The Strands of a GDPR-Compliant Marketing Strategy?

I originally wrote this article earlier in the year and have updated it in light of new clarifications from the ICO and DMA. The strategy I suggest seems robust and GDPR-compliant. Any comments?

If you like what you read, get in contact to discuss how Kudos can help with your Privacy and Data Usage policies and statements, Legitimate Interests Assessments, Consent and data management and much more!

There have been some interesting developments recently in the charity sector, and this article pulls some of those strands together, as they form the basis of a solid future strategy that relates to all sectors (assuming the ICO agrees – caveat, caveat!).

Strand 1

Let’s start with the RNLI “opt-in only” strategy, initiated 18 months ago. That was a brave move, taken in the knowledge that it would lose RNLI income (£35.6million over 5 years was their forecast). It was a move driven by the wish to reduce their reliance on direct mail and by what was felt to be an ethical approach to fundraising. But it seems that RNLI are reviewing that decision in light of GDPR. More info here

In March 2017, the charity said that the opt-in only campaign had achieved a response rate of 32.6 per cent, more than triple the 10.4 per cent response rate from the charity’s 2015 summer campaign. It also said that the average donation in 2016 was £8.39, almost triple the £2.94 average donation from the previous year’s appeal.

RNLI also said the charity’s net income ratio had improved since the move to opt in, as it was “spending less by contacting fewer of those individuals who had a lower propensity to respond” previously.

Despite this, the appeal raised just £526,000, compared with over £800,000 in 2015.


Strand 2

The Direct Marketing Association has said that focusing purely on a fully opted-in consent model for fundraising is “not totally necessary” under GDPR, as it is only one of six legal grounds on which personal data can be processed.

John Mitchison, Head of Preference Services, Compliance and Legal at the Direct Marketing Association, said last week: “You may have a significant part of your database for which you’ve never really bothered to collect consent and maybe you only deal with them on a direct mail basis, and you may want to just continue doing that and that’s perfectly fine to do under the basis of legitimate interest.”

Mitchison however warned that processing data under legitimate interest was not “a get out of jail free card” which could be used to “mail anybody”. He said that organisations wishing to process data based on legitimate interest must “make sure that the legitimate interest of your organisations is balanced against the rights of the consumer; that it’s reasonable and you provide an unsubscribe option so the person can stop whenever they want to”.

He said organisations currently relying on consent to legally process personal data would need to go through a “recommissioning process, as your current consent is almost certainly not going to be valid” after GDPR comes into force in May 2018. Unlucky RNLI!

And remember – PECR requires that you have positive consent (opt-in) for email and telephone communications. Legitimate Interests cannot be used for these channels – you must have consent. If you have acquired consent via pre-ticked boxes or as a mandatory requirement to provide information, this will not be acceptable under GDPR – you need to re-permission them.


Strand 3

The ICO has fined a number of charities for the wording in their Fair Processing notices, relating to enhancing their Supporter records by appending information such as age, income, house price, etc. This is then used to profile Supporters and target the suitable ones, whilst excluding the unsuitable Supporters. Note that the practice of appending and targeting (i.e. profiling) is not the issue – the fines relate to the wording of their Data Usage policies. An example is here from the ICO website – see point 41.

Profiling and targeting sounds very sensible to me and is what every industry has always done and continues to do – with the exception now of the charity sector, which has largely stopped this practice recently, due to the fear of being clobbered by the ICO.

The result? Higher operational costs due to mass marketing instead of targeted marketing. Supporters receiving more communications that are irrelevant to them (“junk mail”?). Lower ROI. Hmmm, doesn’t sound good, does it? It’s regressive direct marketing.

So make sure your privacy policies and data usage statements are accurate and cover this use!


Strand 4

So what do the DMA and ICO say about it? Mitchison (DMA) also spoke about the recent series of fines issued by the Information Commissioner’s Office to 13 charities for various data protection breaches, including some third-party data profiling and wealth screening.

He said the problem with this was “nobody can really define what profiling is. It’s quite clear that the ICO don’t know what profiling is either, because they’ve just sent out a paper asking stakeholders to inform them of what they do and what they consider profiling to be”.

The ICO has yet to announce when it will publish its guidance on data profiling under GDPR, but Mitchison said he expected the final guidance to grade data profiling activities “on a spectrum”.

“What we at the DMA expect is that profiling will be judged on a spectrum, with the use of plain data for segmentation and basic selections at one end and the more intrusive activities – like scraping a person’s Facebook page to append further data – at the other end, due to it being obviously more intrusive”.

So we await clarity on this point from the ICO and pray that common sense prevails and they agree with the DMA view.


Strand 5

GDPR states that an individual must be made aware of the use of their data by an organisation in its usage and privacy statement and given the clear opportunity to opt out. It seems, however, that under GDPR positive consent (i.e. opt-in) is only required if the profiling activities in question “produce legal effects” or “significantly affect” a data subject (Art 22(1)). Whether enhancement, profiling and targeting as I described earlier falls under this definition remains to be seen.

