On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) released a draft ICO direct marketing code of practice. It is still in draft form, and was open for consultation until 4 March 2020. Although it may not be in its final form, it is vital for those it applies to to understand the ICO’s vision, as it gives us insight into the ICO’s expectations regarding compliance with the GDPR and PECR.
Does the ICO direct marketing code of practice apply to you?
There are two important considerations to account for when determining its applicability to you.
- Consider whether you engage in direct marketing. The ICO’s direct marketing code applies to almost anyone intending to conduct, or already conducting, marketing directed at particular individuals, or operating in the broader marketing spectrum. It includes all online and offline direct marketing, from mail to targeted advertising. The list of who this applies to is extensive; however, the code does provide for all actors. This means that if you process data with the intention to market towards particular individuals, you should seriously consider applying the code in practice.
- Consider whether the GDPR or PECR applies to you. It doesn’t matter where in the world you are: if you are processing personal data on people in the EU for the purposes of direct marketing, the code will apply to you.
The code applies to virtually any organisation that direct markets
What is the purpose of the code?
The code combines the relevant GDPR and PECR rules to assist you in taking steps to comply with the rules without imposing any new obligations.
It creates a central guideline for ensuring compliance in the direct marketing regime, and it takes a ‘life-cycle’ approach. It begins by helping you identify whether the code is applicable to you, and then gives you the steps and information you need to become compliant.
You should see it as a tool to ensure you or your business meets the principles of accountability, transparency and fairness in your processing. Following it precisely will also ensure compliance with multiple bodies.
Do you have to follow the ICO direct marketing code of practice?
The short answer is no, but you really should. While it isn’t legally binding, it is a way of ensuring your compliance and ensuring that you uphold the rights of the data subjects you hold information on.
The ICO, through its code, emphasises the need for controllers to ensure due diligence in their processing. If you decide not to follow the code, you must still be able to demonstrate compliance in another way. Failure to do this can lead to heavy fines under the GDPR or PECR.
Where to from here?
The code is still in draft form, and was open to public consultation until 4 March 2020. From that date, the UK Parliament has four weeks to approve the code, and if no objections are made, the code will then be final. Objections have been made and some of the contents of the code are before the courts. Until the courts rule on these issues, the ICO Direct Marketing Code of Practice cannot be finalised.
The ICO code of practice is currently in limbo
Changes may be made; however, the draft gives us a good indication of the ICO’s expectations when it comes to direct marketing. It provides a wealth of information, and is an incredibly valuable tool in becoming compliant and protecting data subjects.
It would be beneficial to begin following it sooner rather than later.