Guidance on direct marketing (email, post or SMS) at Progress Housing Group
This guidance covers any advertising, promotional or marketing communications sent by Progress Housing Group (PHG) or its subsidiary brands or companies to a specific individual’s home address, personal or work mobile phone (SMS), or personal or work email address.
The term 'direct marketing' refers to the communication of promotional material which is directed to particular individuals either:
- Electronically including email, mail and text (SMS)
- Direct mail whereby post communications are addressed to an individual household who have been selected based on profiling and targeting.
- What is 'direct marketing'?
- What is and is not covered by 'direct marketing'?
- What direct marketing activities does PHG carry out?
- What rules apply to PHG's direct marketing activities?
- What steps do I need to take in order to carry out direct marketing activities?
- What additional steps do I need to take for specific types of direct marketing?
- How do I obtain an individual's consent for marketing purposes?
- Do I need to maintain a list of people who have opted out of marketing?
- Can I use publicly available data for marketing purposes?
- Can I use marketing lists obtained from third parties?
- Can I share personal data with third parties for marketing purposes?
- What if I want to send marketing for fundraising purposes?
- Do I need to carry out a data protection impact assessment?
- Who can I contact for further information?
1. What is 'direct marketing'?
The term 'direct marketing' refers to the communication of promotional material which is directed to particular individuals.
This definition is wider than you might expect and covers any advertising, promotional or marketing material sent by Progress Housing Group (PHG) or its subsidiary brands or companies to a specific individual (who may be an employee of another organisation).
Direct marketing is not confined to communications sent in a commercial context, e.g. in relation to the provision of services – it also includes information that promotes our brand values, aims and objectives.
2. What is and is not covered by 'direct marketing'?
Within PHG, we talk in general terms about internal marketing and external marketing.
Internal marketing is generally used to mean communications to PHG employees relating to their experience as an employee. Other than in exceptional cases, communications to PHG employees do not amount to direct marketing.
External marketing is generally used to mean communications to individuals that are not current PHG employees. The most common examples of external marketing at PHG are communications sent to (i) prospective customers, (ii) existing tenants or customers, (iii) organisations or (iv) individuals that PHG consider may be interested in the services provided by PHG.
In most instances PHG's external marketing activities do amount to direct marketing. The one obvious exception is external marketing that is not directed at a specific individual – such as a marketing email sent to a generic email address or displaying posters in communal areas.
3. What direct marketing activities does PHG carry out?
PHG undertakes a broad range of direct marketing activities.
- Promoting our services such as Progress Lifeline and Progress Futures to prospective customers
- Promoting our brand values and successes via the tenants’ newsletters
- Promoting PHG events externally
- Targeted campaigns to specific groups such as those in arrears or under-occupying properties
- Targeted communications at stakeholders and partners (individuals)
This marketing takes many forms, e.g. via SMS, email, social media and mail.
4. What rules apply to PHG's direct marketing activities?
The main pieces of legislation currently governing PHG’s direct marketing activities are:
- Data protection rules: the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018); and
- Marketing specific rules: the UK Privacy and Electronic Communications Regulations (PECR).
The GDPR and DPA 2018 govern how you may process personal data such as names, contact details and any other information that relates to an identifiable living individual. This includes where you use that information in a direct marketing context, e.g. when sending a direct marketing email or organising an event.
PECR imposes several obligations on organisations in respect of specific types of direct marketing – for example, electronic and telephone based direct marketing – which apply in addition to the requirements of the GDPR.
5. What steps do I need to take in order to carry out direct marketing activities?
The steps that you must take in respect of all types of direct marketing communications are set out below.
a) Provide a privacy notice
You must inform the individuals who will receive the marketing communication that you will use their personal data for marketing purposes. This is usually done by giving the individual a privacy notice, which describes how you will market to them as well as setting out other relevant privacy information. Please see the template here for further guidance on privacy notices.
Where the personal data to be used for marketing purposes is collected by PHG directly from the individual then this information must be provided to the individual at the time of collection.
