The term 'direct marketing' refers to the communication of advertising or marketing material which is directed to particular individuals
What is 'direct marketing'
What is and is not covered by 'direct marketing'?
What direct marketing activities does UCL carry out?
What rules apply to UCL's direct marketing activities?
What steps do I need to take in order to carry out direct marketing activities?
What additional steps do I need to take for specific types of direct marketing?
How do I obtain an individual's consent for marketing purposes?
Do I need to maintain a list of people who have opted out of marketing?
Can I use publically available data for marketing purposes?
Can I use marketing lists obtained from third parties?
Can I share personal data with third parties for marketing purposes?
I want to send marketing to alumni or for fundraising purposes UCL's alumni department deals with our alumni programme and fundraising.
Do I need to carry out a data protection impact assessment?
Who can I contact for further information?
The term 'direct marketing' refers to the communication of advertising or marketing material which is directed to particular individuals.
This definition is wider than you might expect and covers any advertising, promotional or marketing material sent by UCL to a specific individual (who may be an employee of another organisation). Direct marketing is not confined to communications sent in a commercial context, e.g. in relation to the provision of goods or services – it also includes promoting UCL's aims and objectives.
Within UCL, we talk in general terms about internal marketing and external marketing. Internal marketing is generally used to mean (i) communications to UCL staff relating to their experience as a member of staff and (ii) communications to enrolled UCL students relating to their experience as a student, but not necessarily related to their actual course (for example, making students aware of a seminar on resilience or a careers event). Other than in exceptional cases, communications to UCL staff do not amount to direct marketing.
Whilst there are likely to be more circumstances in which communications sent to enrolled UCL students could be viewed as direct marketing, in general communications to enrolled students do not amount to direct marketing; but should rather be seen as activities that form part of UCL's complete student experience for enrolled students and that, in most instances, look to further UCL's core purposes of education, research and innovation (please see UCL's Statement of Tasks in the Public Interest here for further information).
External marketing is generally used to mean communications to individuals that are not current UCL staff members or enrolled UCL students. The most common examples of external marketing at UCL are communications sent to (i) prospective students, (ii) alumni, (iii) philanthropists or (iv) individuals that UCL consider may be interested in courses, training or events offered by UCL.
In most instances UCL's external marketing activities do amount to direct marketing. The one obvious exception is external marketing that is not directed at a specific individual – such as a marketing email sent to a generic email address like email@example.com.
UCL undertakes a broad range of direct marketing activities. Examples include:
Promoting our programmes of study to prospective students;
Advertising alternative courses to individuals who previously expressed an interest in a particular UCL course, or who have applied unsuccessfully for a similar course;
Promoting UCL events, such as lectures or courses, externally;
Targeted marketing to professionals for courses or invites to events relevant to their current employment;
Marketing additional programmes to alumni.
This marketing takes many forms, e.g. via SMS, email, social media and post.
The main pieces of legislation currently governing UCL’s direct marketing activities are:
Data protection rules: the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018); and
Marketing specific rules: the UK Privacy and Electronic Communications Regulations (PECR).
The GDPR and DPA 2018 govern how you may process personal data such as names, contact details and any other information that relates to an identifiable living individual. This includes where you use that information in a direct marketing context, e.g. when sending a direct marketing email or organising an event.
PECR imposes several obligations on organisations in respect of specific types of direct marketing – for example, electronic and telephone based direct marketing – which apply in addition to the requirements of the GDPR.
The steps that you must take in respect of all types of direct marketing communications are set out below.
a) Provide a privacy notice
You must inform the individuals who will receive the marketing communication that you will use their personal data for marketing purposes. This is usually done by giving the individual a privacy notice, which describes how you will market to them as well as setting out other relevant privacy information. Please see the UCL website here and here for further guidance on privacy notices.
Where the personal data to be used for marketing purposes is collected by UCL directly from the individual then this information must be provided to the individual at the time of collection.
Where it has been collected via indirect means, such as via LinkedIn, the information must be provided at the time of the first communication with the individual.
b) Establish a legal basis for processing
You must establish that one of the legal bases for processing personal data set out in current data protection laws applies. The two most appropriate legal bases to rely upon in most marketing contexts are 'legitimate interests' and 'consent'. Where possible, the legitimate interests basis for processing should be used to justify UCL's direct marketing activities. However, there will be circumstances in which UCL will not be able to rely upon legitimate interests for its marketing activities. Where marketing activities are undertaken using the legitimate interests legal basis for processing, you will need to follow UCL's guidance here, This involves following a series of steps, including identifying the interest, conducting a necessity test and balancing the interests with privacy rights of individuals before the marketing activity takes place. If these steps are not followed, the processing is unlikely to be lawful.
