The UK privacy regulator – the Information Commissioner’s Office (ICO) – published for public comment its draft code of practice for entities engaging in direct marketing. The code aims to provide practical guidance and recommendations for organizations using direct marketing in compliance with the GDPR and the e-Privacy Directive as applied in the United Kingdom (the Privacy and Electronic Communications Regulations – PECR).
The code explains that direct marketing includes any promotion or advertising of goods and services directed at specific individuals. It describes how organizations should apply GDPR principles such as transparency and fairness of processing, stating that the lawful basis for this processing will most likely be the organization’s legitimate interest or the consent of the data subject.
The code explicitly prohibits organizations from conditioning the provision of the product or service on use of the individual’s data for direct marketing.
The code also discusses using direct marketing for profiling and data enrichment purposes and states that even non-personal data, such as assumptions about the types of people who live in a particular postcode, becomes personal data when it is used to enrich the data an organization knows about an individual.