Where it has been collected via indirect means, such as via LinkedIn, the information must be provided at the time of the first communication with the individual.
b) Establish a legal basis for processing
You must establish that one of the lawful bases for processing personal data set out in current data protection laws applies. The two most appropriate lawful bases to rely upon in most marketing contexts are 'legitimate interests' and 'consent'. Where possible, the legitimate interests basis for processing should be used to justify PHG's direct marketing activities. However, there will be circumstances in which PHG will not be able to rely upon legitimate interests for its marketing activities. Where marketing activities are undertaken using the legitimate interests lawful basis for processing, you will need to complete PHG's DPIA document here. This involves following a series of steps, including identifying the interest, conducting a necessity test and balancing the interests with privacy rights of individuals before the marketing activity takes place. If these steps are not followed, the processing is unlikely to be lawful.
Consent should be used as the lawful basis for marketing only as a last resort, where no other lawful basis is available. This is because it is very difficult to establish that consent has been validly obtained and consent may be withdrawn by an individual at any time.
However, for certain marketing activities, consent is likely to be the only lawful basis for processing available to PHG. For example:
a) where specific direct marketing legislation requires PHG to obtain consent from an individual (see below for further detail on this point), the most appropriate lawful basis for processing the individual's personal data in relation to those marketing activities under current data protection laws will also be consent; and
b) where an individual would not reasonably expect their personal data to be used by PHG for direct marketing purposes, given the circumstances in which their personal data was collected by PHG, then consent is likely to be the only lawful basis available to PHG to justify its marketing activities.
Please see the PHG Data Protection Policy, in particular the 'The Legal basis for processing Personal Data' section, which sets out further information on the different lawful bases for processing.
c) Comply with the other data protection principles
You will need to act in accordance with the key principles set out in data protection law in respect of all personal data that you process. In addition to providing a privacy notice and establishing a lawful basis for processing, which will assist PHG to fulfil its obligations in relation to the 'lawfulness, fairness and transparency' principle, you must comply with the following:
Purpose limitation:
Under current data protection laws, personal data must be collected for specified purposes. This means that PHG cannot easily use data it holds for marketing purposes if that data was originally collected for an entirely different purpose. For example, if you are organising an event and you collect personal data in order to administer that event, you cannot subsequently decide to use this data for marketing purposes – the relevant individuals would not have been informed of this future use at the time when the data was collected, and it would not be fair to process their data in this way;
Data minimisation:
Where you are collecting and/or processing personal data for marketing purposes, you must ensure that the data is adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. For example, if you plan to send an email newsletter to tenants and customers advertising a particular opportunity, you will need to collect and process information such as names, email addresses and potentially also which opportunities those individuals are interested in, but further information about their ethnicity or health etc. is unlikely to be required and should not therefore be collected;
Accuracy:
Personal data used for marketing purposes, e.g. marketing lists, should be kept accurate and up to date;
Storage limitation:
If you collect personal data for marketing reasons then you cannot keep it indefinitely – you will need to consider how long PHG actually needs to retain that information for. Please see PHG's Records Retention Schedule here for further information on retention periods.
Integrity and confidentiality:
Personal data, including where it is collected for marketing purposes, must be kept securely on PHG systems. Please see PHG's Information Security Policy here and our Data Protection Policy here for further information on holding personal data securely.
d) Comply with individuals' rights under data protection laws
Individuals may object to the use of their personal data for direct marketing purposes under current data protection laws.
If an individual exercises their right under the GDPR to object to the use of their personal data for marketing purposes (rather than simply opting out of receiving marketing communications), you must inform PHG's Data Protection Team as soon as possible at firstname.lastname@example.org and PHG will be obliged to stop processing the individual's personal data for marketing purposes. PHG's data protection officer will help you to put appropriate measures in place to ensure that the request is complied with.
6. What additional steps do I need to take for specific types of direct marketing?
There are additional steps you need to take where you carry out direct marketing by:
- Electronic means (for example, email or text)
- Live telephone calls
- Automated telephone calls
This guidance note sets out the additional steps required for the most common types of direct marketing carried out at PHG.
