
Get ready for the ICO’s new Direct Marketing Code of Practice
As required by the Data Protection Act 2018, this new code will supersede the ICO’s existing Direct Marketing Guidance. The aim is to provide practical guidance and promote good practice in respect of processing for direct marketing purposes in compliance with data protection and e-privacy rules.

The ICO states that it intends the new code to apply to all processing activities that lead up to, enable or support the sending of direct marketing by an organisation or a third party. Examples the ICO has selected include:

  • Collecting personal data to build a profile of an individual with the intention to target advertising at them;
  • List brokering;
  • Data enrichment; and
  • Audience segmenting.

Whilst the publication date of the new code is unknown, here are a few of the key takeaways from the current draft:

  1. Sending direct marketing messages.
    No matter which method is used for sending direct marketing messages, the GDPR will apply when personal data is processed.
  2. Social media platforms.
    When using a social media presence to target direct marketing at individuals or using the platform’s advertising services and technologies, there will be a need to be clear about what data is being used and why.
  3. Tracking.
    The use of location-based marketing techniques must be transparent. People should also be told about the tracking. This is likely to be of significance for AdTech.
  4. Viral marketing (“tell a friend campaigns”).
    Viral marketing is likely to breach the Privacy and Electronic Communications Regulations 2003 (PECR) as it is almost impossible to obtain consent, particularly as the instigating organisation has no direct contact with the ultimate recipients, will not know what the referring individual has told their friends about the processing and will not be able to verify whether the friend provided GDPR standard consent.
  5. Publicly available information.
    Someone posting their details on social media or other public forums does not, by doing so, agree to his/her content being used for direct marketing purposes. (This means that if an organisation collects publicly available personal data, it must still comply with the GDPR and PECR.)

Why is this important?

Once adopted, the ICO says it will monitor compliance with the new code through proactive audits.

I’m thrilled to have signed off on the CSaaS offering. I’m looking forward to having the most complete cyber security package for the mid-market and continuing our successful working relationship with norm.

Richard Taylor, CIO
Summit Therapeutics

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

The biggest factor was that they had a data protection lawyer in-house who worked for them, which meant there was someone we could directly go to with specific questions about the (GDPR) regulation.

Phil Everitt, Management Information Systems Manager
Leicester Tigers

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO.

Will Blake, Director of Technology and Analytics
CRU Group