GDPR and the effects on marketing

 In News

How you market your business in the UK and across the EU is about to change. On May 25th, the new General Data Protection Regulations (GDPR) come into force.

This is the biggest change in marketing and database management since 1998 when the Data Protection Act was introduced in the UK. The thinking behind GDPR is that the way that customer data is used has changed beyond recognition in the twenty years since the current legislation became law and that those changes have been to the detriment of individuals’ privacy. GDPR is designed to redress that imbalance.

So, what does it means for marketing in the UK? How will your business have to change? Here is Archeo and Futura’s summary of GDPR.

What stays the same

You can continue to approach with no permission needed beforehand to the following:

  • Individuals, sole traders, partnerships, and limited companies by telephone marketing as long as they are not registered with either the Telephone Preference Service or Corporate Telephone Preference Service (as applicable) on products or services you think they have a legitimate interest in and
  • Individuals, sole traders, partnerships, and limited companies by postal marketing. Although not a legal requirement, we would advice that you check that a potential recipient is not on the Mailing Preference Service.

What’s changing?

The definition of “consent” is becoming much tighter and this will be the key to GDPR-compliant marketing after the 25th May. The areas affected the most by GDPR is email marketing and mobile phone messaging (for example, SMS, MMS, WhatsApp, and so on).


Consent is defined in Part 171 of the regulations in the following way – “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.

You’ll need to demonstrate for all your current email addresses or mobile phone numbers that you use for marketing that you have “unambiguous and demonstrable” consent from the person you wish to send messages to.

If your clients are individuals, sole traders, or partnerships and you cannot show this “unambiguous and demonstrable” consent from when they opted in to receive your messages, you’ll almost certainly need to ask every single person on your list again for permission. This includes for your existing customers although you won’t need consent to send them queries about their account with you, to chase up invoices, or for any other non-marketing purpose.

If your clients are limited companies, PLCs, or are purchasers within a public-sector body (like a school or a local council), you do not need prior consent to send a marketing email to them. This type of marketing will remain essentially unaffected.

Bought in lists

Many companies use lists they buy in from data owners or data brokers which they then use to send out marketing emails to. If your business makes use of these types of database, how will GDPR affect you?

For individuals, sole traders, and partnerships, “consent” now must be given on a company-by-company basis. GDPR effectively bans the sale of these lists. If you use of these lists within your business right now, you have until May 25th to extract as much value from them as you can.

Third-party consent for individuals, sole traders, and partnerships is not permitted under GDPR. Third-party consent describes the type of consent you give when you tick a box on a website which allows the company that owns that website to sell your details to other companies whose products or services may be of interest to you.

However, third-party consent is still legal for limited companies, PLCs, or purchasers working for a public-sector body with three conditions. Those conditions are:

  • You must be marketing products or services that are of direct benefit to the organisation and not the individual (for example, public liability insurance is fine whereas pet insurance would not be).
  • You must provide a free-of-charge opt-out
  • You must display your company name and full postal address in your email.

You’ll still be able to buy in B2B email prospecting lists from May 25th for limited companies, PLCs, or purchasers working for a public-sector body.

Getting ready for GDPR

You can still continue to do until 25th May whatever you’re doing right now to market your company.

After that, you’ll need to be GDPR-compliant. The regulator in charge of the implementation and policing of GDPR in the UK, the Information Commissioner, has indicated that they will take a softly-softly approach in the first few months after the law is introduced in an attempt to help businesses and organisations transition successfully. After that, the fines for breaching GDPR will be heavy with a maximum of 4% of annual global turnover of EUR20m.

Ask Archeo & Futura for guidance on GDPR by calling 020 8871 3616 or emailing

Leave a Comment

Start typing and press Enter to search