For some types of direct marketing, the steps you need to take will depend upon the status of the individual you are targeting. There are two main types of individual for the direct marketing rules:
- Individual subscriber:
This is a person that is contacted by PHG for direct marketing purposes either in their capacity as an individual, a sole trader or a partner in certain types of partnership. An example of an individual subscriber is a prospective or current tenant that is contacted by PHG in connection with a service that may be of interest to them.
- Corporate subscriber:
This is a person that is contacted by PHG for direct marketing purposes in their capacity as an employee of a business or government body. An example of a corporate subscriber is an employee of a company which PHG contacts to request funding from the company.
a) Electronic marketing (e.g. by email or text)
Individual subscribers only
You must not send electronic marketing communications to individual subscribers unless:
- The individual subscriber has specifically consented to receive electronic marketing from PHG (see below for further information on consent); or
- All of the following criteria for the so-called 'soft opt-in' are satisfied:
a) The individual subscriber has previously received products or services from PHG (e.g. they have previously accessed a PHG service or attended a PHG event), or
b) they have entered into negotiations for PHG products or services;
c) the marketing relates to a similar product or service provided by PHG; and
d) you gave the individual subscriber a simple way to opt out of marketing when you initially took their details.
Corporate subscribers only
You must not send electronic marketing communications to a corporate subscriber who has informed PHG that they do not wish to receive our electronic marketing.
Both individual subscribers and corporate subscribers
You must include PHG's identity and contact details in all electronic marketing communications. In each marketing message you send you must include an option for the recipient to opt-out of receiving future marketing messages from PHG. It is also good practice to include a link to the relevant PHG privacy notice in the marketing message.
b) Live marketing calls
Individual subscribers only
You must not make unsolicited live marketing calls to:
a) An individual subscriber who has informed PHG that they do not wish to receive our calls; or
b) Any number registered with the 'Telephone Preference Service' (a central register of individuals who have opted out of receiving live marketing calls) unless the individual subscriber has specifically consented to PHG’s calls.
Corporate subscribers only
You must not make unsolicited live marketing calls to:
a) A corporate subscriber who has informed PHG that they do not wish to receive our calls; or
b) Any number registered with the 'Corporate Telephone Preference Service' unless the corporate subscriber has specifically consented to PHG’s calls.
Both individual subscribers and corporate subscribers
You must always say who is calling, allow PHG's number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked. It is also good practice to explain to the individual where they can find a copy of the relevant PHG privacy notice.
c) Marketing by post
You must not send mail to anyone who has informed PHG that they do not wish to receive our postal marketing. You should also screen against the Mail Preference Service to ensure that you are not sending postal marketing to anyone listed unless the person has specifically consented to receiving marketing by post from PHG. All letters must clearly set out PHG's identity and contact details. Recipients must also be made aware in every letter that they can opt-out of receiving further letters, and how they can exercise this option (e.g. by calling, emailing or writing to PHG) using the contact details provided. It is also good practice to explain to the individual in the letter where they can find a copy of the relevant PHG privacy notice.
7. How do I obtain an individual's consent for marketing purposes?
Any consent obtained by PHG for marketing purposes must be:
a) Freely given, specific, informed and unambiguous. The individual must clearly have consented to the processing of their personal data by PHG for marketing purposes;
b) Separate from other terms and conditions;
c) Obtained via an active opt-in, e.g. ticking a box or clicking a button;
d) Granular, distinguishing between different processing and purposes (e.g. different types of marketing);
e) Obtained using clear, intelligible language;
f) Easy to withdraw; and
g) Refreshed on a regular basis.
8. Do I need to maintain a list of people who have opted out of marketing?
You should maintain a 'suppression list' of people who have opted out of or objected to receiving marketing. This is not the same as saying that you have to delete all personal details of the individuals concerned. To the contrary, you have a positive obligation: (i) to retain enough information about the relevant individuals to ensure that PHG does not send marketing to people on the list and (ii) to keep those details up to date.
