Navigating Data Protection Compliance and Best Practices

To what extent does GDPR influence the way UK businesses market their products and services? We explain in our new blog.

How does GDPR affect marketing activities in the UK?

GDPR (in its original EU form) may not directly apply to the UK, but that’s only because virtually all of its provisions were morphed into the Data Protection Act 2018 and other legislation when the UK left the EU. At that point, the GDPR became the UK GDPR and it very much applies to the way you market your business.

In this post, therefore, when we refer to ‘GDPR’, we mean both the UK’s and the EU’s data protection legislation. GDPR applies to all marketing activities that involve processing personal data, including email marketing, social media advertising and targeted advertising.

What constitutes ‘personal data’ in the context of marketing under GDPR?

‘Personal data’ is any information that can directly or indirectly identify an individual. This (extremely broad) category includes names, email addresses, phone numbers, location data, IP addresses and online identifiers.

Even data that can’t, in isolation, be used to identify an individual could constitute personal data if it could be pieced together with other data in a way that would enable an individual to be identified.

The Information Commissioner’s Office (the ICO) notes that there’s a contextual element to personal data. Information that may not be classed as personal data when used in one context could become personal data in another. As the ICO stresses, “Understanding whether you are processing personal data is critical to understanding whether the UK GDPR applies to your activities.” Misunderstanding this fundamental question could leave you exposed to the risks of noncompliance, which is why it’s always wise to seek expert advice from a GDPR consultant.

What steps should UK marketers take to obtain valid consent under GDPR?

You might imagine asking to use an individual’s data is a simple matter, but there’s a lot to unpick. The GDPR requires any consent you gain to be freely given, specific, informed, and unambiguous.

Freely given: The ICO gives the example of an online furniture store which asks customers to consent to their details being shared with other stores before they complete checkout. In this instance, consent isn’t freely given. Effectively, the customer’s goods are being held hostage, and will only be released if they agree to the store unnecessarily sharing their data. Contrast this with consent to share personal details with the delivery company that will be couriering the goods. Here, the requirement is necessary and won’t prevent consent being freely given.

Specific and informed: GDPR requires organisations seeking consent to explain the identity of the data controller, their purpose in collecting the data and the specific processing activities they are carrying out.

Unambiguous: As the ICO notes: “You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language.”

In addition to the above, individuals must be able to withdraw their consent at any time and every organisation should make that process easy.

For all the above, the question we often see from organisations is ‘how do we know that we have done enough to comply?’ How concise is concise? How can we be sure that our definition of ‘freely given’ will stand up to scrutiny?

This is the value of expert GDPR services, where a GDPR consultant can act as your guide, providing reassurance (or corrective advice) to ensure your compliance measures are sufficient.

What are the consequences of non-compliance with GDPR for UK marketers?

Non-compliance with GDPR can lead to severe penalties, including fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

Focus naturally tends to fall on the largest fines awarded to date, and these have in the main involved US companies (Meta, Google, Amazon, etc.) or their international subsidiaries. Dig a little deeper, however, and UK companies have not been immune from heavy GDPR fines.

Marriott and British Airways faced fines of £99 million and £183 million respectively in 2019, although the final amount paid by both was significantly reduced in the face of a number of mitigating factors, not least the pandemic.

How does GDPR influence UK marketers’ data security practices?

GDPR mandates that organisations (and their marketers) implement technical and organisational data security measures appropriate to the risk.

Where the risk is deemed significant, those measures might include pseudonymisation, encryption, regular security assessments and incident response plans.

For your organisation, however, the challenge is often in determining whether your assessment of what is appropriate is… well, appropriate.

Once again, it’s wise to enlist the GDPR services of a specialist GDPR consultancy to determine how much the regulation will influence your actions.

Explore how our GDPR services can support you now, get data protection advice or, for questions about your next steps, call +44 1772 217800.