Ted Sheils, Data Protection and Privacy Officer at TSB Bank, states: “Profiling is defined in GDPR article 4 as: “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Paragraph 58 of the recital states: “The data subject should have the right not to be subject to a decision…which is based solely on automated processing, which produces legal effects… or similarly significantly affects him or her, like automatic refusal of an on-line credit application…without any human intervention. In any case, such processing should be subject to suitable safeguards, including…the right to obtain human intervention…to get an explanation of the decision reached after such assessment and the right to contest the decision.”

GDPR seeks to regulate rather than prohibit profiling. If your profiling produces “legal effects” or “significantly affects” a data subject, then Data Controllers are required to implement suitable measures to protect data subjects’ rights, freedoms and legitimate interests. This applies to uses of profiling such as deciding whether to provide credit, or a mortgage application, where the decision is based solely on the automated processing (profiling) of the data. It would be appropriate for Data Controllers wishing to comply with GDPR’s profiling requirements to notify the data subject, at the time the decision based on profiling is communicated, of his / her entitlement (i) to have the decision explained, (ii) to express his / her point of view, (iii) to contest the decision, and (iv) to have the decision reviewed with an element of human intervention.

If you managed to get through the last few paragraphs of legal-speak, it does seem clear to me that the DMA is correct – “profiling” is a spectrum and our use of the word for enhancements/targeting is VERY different to the definition of profiling in GDPR article 4.


NOW FOR THE INTERESTING BIT! If the ICO agree with the DMA, then we have the basis for a solid strategy that combines quality and quantity:

1)   Opted-in Consumers are more responsive and give more. You can use opt-in as a measure of engagement and loyalty. You can segment your audience based on it. They will give you the best ROI. And you need it for email and telephone marketing. So get asking for consent to email and/or telephone your consumers. Quickly! These are your QUALITY segments.

2)   But the RNLI case study shows that you probably won’t have enough opted-in Consumers. This is often because the Consumer doesn’t actually understand why you are asking for consent – they’ve never heard of GDPR! So get out there and educate your Consumers. Show them you are “doing consent well”.

3)   Undertake a Legitimate Interest Assessment for using Direct Mail marketing. If your LIA case is valid, use this channel, but give them the opportunity every time to opt out. They won’t respond as well, they won’t give as much, and the ROI will be lower. But you will have a lot of them and the income they produce will be substantial. These are your QUANTITY segments. Remember this applies to direct mail, not email or telephone, as these are opt-in channels under PECR.

4)   Enhance your records from reputable sources and suppliers and undertake profiling to target those with suitable characteristics. Let’s call these Profiled Targets. But ensure your Data Usage, Privacy Policy wording and Fair Processing notices are clear. And undertake due diligence on the data suppliers and their data.

5)   Create a Consent Journey for your Consumers that dovetails with your Customer/Supporter Journey. As they move along the Consent Journey, you will move Consumers from “Profiled Targets” to “Quantity Segments” to “Quality Segments”. And each cluster of Consumers gets steadily more profitable as they go.

6)   Maximising opt-in rates will open up a new Marketing front that requires consent statements to undergo rigorous split-cell testing and roll-out processes. Consent requires segmentation and analysis – just like the creative and audience-targeting elements of your Marketing campaigns. A consent statement that appeals to a younger audience will probably be different to the wording that appeals to an older audience, etc.


Kudos believe that “Doing consent well” will enhance your brand reputation. In the future it will be expected by consumers. Those companies that don’t do it well will fall by the wayside. Consumers will expect organisations to use their data appropriately. And they want some say in what you hold on them, why you hold it and what you do with it. According to the Information Commissioner’s Office, “Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation”.

Kudos have a vision of putting consumers in control of the use of their data – that it is fundamentally an ethical and morally correct concept. Consumers want change and they will appreciate and value the brands that clearly give them choice and control.

We also believe that more value must be placed on quality over quantity. Data is a valuable asset, but only with the consent to use it. In the face of tighter UK regulation and the impending General Data Protection Regulation (GDPR), the days of holding bulk records with dubious consent are over. Data is an asset, but it also presents a business risk. The focus must now be on accurate and permissioned data, which will become a premium commodity in and of itself.


GDPR sets a high standard for consent…


“Doing consent well should put individuals in control, build Consumer trust and engagement, and enhance your reputation.”



Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.

Consent means offering individuals genuine choice and control.

Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.

Explicit consent requires a very clear and specific statement of consent.

Keep your consent requests separate from other terms and conditions.

Be specific and granular. Vague or blanket consent is not enough.

Be clear and concise.

Name any third parties who will rely on the consent.

Make it easy for people to withdraw consent and tell them how.

Keep evidence of consent – who, when, how, and what you told people.

Keep consent under review, and refresh it if anything changes.

Avoid making consent a precondition of a service.

Public authorities and employers will find using consent difficult.

Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.


For more details, give James Squires a call on 0330 043 1593 or email