GDPR and Marketing: Our Top Legal Tips

GDPR. Four little letters which strike terror into the heart of everyone who has been given the unenviable task of ensuring their business is GDPR compliant.

Well, the good news is that, legally, marketing in accordance with the GDPR is actually quite simple!

Lawful ways to process personal data

There are six lawful ways to process personal data but only two of these apply to marketing: consent or processing necessary to pursue your legitimate interests.

If you are communicating by electronic means (for example: text, phone, social media or email) you will also need to consider the Privacy and Electronic Communications Regulations. Under these regulations only existing customers can be marketed to without their explicit consent. Other forms of e-marketing, for example e-marketing using a bought-in list, require consent.

This means that, depending on your intended audience, you may only be able to use consent for electronic marketing but you could use consent or legitimate interests for postal marketing.

Legitimate Interests

Looking at legitimate interests first, this must be a REAL interest, so it can’t be vague.

You should:

  • Carry out and document an assessment of your legitimate interests
  • Consider this assessment on a case-by-case basis, taking into account the reasonable expectations of data subjects based on their relationship with the controller
    • For example, for current customers:
      • It is reasonable to assume they would expect to receive marketing from you
      • It shouldn’t really intrude on their privacy, as long as there is no disproportionate impact
    • Ensure you balance this with the rights and freedoms of the data subject
      • Give them the clear right to object
      • Be transparent
      • Put processes in place to manage this – for example, if someone has objected, don’t send them anything else!

If you conclude you cannot rely on this, then consent will be required even for postal marketing.

Consent

Consent must:

  • Be freely given, specific, informed and unambiguous
  • Be through a clear act, so no pre-ticked boxes!
  • Cover ALL of the things that you will be using the data for, i.e. give them the option to consent to some things and not others

You should:

  • Keep evidence – date, time, source
  • Keep personal data and the relevant consents up to date and under review
  • Make the right to withdraw consent clear and communicate it

Privacy Notices

When you send out marketing materials, in whatever form, you need to include a privacy notice.

This must:

  • Be concise, transparent, intelligible and easily accessible
  • Be written in clear and plain language
  • Clearly identify you and include your contact details
  • Set out the purposes and legal basis for processing their data (and what data!)
  • State how long you are going to keep it
  • State whether you will transfer it to a third party or outside of the EEA (if you store it on servers outside of the EEA, e.g. Dropbox, you will need to say so!)
  • Detail the legitimate interests pursued (if relevant)
  • Detail where the data came from
  • Give the data subject the right to complain, object or withdraw their consent

A simple link to a long and complicated privacy policy during registration will likely not do the trick.

If you have obtained the data from a third party, the notice must be supplied as soon as possible, with any material you send out. If you have collected it yourself, you need to tell them at the point of collection.

All in all it’s quite simple: be transparent about what you’re doing and why you’re doing it and if someone asks you to stop – stop!