Consent should be used as the legal basis for marketing only as a last resort, where no other legal basis is available. This is because it is very difficult to establish that consent has been validly obtained and consent may be withdrawn by an individual at any time.
However, for certain marketing activities, consent is likely to be the only legal basis for processing available to UCL. For example:
where specific direct marketing legislation requires UCL to obtain consent from an individual (see below for further detail on this point), the most appropriate legal basis for processing the individual's personal data in relation to those marketing activities under current data protection laws will also be consent; and
where an individual would not reasonably expect their personal data to be used by UCL for direct marketing purposes, given the circumstances in which their personal data was collected by UCL, then consent is likely to be the only legal basis available to UCL to justify its marketing activities.
Please see the UCL website here for data protection law FAQs, in particular 'the processing personal data' section which sets out further information on the different legal bases for processing.
c) Comply with the other data protection principles
You will need to act in accordance with the key principles set out in data protection law in respect of all personal data that you process. In addition to providing a privacy notice and establishing a legal basis for processing, which will assist UCL to fulfil its obligations in relation to the 'lawfulness, fairness and transparency' principle, you must comply with the following:
Purpose limitation: under current data protection laws, personal data must be collected for specified purposes. This means that UCL cannot easily use data it holds for marketing purposes if that data was originally collected for an entirely different purpose. For example, if you are organising an event and you collect personal data in order to administer that event, you cannot subsequently decide to use this data for marketing purposes – the relevant individuals would not have been informed of this future use at the time when the data was collected, and it would not be fair to process their data in this way;
Data minimisation: where you are collecting and/or processing personal data for marketing purposes, you must ensure that the data is adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. For example, if you plan to send an email newsletter to prospective students advertising a particular course, you will need to collect and process information such as names, email addresses and potentially also which course(s) those individuals are interested in, but further information about their ethnicity or health etc. are unlikely to be required and should not therefore be collected;
Accuracy: personal data used for marketing purposes, e.g. marketing lists, should be kept accurate and up to date;
Storage limitation: if you collect personal data for marketing reasons then you cannot keep it indefinitely – you will need to consider how long UCL actually needs to retain that information for. Please see UCL's Records Retention Schedule here for further information on retention periods; and
Integrity and confidentiality: personal data, including where it is collected for marketing purposes, must be kept securely on UCL systems. Please see UCL's Information Security Policy here and our Data Protection Policy here for further information on holding personal data securely.
d) Comply with individuals' rights under data protection laws
Individuals may object to the use of their personal data for direct marketing purposes under current data protection laws.
If an individual exercises their right under the GDPR to object to the use of their personal data for marketing purposes (rather than simply opting out of receiving marketing communications), you must inform UCL's data protection team as soon as possible at firstname.lastname@example.org and UCL will be obliged to stop processing the individual's personal data for marketing purposes. UCL's data protection team will help you to put appropriate measures in place to ensure that the request is complied with.
There are additional steps you need to take where you carry out direct marketing by:
- Electronic means (for example, email or text);
- Live telephone calls;
- Automated telephone calls; or
This guidance note sets out the additional steps required for the most common types of direct marketing carried out at UCL – which means it does not cover fax marketing or automated telephone calls.
For some types of direct marketing, the steps you need to take will depend upon the status of the individual you are targeting. There are two main types of individual for the direct marketing rules:
- Individual subscriber: this is a person that is contacted by UCL for direct marketing purposes either in their capacity as an individual, a sole trader or a partner in certain types of partnership. An example of an individual subscriber is a prospective or past student that is contacted by UCL in connection with a course that may be of interest to them.
- Corporate subscriber: this is a person that is contacted by UCL for direct marketing purposes in their capacity as a member of staff of a business or government body. An example of a corporate subscriber is an employee of a company which UCL contacts to request funding from the company.
a) Electronic marketing (e.g. by email or text) Individual subscribers only
You must not send electronic marketing communications to individual subscribers unless: •
- The individual subscriber has specifically consented to receive electronic marketing from UCL (see below for further information on consent); or
- All of the following criteria for the so-called 'soft opt-in' are satisfied: o the individual subscriber has previously received products or services from UCL (e.g. they have previously studied on a UCL course or attended a UCL event),
- or they have entered into negotiations for UCL products or services;
- the marketing relates to a similar product or service provided by UCL; and
- you gave the individual subscriber a simple way to opt out of marketing when you initially took their details.
Corporate subscribers only
You must not send electronic marketing communications to a corporate subscriber who has informed UCL that they do not wish to receive our electronic marketing.