In order to comply with data protection legislation, we must not retain this suppression list data for longer than is required for the purpose. When determining an appropriate retention period, you should therefore consider how long the risk of someone being re-added in error to a PHG marketing list might remain.
You should log any request for opting out with Service Desk so that it can be flagged and recorded in QLx.
9. Can I use publicly available data for marketing purposes?
There is no straightforward answer to this question, and the answer will depend upon where the data has been collected from and what marketing activities you want to carry out using that data. As a starting point, a good rule of thumb is to ask yourself if it is reasonable to assume that a person who makes their contact details publicly available via that source has done so on the understanding that those details may be used by PHG to contact them for the intended marketing activities.
If the answer to this question is no, then it is highly unlikely that you will be able to use those details lawfully for marketing purposes. If the answer is yes, then it is much more likely that you will be able to use those details lawfully for marketing purposes. An example where the answer is likely to be yes is information collected about an individual from LinkedIn where you wish to contact that individual for B2B marketing purposes in their capacity as an employee of a business.
For specific advice on the lawful use of publicly available data for a particular marketing activity you wish to carry out, please contact the Data Protection Team at email@example.com.
10. Can I use marketing lists obtained from third parties?
We do not recommend using marketing lists provided by third parties. This is because it is difficult to be sure that the third party provider has taken the appropriate steps and obtained all appropriate consents to allow PHG to market to individuals on the list.
11. Can I share personal data with third parties for marketing purposes?
You should not generally share personal data that you have collected with third parties for marketing purposes. There may be some circumstances in which this is permissible, e.g. where the relevant individuals were informed of this data sharing at the time that you collected the data, all data protection principles have been complied with and appropriate consents were obtained in respect of the marketing to be carried out by that other organisation. However, this is a risk for PHG and we do not recommend sharing data with third parties in a marketing context.
12. Do I need to carry out a data protection impact assessment?
A data protection impact assessment (DPIA) must be carried out before you process personal data in a way that is likely to result in a high risk to the rights and freedoms of individuals. For example:
- when conducting ‘large scale’ profiling of individuals for marketing purposes
- matching datasets for marketing purposes
- processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
- using geo-location data for marketing purposes
- tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes
- targeting children or other vulnerable individuals for marketing purposes
If you are unsure whether any proposed marketing activities will require you to carry out a DPIA, please see our DPIA screening questions below.
When carrying out a DPIA for marketing, you must be able to:
- describe the nature, scope, context and purposes of what you are planning to do
- assess its necessity, proportionality and any compliance measures in place
- identify and assess risks to individuals
- identify any additional measures which may be appropriate to mitigate any risks
13. Who can I contact for further information?
We hope that you find this guidance helpful. If you require any further information on the issues raised in this document, please contact the Data Protection Team at firstname.lastname@example.org.
DPIA screening questions: direct marketing activity
To determine whether you will need to complete a DPIA, complete the following screening questions. If the answer to any of these is 'yes', then a DPIA is required.
- Will the marketing activity involve the collection of new information about individuals?
- Will the marketing activity require individuals to provide information about themselves?
- Will information about individuals be shared with organisations or people who have not previously had routine access to the information?
- Will the marketing activity use information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
- Does the marketing activity involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
- Will the marketing activity result in you making decisions or treating individuals in ways which can have a significant impact on them?
- Is the marketing activity likely to raise privacy concerns or expectations? For example, targeting individuals using sensitive tenancy information that people would consider to be particularly private, such as disability, employment status, benefits, or flags such as domestic abuse.
- Will the marketing activity require direct contact with individuals in ways they may find intrusive, for example, unexpected telephone calls or the promotion of an unrelated service?
- Will the marketing activity use personal data, including personal data obtained from live or operational systems for access or transfer outside the UK (e.g. use of Cloud, Hybrid or offshore support purposes)?
- Will the marketing activity involve processing special category personal data?
- Does the marketing activity involve directly targeting individuals who have not explicitly opted in to marketing?
- Does the marketing activity involve promoting a service that the individual is not familiar with or isn't part of their established relationship with PHG? e.g. marketing Progress Futures or Progress Lifeline services to existing tenants.