
ICO provides greater clarity on GDPR requirements

Dimitriya Paunova

Data Protection Regulation

The Information Commissioner’s Office (ICO) has published its draft guidance on consent for the General Data Protection Regulation.

The guidance is out for consultation, with responses required by 31st March 2017.

Remind me – what is the GDPR?

The General Data Protection Regulation is a European Union regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.

It will replace the 1995 EU data protection directive (officially Directive 95/46/EC) and the UK Data Protection Act 1998 (DPA) when it comes into force on 25 May 2018.

The new regulation will affect any firm that:

  • Possesses or processes data pertaining to an identifiable person
  • Contacts those individuals via email, phone, SMS or mail
  • Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual

In other words, it impacts pretty much every B2B and B2C business.

You can read more about the regulation and what it means for firms here.

Although it’s an EU regulation, it seems that the imminent Brexit is no reason to stop preparations. In spite of the UK’s upcoming departure from the Union, the relatively short deadline for GDPR compliance means that marketers need to assume it’s ‘business as usual’ in terms of working to meet the requirements.

And with commentators asking whether the new rules have the potential to be the next PPI scandal, firms would be wise to get on the front foot.

What is ‘consent’ in the context of the GDPR?

The ICO states in its consultation document that ‘The GDPR sets a high standard for consent’.

The draft guidance sets out:

  • The ICO’s recommended approach to compliance
  • What counts as valid consent

It also includes information to help firms decide when to rely on consent, and when to look at alternatives.

What does the ICO document clarify?

The consultation paper gives more information on:

  • When and how consent should be the basis for processing data
  • The other five legal bases for data processing, which are:
    • Having a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
    • The need for compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
    • Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
    • A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can.
    • Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.

The last of these – ‘legitimate interests’ – is likely to be of interest to marketers.

The fact that firms can contact individuals for ‘a genuine and legitimate reason (including commercial benefit)’ could be seen as a green light for direct marketing under the new rules.

This is certainly the way the Direct Marketing Association has read it. In its response to the consultation, DMA CEO Chris Combemale said that:

“The DMA fought extremely hard to have direct marketing acknowledged as a legitimate interest in the GDPR and we are pleased the ICO Guidance draws attention to legitimate interest as an alternative to consent within certain clear frameworks.”

The ICO document also clarifies how long consent lasts, clearly stating that its duration is based on the context in which it was given.

This will also be welcomed by marketers – and by the DMA, who said:

“The DMA also welcomes the section that clarifies how long consent lasts. We have argued for some time that how long consent lasts depends on the context which is clearly stated in the guidance.”

What changes will marketers need to make to comply with GDPR?

The ICO guidance sums up the requirements as follows. Consent: 

  • must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
  • must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
  • requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
  • should be obvious and require a positive action to opt in.
  • must be expressly confirmed in words, rather than by any other positive action.
  • There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

What happens next?

If you want to contribute to the consultation, you can download the Consent Guidance Consultation Document from the ICO’s website and either email or post it back to them (details for both are in the document).

The Direct Marketing Association is also collating its own response; if you want to respond as part of this you should email Zach.Thornton@dma.org.uk with your feedback.

The ICO will then collect and analyse the results of the consultation. It is hoping to publish its guidance in May 2017 (depending on any developments at a European level that it needs to take into account). The guidance will be published on the ICO’s website once ready.

Stay on the front foot in terms of marketing compliance

The GDPR is just one of the compliance challenges facing regulated marketing teams. You can ensure your activity is compliant with all the current regulations by reading our Marketing Guide to Compliance. This comprehensive guide has everything marketers need to know about financial promotions. Download your free copy here.


Topics: Marketing
