GDPR: Processing Personal Data for Marketing Purposes

The UK GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 grant individuals significant control over how their personal data is processed, from rights relating to erasure (the ‘right to be forgotten’), data portability and objecting to automated decision-making and profiling, to strict measures relating to consent.

With potentially large penalties for non-compliance, including fines of up to 4% of annual global turnover or £17.5 million (whichever is greater), data protection law is clearly worth taking seriously.

But how do the Regulation’s requirements square with using personal data for marketing purposes?

What measures do you need to take to ensure your marketing team processes personal data lawfully? And how do you demonstrate that you have trained your marketing team in accordance with your obligation under the law?

GDPR definition of personal data

The GDPR’s definition of personal data is much broader than under the DPA 1998. It encompasses biometric, genetic and locational data, email addresses and online identifiers such as IP addresses.

For instance, a business email that allows you to identify an individual is in the Regulation’s scope.

However, some marketing also falls under the scope of the PECR (Privacy and Electronic Communications Regulations).

These rules apply even when you are not processing personal data, and take precedence over the GDPR where the laws overlap.

What are the PECR?

The PECR complement the UK GDPR and DPA 2018, setting out rules relating to:

  • Electronic marketing, including telephone calls, SMS messages, emails and faxes;
  • The use of website cookies to track visitors;
  • The security of public electronic communications services; and
  • The privacy of users of electronic communications services.

The PECR use the UK GDPR’s standard for consent – which must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.

So, if the PECR requires you to use consent to send electronic marketing communications, you must your customers to tick an opt-in box to confirm they want to receive marketing materials.

Lawfulness of processing

If you do not need consent under the PECR, you have five other options under the GDPR, which stipulates that personal data can only be processed:

  • If the data subject has given their consent;
  • To meet contractual obligations;
  • To comply with legal obligations;
  • To protect the data subject’s vital interests;
  • For tasks in the public interest; and
  • For the legitimate interests of the organisation.

You can use legitimate interests as your lawful basis for processing personal data under the GDPR – if you can demonstrate that your use of personal data “is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object”.

Data processing principles

The GDPR also sets out are six data processing principles, which govern how you process personal data. They cover:

  • Lawfulness, fairness and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation; and
  • Integrity and confidentiality.

When using personal data for marketing purposes, it is essential to meet these requirements.

For instance, data can only be used for the purpose for which it was collected, you should process only the data that you need in order to fulfil that purpose, and you shouldn’t retain that data for any longer than is absolutely necessary.

These rules mean that organisations can’t, for instance, collect a wide range of customer data just in case you might find it useful in future.

GDPR for Marketing Staff Awareness E-Learning Course

These and other considerations are explained in our GDPR for Marketing Staff Awareness E-Learning Course.

It helps your marketing team understand the importance of processing customer data lawfully and helps maintain and demonstrate your organisation’s GDPR compliance.

The course covers:

  • What to consider when collecting personal data.
  • Data subjects’ rights under the GDPR.
  • The different types of lawful basis and when to use them.
  • How and when to use consent.
  • What legitimate interest is and when it is not appropriate to use.
  • The difference between a contractual and marketing email.
  • How to audit your privacy notice.

learn more


  • Neil Ford

    Neil is IT Governance's copywriter. Punctilious about punctuation and scrupulous about syntax, he is nevertheless painfully aware of Muphry's Law. He writes about all IT governance subjects.