New ICO Guidance and what it means to companies sourcing data


Steve Henderson, a Member of DMA Email Council Legal and Best Practice Hub & Compliance Officer at Communicator, looks at the updated ICO guidance and increased activity and what this means to you.

The Information Commissioner's Office (ICO) recently released their 2013 Direct Marketing Guidance which has updated guidelines for selling, sourcing and using personal data in line with the Data Protection Act 1988 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR).

The laws have not changed, but these new ICO guidelines clarify what vendors and marketers should do to make sure they adhere to these laws.

The ICO are without question becoming more active and must be given more consideration than ever before: they have doubled enforcement actions over the past 12-18 months and recently wrote to the Ministry of Justice lobbying for more funding, saying that they have to consider moving away from advice and guidance intervention towards a “mandatory fines” approach.

ICO Direct Marketing Guidance – Headlines

Only with consent
The PECR states that organisations need an individual consumer’s consent before they can send marketing texts, emails or faxes, make calls to a number registered with the TPS, or make any automated marketing calls. The first Principle of the Data Protection Act 1988 means that organisations will also need consent to pass customer details on to another organisation.

Due diligence
The ICO expects organisations buying or renting a marketing list from a list broker or other third party to satisfy themselves that the third party obtained specific consent for this type of marketing.

Specific questions you could ask a data vendor would include:

  • Is the seller registered with the ICO and a member of the DMA?
  • Has the list been screened against TPS or other relevant preference services?
  • Has the seller received any complaints?
  • Is the seller a member of a professional body or accredited in some way?

Make it easy to quickly respond to complaints to prevent escalation
ICO has updated their disclosure and demonstration guidelines:

If an organisation cannot demonstrate that they had valid consent, they may be subject to enforcement action. Organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.

With third party data these proof of consent and disclosure requirements still exist. You must ensure the data vendor is able to deal with any data queries or complaints that may arise.

Not forever
One of the more interesting headlines from the updated guidance is the ICO’s statement that organisations should not rely on consent collected more than six months ago.

While this is the headline statement gaining most publicity from the guidance, the actual guidance is more flexible:

Consent will not remain valid forever. How long consent remains valid will depend on the context and the person’s current wishes.

Third party B2B mailings
Permission and relevancy standards should be as high for business lists as they are for consumer lists.

Sole traders and some partnerships have the same data protection and privacy protection as consumers, whereas Limited companies and larger organisations fall under different regulations. Not all UK-listed companies and recipients are based in the UK! Companies often have offices or servers in more than one country and because it is common for people to travel and pick up email

The upshot is that although it is legal to buy, sell and use business lists for marketing, you need to be mindful of how, why, where and when the data was collected, and that you use a data vendor who can work with you to provide you with data relevant and appropriate for your needs.


The updated ICO guidance may be making headlines and the ICO is undoubtedly becoming more active in enforcement, but it doesn’t really change best practice for direct marketing or for customer acquisition:

Whether you are sourcing data for a B2B or B2C campaign, make sure you choose a data vendor who is ICO registered, who is a member of the UK DMA and who can work with you to source the best, targeted data for your needs.

Many list sellers in the industry are rightly concerned about conforming to some of these new standards, but if you ensure you are working with a real data consultant (those who provide services in profiling, cleansing, segmenting and targeting) then you are much more likely to be in safe hands.

Remember that in practice, it is not just about adhering to the law, but what you can prove, your customers’ expectations and their standards; and of course, your company reputation. This means that your standards should always be higher than the minimum legal standards, regardless of how the laws or guidance change.

Blog written by Steve Henderson
Member of DMA Email Council Legal and Best Practice Hub & Compliance Officer at Communicator