Privacy and data protection in direct marketing
What steps you must take to protect your customers' privacy and data and comply with the law when carrying out email, telephone or any other direct marketing.
Last updated 30 June 2025
The Data (Use and Access) Act (DUAA) became law on 19 June 2025. As a result, this guidance is under review and may change. See the latest DUAA guidance.
Direct marketing is any marketing or advertising material that is directed at particular individuals. It includes messages trying to sell goods or services and those promoting an organisation or its values, such as charities or political parties. Direct marketing could be an email advertising car insurance or a phone call from a charity asking for a donation. It does not include calls that are purely for market research.
This guide explains what you need to do to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) and the Data (Use and Access) Act 2025 (DUAA) when carrying out direct marketing activities.
Data Protection Act
How rules on data protection are likely to affect your business including what personal information you store, how long you retain personal information, how it is stored and what it may be used for.
The Data Protection Act 2018 (DPA) replaced the 1998 act on 25 May 2018. The UK General Data Protection Regulation (UK GDPR) applies to all EU member states. The DPA applies GDPR standards in the UK but also includes rules beyond the scope of GDPR.
The DPA governs the use and processing of personal data by businesses and other organisations. You will need to comply with the act if you use, hold, store or otherwise process personal data as part of your business, for example because you hold customer details or details of employees.
What is personal data?
Personal data is defined very broadly and is any information about a living individual who is identified or who is identifiable. It includes information such as:
- name and address
- bank details
- opinions expressed about an individual
- identification number
- IP addresses
- location data
- online identifiers
Data protection principles
If you are processing personal information covered by the DPA you must comply with the entirety of the DPA and specifically with the following data protection principles. These require that:
- the processing of personal data must be lawful and fair
- the purpose for which personal data is collected must be specified, explicit and legitimate, and not be processed in a manner that is incompatible with the purpose for which it was collected
- personal data processed must be adequate, relevant and not excessive
- personal data processed must be accurate and, where necessary, kept up to date
- personal data processed must be kept for no longer than is necessary for the purpose for which it is being processed
- personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures
Under GDPR, there is an accountability principle which specifically requires you to take responsibility for complying with the principles and for the personal data that you process.
Under the Data Protection (Charges and Information) Regulations 2018, you may be required to pay a data protection fee to the Information Commissioner's Office if you are processing personal data unless you are exempt. Use the on the ICO website to find out if you need to pay a fee to the ICO.
Data protection and direct marketing
Tell people who you are, how you will use their information and if you will pass it on to other businesses to comply with data protection regulations.
The Data Protection Act (DPA) applies to the use of personal information for marketing purposes. To comply with the first data protection principle of the DPA you have to tell individuals:
- who you are
- what you will use their information for (e.g. for marketing purposes)
- anything else necessary to make sure you are using their information fairly, including whether you plan to pass your marketing lists to other organisations and how you will be contacting people, such as by post, phone or email
You must not do anything that individuals would not reasonably expect or that would cause them unjustified harm.
Data protection rights
Individuals have a number of legal rights regarding their personal information:
- the right to be informed
- the right to access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
Lawful basis for processing
You must have a valid lawful basis for processing the personal information of any individual for marketing purposes. In relation to direct marketing the most appropriate lawful basis would be one of the following:
- Consent - you can rely upon the consent of the individual to market to them. This must be a clear, affirmative and positive action to process the data in this way. You must explain to the individual the categories of personal data you will use, how you will use them and that they can withdraw consent at any time.
- Legitimate interest - you may rely upon your business's legitimate interest in obtaining new customers in order to market directly to individuals. However, this does not negate the consent requirements of PECR. For more information on legitimate interests please see Legitimate Interests.
An individual's right to object
You are using personal information for marketing purposes if you use an individual's details to send them mail advertising your products or services. Some email addresses will be personal information, eg an email address in the format firstname.surname@company.com. An email address that does not name or identify an individual is not personal information.
The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. All individuals have the right to stop their personal information from being used for direct marketing. This right to object is absolute and there are no exceptions. You must inform individuals of their right to object when you first contact them. You should act on objections without undue delay, and within a reasonable period. The ICO suggests acting within 28 days for calls, texts or other electronic communications and within two months for postal communications.
You normally cannot charge a fee for complying with objections. If the objection is unfounded or excessive, you may request a 'reasonable fee' to deal with it.
You don't need to erase a person's details from your records if they object to direct marketing. The right to object to direct marketing does not prevent a business from holding a suppression or 'do not contact' list. You can keep a 'do not contact' list of people who have opted out or otherwise told you directly that they do not want to receive marketing to ensure you comply with their objection.
Privacy Notices
You must provide individuals with certain information. This privacy notice information should be provided to individuals at the point in time when they provide you with their personal information. It makes sense to do this when they give their consent to your marketing or when they order goods or services from you. If you do not obtain personal information from the individuals, you should provide them with this notice, at the latest, when you first make contact with them.
Providing personal information to third parties
You may provide personal information about individuals to a third party if:
- they are authorised to obtain that personal information on behalf of the individual
- your business outsources the processing of personal information - for example, payroll processing
- the police need it as part of an investigation
Any third parties who will be relying on the consent must be named - precisely defined categories of third parties will not be acceptable under the UK GDPR definition. You must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Data protection when buying marketing databases
Your responsibilities when buying personal information for marketing purposes including informing individuals and seeking consent.
If you buy databases containing customers' personal information, you must comply with data protection requirements. These requirements are set out in:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act (DPA)
- The Privacy and Electronic Communications Regulations (PECR)
Businesses generally may only use personal information from a bought-in database if the individuals consented to their information being passed on. You must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. They must have specifically consented to receive a particular type of message from you. Generic third-party consent is not enough, and organisations must carry out rigorous checks before relying on such consent.
Neither the DPA nor PECR bans the use of marketing lists, but organisations must take steps to ensure a list is compiled fairly and accurately reflects people's wishes. The Information Commissioner's Office provides guidance on this.
Sell the database of a defunct business
A business that is insolvent, bankrupt, being closed down or sold may sell its customer database without consent under the following circumstances:
- the seller must make sure that the buyer understands they can only use the information for the purposes for which it was originally collected
- any use of the information should be within the reasonable expectations of the individuals concerned
- consent is sought if the information is to be used for a different purpose
- the individuals are informed about the new owner and given their contact details
Download a guide to sending direct marketing messages (PDF, 118KB).
The Privacy and Electronic Communications Regulations
The practical steps you can take to make sure your e-marketing complies with the privacy regulations.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act (DPA) and the UK General Data Protection Regulation (UK GDPR), and are the rules that govern how you conduct your electronic marketing, such as email or telephone. The regulations will also affect you if you use cookies on your website or if you operate telephone or similar directories.
Key elements of the regulations are that you must obtain consent before installing cookies on a user's machine and in some cases you must have the customer's specific consent to be able to send them electronic marketing. If an individual has opted out of receiving marketing information, you are not allowed to send it.
To comply with the regulations you must:
- Ensure that you have the customer's consent to electronically market to them by phone, fax or email.
- Identify yourself when you carry out marketing.
- Provide appropriate contact details when sending marketing material or messages so that the individual or organisation receiving the marketing can contact you. This should be a postal address, email address or Freephone number.
For telephone marketing, you must identify yourself. You must also give your address or Freephone number if the person you are calling asks for it.
Businesses must tell visitors to their website that they use cookies and obtain their consent. You must also tell your site users how you use cookies.
For more information on the rules applying to different forms of electronic marketing, see electronic, email and telephone marketing regulations.
Electronic, email and telephone marketing regulations
Email, telephone and fax marketing regulations including rules about opting-in and opting-out of email communications and the telephone preference service.
There are different rules governing the various methods of marketing.
Electronic mail
The rules covering electronic mail marketing apply to any message that consists of text, voice, sound or images, eg email, voicemail, SMS and messaging apps.
You can only carry out marketing by electronic mail if the individual you are sending the message to has given you their consent.
There is an exception to this rule, known as the 'soft opt-in' that applies where:
- You have obtained the individual's details during a previous sale or the negotiations for a previous sale of a product or service to that person.
- The individual did not opt out of marketing messages. (The opt-out option should allow the individual to reply directly to the message. In the case of text messages, an individual could opt out by sending a stop message to a short code number, for example, text 'STOP' to 12345. The only cost should be the cost of sending the message.)
- Individuals can opt out of receiving marketing at any time and you must comply with any opt-out requests promptly.
- The future messages are only marketing your similar products or services. On this basis, there is the assumption that individuals are probably happy to receive marketing from you about similar products or services even if they haven't specifically consented.
- The soft opt-in rule does not apply to prospective customers, new contacts (e.g. from bought-in lists) and non-commercial promotions (e.g. charity fundraising or political campaigning).
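The decision the soft opt-in rules above describe, together with the 'do not contact' suppression list from the right-to-object section, as an added worked example (not part of the original guidance). The recipient and campaign attributes, the STOP handling and the sample addresses are constructed for illustration; the reasons returned are for your own audit log, not legal wording.

```python
from dataclasses import dataclass


class SuppressionList:
    """'Do not contact' list. Entries are kept, not erased, so that a later
    objection from the same person is still honoured."""

    def __init__(self) -> None:
        self._ids: set[str] = set()

    @staticmethod
    def _norm(identifier: str) -> str:
        return identifier.strip().lower()

    def add(self, identifier: str) -> None:
        self._ids.add(self._norm(identifier))

    def __contains__(self, identifier: str) -> bool:
        return self._norm(identifier) in self._ids


@dataclass
class Recipient:
    address: str                     # email address or mobile number (constructed)
    consented: bool = False          # clear affirmative consent to electronic-mail marketing
    details_from_sale: bool = False  # details obtained during a sale or its negotiation
    from_bought_list: bool = False   # new contact from a bought-in or rented list


@dataclass
class Campaign:
    similar_products: bool          # markets only products/services similar to the earlier sale
    commercial: bool = True         # charity fundraising or political campaigning -> False
    has_opt_out_route: bool = True  # message lets the recipient opt out by reply or STOP


def handle_inbound_sms(sender: str, text: str, suppression: SuppressionList) -> bool:
    """Treat a reply beginning with STOP as an opt-out request. Returns True if recorded."""
    if text.strip().upper().startswith("STOP"):
        suppression.add(sender)
        return True
    return False


def may_send(r: Recipient, c: Campaign, suppression: SuppressionList) -> tuple[bool, str]:
    """Decide whether a marketing message may go to r, and record why."""
    # An opt-out always wins, whatever consent was given earlier.
    if r.address in suppression:
        return False, "recipient has opted out: on suppression list"
    if r.consented:
        return True, "explicit consent"
    # From here on only the soft opt-in could justify the message.
    if not c.commercial:
        return False, "soft opt-in does not cover non-commercial promotions"
    if r.from_bought_list or not r.details_from_sale:
        return False, "no prior sale or negotiation: soft opt-in not available"
    if not c.similar_products:
        return False, "campaign is not for similar products or services"
    if not c.has_opt_out_route:
        return False, "message must carry a simple opt-out route"
    return True, "soft opt-in"
```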
Email marketing to organisations
If you are sending marketing to organisations, you don't have to have their consent but you must include the name of your business in the email and provide a valid address where opt-out requests can be sent. However, if you have an email address which is 'personal data', for example name.surname@company.co.uk, the individual employees of that organisation still have the right to prevent that email address being used for direct marketing.
Telephone marketing
You can't make unsolicited telephone calls to an individual or organisation who has told you they do not want your calls, or who has registered with the Telephone Preference Service (TPS). To comply with PECR, organisations should screen the list of numbers they intend to call against the TPS register.
The same rules apply to marketing calls made to businesses. Sole traders and partnerships may register their numbers with the TPS in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (CTPS). So organisations making business-to-business marketing calls will need to screen against both the TPS and CTPS registers.
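The screening step described above, as an added worked example (not from the original guidance). It checks a call list against the TPS and CTPS registers and your own 'do not call' list, normalising number formats first so that a number stored as "+44 20 ..." still matches one stored as "020 ...". The register contents, target kinds and numbers are constructed sample data.

```python
import re
from dataclasses import dataclass

# Sole traders and partnerships register with TPS like consumers;
# companies and other corporate bodies register with CTPS.
TPS_KINDS = ("consumer", "sole_trader", "partnership")
CTPS_KIND = "company"


@dataclass
class CallTarget:
    number: str
    kind: str  # one of "consumer", "sole_trader", "partnership", "company" (constructed labels)


def normalise(number: str) -> str:
    """Reduce a UK number to national-format digits so lookups do not miss a
    registered number merely because it was typed with spaces, brackets or +44."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits


def screen(targets: list[CallTarget], tps: list[str], ctps: list[str],
           do_not_call: list[str], b2b: bool) -> tuple[list[str], dict[str, str]]:
    """Return (numbers safe to dial, blocked number -> reason).

    For a business-to-business campaign every number is screened against both
    registers, because a 'business' number may belong to a sole trader on TPS."""
    tps_n = {normalise(n) for n in tps}
    ctps_n = {normalise(n) for n in ctps}
    dnc_n = {normalise(n) for n in do_not_call}
    callable_numbers: list[str] = []
    blocked: dict[str, str] = {}
    for t in targets:
        n = normalise(t.number)
        if n in dnc_n:
            blocked[t.number] = "told us directly not to call"
        elif (b2b or t.kind in TPS_KINDS) and n in tps_n:
            blocked[t.number] = "registered with TPS"
        elif (b2b or t.kind == CTPS_KIND) and n in ctps_n:
            blocked[t.number] = "registered with CTPS"
        else:
            callable_numbers.append(t.number)
    return callable_numbers, blocked
```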
Automated calls
You cannot make automated calls (pre-recorded phone messages) without getting the individual or organisation's specific consent first.
Fax
Organisations cannot send marketing faxes to individuals (including sole traders and some partnerships) unless they have agreed to receive them and provided their specific consent.
Using cookies and the law
You must be open about what cookies do, how and why you use cookies and provide instructions on how to turn them off to comply with electronic communications regulations.
Cookies are text files that are stored on a user's computer when they visit a website that uses them. Thereafter, the cookie sends information back to the website. They can be used to monitor browsing preferences of users, eg types of goods searched for, pages visited and length of dwell time on each page. However, you need to be open with your customers about how you will use this information to comply with the law on cookies.
If you use cookies as part of your website you will need to tell individuals that the cookies are there, explain what the cookies are doing and why, and get the person's consent to store a cookie on their device. You must give clear and comprehensive information about why you are using cookies and obtain their consent.
This information should be easy to understand and should tell users of the website that cookies will be used to collect and store information about them. You should also give users the opportunity to refuse the continued storage of any cookies on their computer or access to it and explain how users can turn the cookies off. There are very few circumstances where this information does not have to be provided.
Frequently asked questions about email marketing data protection
Some frequently asked questions about data protection in marketing including advertising for third parties, email marketing lists and similar products and services.
There are certain data protection rules you must follow when carrying out email marketing. See these commonly asked questions:
Can we advertise the products and services of third parties by electronic mail?
If you are offering a 'host mailing' service, you are not disclosing your mailing list to a third party but you are willing, for a fee, to promote their goods and services alongside yours. It is unlikely you could send such messages on a 'soft opt-in' basis because they are not your own 'similar products and services'. However, you could send such material if the individual has agreed to receive it, provided you identify that you and not the third party are the sender.
Can we use third-party email marketing lists?
The law does not stop you using rented email marketing lists. However, you are responsible for any emails you send so make sure that the individuals you are sending the email to gave their consent for their details to be passed to third parties. You should check with the list rental business that they have the consent of the individuals concerned.
Data protection offences and enforcement
Offences under data protection law relating to notification, obtaining data without consent and breaching notices.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes both accidental and deliberate breaches. A breach is therefore more than just losing personal data.
The main data protection offences relate to the following:
- Notification - particularly where an organisation has failed to notify the Information Commissioner's Office (ICO) within 72 hours about the way they process personal information or to make necessary changes to their notification entry.
- Obtaining or disclosing personal data without the consent of the data controller. Employees have been prosecuted for selling their employers' information or even disclosing it to friends or family for their purposes. Employees also need to be trained to recognise attempts to 'con' information out of them by unscrupulous individuals who trade in this type of information.
- Breaching formal notices issued by the Information Commissioner.
Penalties
The Information Commissioner has the power to prosecute those who may have committed a criminal offence. An enforcement notice could be issued if an organisation has not complied with one or more of the data protection principles. The Information Commissioner can issue an information notice to demand information needed to consider a complaint or decide if a principle has been breached. This is usually a last resort if the information is being withheld. Both notices can be appealed to the Information Tribunal.
The Information Commissioner also has the power to impose civil penalties on any data controller where:
- there has been a serious violation of data protection principles
- the violation was likely to cause substantial damage or distress
- the violation was deliberate, or the data controller knew (or should have known) that a damaging or distressing violation was possible but failed to take reasonable steps to prevent it
The data controller will be served with a notice of intent detailing the nature, circumstances and seriousness of the violation along with an indication of the penalty amount. The maximum penalty is capped at £500,000.
Not notifying a breach when required to do so can result in a significant fine of up to 10 million euros or 2 per cent of your global turnover.
Data controllers can make a representation to the Information Commissioner (providing information on the mitigating circumstances and any relevant documents and evidence) on receipt of a notice of intent.
You could be liable for a financial penalty if you fail to notify or comply with an enforcement or information notice. If you are convicted of any other offence under the Act, you could face a fine.