Both individual subscribers and corporate subscribers
You must include UCL's identity and contact details in all electronic marketing communications. In each marketing message you send you must include an option for the recipient to opt out of receiving future marketing messages from UCL. It is also good practice to include a link to the relevant UCL privacy notice in the marketing message.
b) Live marketing calls Individual subscribers only
You must not make unsolicited live marketing calls to: •
- An individual subscriber who has informed UCL that they do not wish to receive our calls; or
- Any number registered with the 'Telephone Preference Service' (a central register of individuals who have opted out of receiving live marketing calls) unless the individual subscriber has specifically consented to UCL’s calls.
Corporate subscribers only
You must not make unsolicited live marketing calls to:
- A corporate subscriber who has informed UCL that they do not wish to receive our calls; or
- Any number registered with the 'Corporate Telephone Preference Service' unless the corporate subscriber has specifically consented to UCL’s calls.
Both individual subscribers and corporate subscribers
You must always say who is calling, allow UCL's number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked. It is also good practice to explain to the individual where they can find a copy of the relevant UCL privacy notice.
c) Marketing by post
You must not make unsolicited live marketing calls to anyone who has informed UCL that they do not wish to receive our postal marketing. You should also screen against the Mail Preference Service to ensure that you are not sending postal marketing to anyone listed unless the person has specifically consented to receiving marketing by post from UCL. All letters must clearly set out UCL's identity and contact details. Recipients must also be made aware in every letter that they can opt out of receiving further letters, and how they can exercise this option (e.g. by calling, emailing or writing to UCL) using the contact details provided. It is also good practice to explain to the individual in the letter where they can find a copy of the relevant UCL privacy notice.
Any consent obtained by UCL for marketing purposes must be:
- Freely given, specific, informed and unambiguous. The individual must clearly have consented to the processing of their personal data by UCL for marketing purposes;
- Separate from other terms and conditions;
- Obtained via an active opt-in, e.g. ticking a box or clicking a button;
- Granular, distinguishing between different processing and purposes (e.g. different types of marketing);
- Obtained using clear, intelligible language;
- Easy to withdraw; and
- Refreshed on a regular basis.
You should maintain a 'suppression list' of people who have opted out of or objected to receiving marketing. This is not the same as saying that you have to delete all personal details of the individuals concerned. To the contrary, you have a positive obligation: (i) to retain enough information about the relevant individuals to ensure that UCL does not send marketing to people on the list and (ii) to keep those details up to date.
In order to comply with data protection legislation, we must not retain this suppression list data for longer than is required for the purpose. When determining an appropriate retention period, you should therefore consider how long the risk of someone being re-added in error to a UCL marketing list might remain.
There is no straight forward answer to this question, and the answer will depend upon where the data has been collected from and what marketing activities you want to carry out using that data. As a starting point, a good rule of thumb is to ask yourself if it is reasonable to assume that a person that makes their contact details publically available via that source has done so on the understanding that those details may be used by UCL to contact them for the intended marketing activities.
If the answer to this question is no then it is highly unlikely that you will be able to use those details lawfully for marketing purposes. If the answer is yes then it is much more likely that you will be able to use those details lawfully for marketing purposes. An example where the answer is likely to be yes is information collected about an individual from LinkedIn where you wish to contact that individual for B2B marketing purposes in their capacity as a member of staff of a business.
For specific advice on the lawful use of publically available data for a particular marketing activity you wish to carry out, please contact the data protection team at email@example.com.
We do not recommend using marketing lists provided by third parties. This is because it is difficult to be sure that the third party provider has taken the appropriate steps and obtained all appropriate consents to allow UCL to market to individuals on the list.
You should not generally share personal data that you have collected with third parties for marketing purposes. There may be some circumstances in which this is permissible, e.g. where the relevant individuals were informed of this data sharing at the time that you collected the data, all data protection principles have been complied with and appropriate consents were obtained in respect of the marketing to be carried out by that other organisation. However, this is a risk for UCL and we do not recommend sharing data with third parties in a marketing context.
12. I want to send marketing to alumni or for fundraising purposes UCL's alumni department deals with our alumni programme and fundraising.
Please contact the alumni department before carrying out any marketing aimed at alumni or any specific fundraising activities.
A data protection impact assessment (DPIA) must be carried out before you process personal data in a way that is likely to result in a high risk to the rights and freedoms of individuals. If you are unsure whether any proposed marketing activities will require you to carry out a DPIA, please see our DPIA screening questions and further guidance here.
We hope that you find this guidance helpful. If you require any further information on the issues raised in this document, please contact the data protection team at firstname.lastname@example.org.