
The EU Data Laws – how do they affect UK marketing?

Mark Tomkins

As you know, the European Parliament has been voting on one of the biggest changes to data protection law in a generation: the General Data Protection Regulation (GDPR). The idea is to hand control of personal data and privacy back to the individual, and to replace the patchwork of national rules with a single regulation enforced consistently across the EU.

What does this mean for UK (and European) businesses and the way they market their products and services under the new law? Good question.

In a nutshell, it means that if an individual (a customer of a company) doesn’t want the details the company holds on them used in marketing campaigns or for other data-harvesting purposes, they can request complete removal of those details from the company’s database. It also means that this ‘digital profile’ can be taken and transferred to another service provider, and the previous company may not go on marketing to, or otherwise using, that profile once it has moved. This is what is being called the ‘Digital Single Profile’; in the text of the regulation these are the right to erasure and the right to data portability.

As we understand the new law, if a company does not comply, or is caught ignoring such a request, the fines are potentially huge: up to €20M (about £16m) or 4% of worldwide annual turnover, whichever is higher.

When does this become law?

The regulation was adopted by the European Parliament in April 2016 and entered into force in May 2016. All companies that operate within the EU, or that offer goods and services to people in it, then have two years, until 25 May 2018, to comply.

What does it mean to the marketing world?

Some organisations will need to appoint a Data Protection Officer who oversees the use of all stored personal data, makes sure it complies with the regulation and monitors it regularly. The trigger is the nature and scale of the processing (large-scale monitoring of individuals, or large-scale processing of sensitive data) rather than company size, and public bodies are always included. In the event of a personal data breach, the organisation must notify the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, and must also tell the affected individuals where the breach is likely to put them at high risk.

In theory, the threat of the regulator being able to turn up and inspect whether systems and proper data protection processes are in place could be enough to change marketing across Europe significantly, for both digital and traditional methods.

Gone will be the days when email marketing lists of dubious origin, gathered by sales forces or built from tenuous website sign-ups, can be used for campaigns without an express opt-in on record.

We’re already seeing the likes of Mailchimp and other leading email marketing platforms suspend accounts where the bounce rate climbs, or where an account holds a large volume of contacts with little or no double opt-in on record. (Double opt-in means that when an individual’s details are added to an email list, a confirmation is sent to them and the address is only used once they have confirmed that they are happy to be on the list.)

Some argue that double opt-in ensures better-quality lists, and therefore better engagement, fewer bounces and, ultimately, a better IP reputation for Mailchimp (and the others). Others say it is simply a barrier to sale and that single opt-in is more commercially viable and acceptable (but worse for the individual’s privacy).
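The double opt-in mechanism described above is simple to state but easy to implement badly: a guessable confirmation link lets anyone ‘confirm’ an address they do not own, and a confirmation that never expires or can be replayed leaves no reliable record of when consent was actually given. Here is an added example of the flow in Python, written for this edit; it is not the article’s code and not how Mailchimp or any other platform implements it. The sign-up creates a pending record and an HMAC-signed, time-limited confirmation token bound to that specific request; following the link marks the record confirmed and stores the evidence; and the mailer asks only whether a confirmed opt-in exists. The 48-hour lifetime, the in-memory store and all names are assumptions.

```python
"""Double opt-in subscription flow with signed, expiring confirmation links.

Added example for this article, not a vendor's code. Assumed: a per-deployment
secret key, a 48-hour link lifetime and a dict standing in for the database.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL_SECONDS = 48 * 3600           # assumed lifetime of a confirmation link
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
PENDING, CONFIRMED, UNSUBSCRIBED = "pending", "confirmed", "unsubscribed"


def make_token(key: bytes, claims: dict) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag.

    The link is self-describing and tamper-evident: the server keeps no table
    of outstanding links, and nobody can forge a confirmation for an address
    they do not control without the server key.
    """
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(key: bytes, token: str, now: int, ttl: int = TOKEN_TTL_SECONDS):
    """Return the claims if the tag is valid and the link is unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                  # bad padding / not base64 at all
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    claims = json.loads(payload)        # authenticated, so safe to parse
    if now - claims["iat"] > ttl:
        return None
    return claims


class SubscriberStore:
    """Minimal consent ledger: an address is only mailable once confirmed.

    Each record keeps the evidence a marketer would want to show on request:
    when the sign-up happened, via which form, and when/from where it was confirmed.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.records = {}

    def request_subscription(self, email: str, list_id: str, now: int, source: str) -> str:
        """Step 1: the sign-up form submits an address. Returns the token for the link."""
        email = email.strip().lower()
        nonce = secrets.token_hex(8)    # binds the link to this specific request
        self.records[(email, list_id)] = {"status": PENDING, "requested_at": now,
                                          "source": source, "nonce": nonce}
        return make_token(self.key, {"email": email, "list": list_id,
                                     "iat": now, "nonce": nonce})

    def confirm(self, token: str, now: int, client_ip: str) -> bool:
        """Step 2: the link in the confirmation email is followed."""
        claims = verify_token(self.key, token, now)
        if claims is None:
            return False
        rec = self.records.get((claims["email"], claims["list"]))
        # Reject unknown records, replays, and links for a superseded request.
        if rec is None or rec["status"] != PENDING or rec["nonce"] != claims["nonce"]:
            return False
        rec.update({"status": CONFIRMED, "confirmed_at": now, "confirmed_from": client_ip})
        return True

    def unsubscribe(self, email: str, list_id: str, now: int) -> bool:
        rec = self.records.get((email.strip().lower(), list_id))
        if rec is None:
            return False
        rec.update({"status": UNSUBSCRIBED, "unsubscribed_at": now})
        return True

    def can_send(self, email: str, list_id: str) -> bool:
        """The only question the mailer asks: is there a confirmed opt-in on record?"""
        rec = self.records.get((email.strip().lower(), list_id))
        return rec is not None and rec["status"] == CONFIRMED


if __name__ == "__main__":
    store = SubscriberStore(secrets.token_bytes(32))   # per-deployment key
    link = store.request_subscription("Alice@Example.com", "newsletter", 1_700_000_000, "web-form")
    print("mailable before confirm:", store.can_send("alice@example.com", "newsletter"))
    print("confirmed:", store.confirm(link, 1_700_000_060, "203.0.113.5"))
    print("mailable after confirm: ", store.can_send("alice@example.com", "newsletter"))
    print("replay accepted:", store.confirm(link, 1_700_000_120, "203.0.113.5"))
```

In a real deployment the key lives in a secrets manager and the records in a database, but the shape of the record is the point: request time, source form, confirmation time and client address are what you would produce if asked how a given consent was obtained.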

It’s also possible that we’ll see a huge reduction in the number of companies selling data lists, as their sources of user data dry up. They may change their model and sell lists of individuals who have expressly opted in to receive marketing from anyone, but the numbers on such lists will be far smaller.

Additionally, companies will have to be much more transparent about what they do with their customer data and express this in ever-more complicated privacy policies and T&Cs. But who will really read these?

What does it mean to UK marketing?

Well, it means that UK-based businesses will need to comply with the new rules by 25 May 2018. They will need to review their processes and how their customer data is captured, stored and managed. They will need to review their privacy and data policies to ensure they are current, comply with the new rules, and describe what the business can actually do in practice.

Industry-specific governing bodies will also want to review these data policies and add to them in respect of compliance with their own guidelines.


Full details of each aspect of the data laws, in terms of compliance, affected areas and guidance notes, can be read on the European Commission’s website:

However, that website and document is an epic tome and almost impossible to digest. We’ve found a better response and outline from our own UK ICO (Information Commissioner’s Office) website at The ICO also offers a very useful newsletter signup service that is excellent for marketeers wanting to stay up to date.

We’ve summarised the common questions asked by SMEs in the UK and put them to the ICO for direct answers to help clear up the myths. The following helps clarify how these new laws affect UK business marketing:

Can I send email marketing to my existing client base even if the client hasn’t specifically opted in to receive the emails but has bought from me?

The ICO say:

“Under the Privacy and Electronic Communications Regulations (PECR) if you can fulfil the soft opt-in criteria it may be possible to send clients marketing emails. The soft opt-in criteria are:

  • the contact details were obtained in the course of a sale or the negotiations for the sale, of a product or service to that client
  • the marketing material being sent is for similar products or services
  • the client was given a simple means of opting out at the time their details were initially collected and is given an opt out opportunity at the time of each subsequent communication.

Soft opt-in is explained in paragraphs 131-138 of the Direct Marketing guide.”


Do I have to seek an opt-in for every contact I want to send marketing emails to?

The ICO says:

“Consent must be obtained for email marketing to individuals. Paragraph 57-82 of our Direct Marketing guide covers the definition of consent, implied consent, methods of obtaining consent and opt-in/out boxes.”


What happens if my website gets hacked and our customer database breached – who do I need to tell?

The ICO says:

“Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO. And you can do this through our website at”


Can I still send out marketing brochures (via direct mail) to our customer list even if they haven’t asked for it?

The ICO says:

“PECR doesn’t cover marketing by mail, but organisations sending marketing mail to named individuals must comply with the DPA. Paragraphs 154-157 of the Direct Marketing guide cover marketing mail.”


Can I still buy in lists of prospects who might be potential customers, to send out marketing emails and direct mail?

The ICO says:

“Paragraphs 83-96 of the Direct Marketing guide deal with ‘indirect consent’ – the term used to cover situations where a person tells one organisation that they have consent to receive marketing from other organisations. It is important to note that paragraph 85 states
‘Although there is a well-established trade in third party opt-in lists for traditional forms of marketing, organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls.’”

What remains to be seen, though, is just how many big businesses (and it is those that are affected most) will change their policies.


Social media

What about social media sites like Facebook and Twitter? Put simply, if you want to close your account with them you will be able to ask for your profile to be completely removed and deleted. At the moment, most social networks retain the information you have provided about yourself even after you close your account. Under the new rules, however, you have the ‘right to be forgotten’ (in the text of the regulation, the right to erasure).

The new law wants this ‘right to be forgotten’ to apply across all aspects of data collection, and pairs it with a right to data portability. For example, if you are a customer of Virgin for your TV and phone and decide to move to Sky, Virgin will be obliged to hand over your data (directly to Sky where that is technically feasible) and then, if you ask, irrecoverably delete it from the Virgin database. That’s the theory, anyway.

Additionally, we predict a big surge in ‘white label’ privacy policies produced for sale, which people will simply copy and paste onto their websites and into their T&Cs without reading what the policy says or checking that they actually conform to it.