Email marketing

Email marketing and data protection


Under the Data Protection Act 2018, you must not allow a third party access to personal information kept in your database. However, you can provide personal information to a third party if:

  • an individual on the database asks somebody else - eg their solicitor - to obtain personal information on their behalf
  • your business outsources the processing of personal information - for example, payroll or customer mailing
  • the police need it as part of an investigation

The UK General Data Protection Regulation (UK GDPR) sits alongside the Data Protection Act 2018 and sets out rules on processing and safeguarding personal data.

Outsourcing the processing of personal information

If you outsource certain processes that need access to your database of personal information - eg for email marketing - your business will remain liable for the information and keep full control over its use. In the event of a Data Protection Act 2018 breach, you are liable. See reporting serious breaches of personal data.

Protect customers' personal information

You must take the appropriate measures to protect the personal information you have, whether or not you process it yourself or outsource it. In order to decide what measures are appropriate, you should consider:

  • what type of information you have
  • what harm or damage could be caused from its misuse
  • what technology is available to protect the information
  • how much it would cost to ensure an appropriate level of information security

Under the Data Protection Act individuals and organisations that process personal information need to register with the Information Commissioner's Office (ICO) and pay a fee, unless they are exempt. 

If you employ another business to process personal information for you, you must obtain evidence from them that they can do so in a secure manner. It is also highly recommended that you regularly check this yourself.

In order to ensure compliance with GDPR and information security, you must have a written contract with them, which:

  • sets out the nature, duration, purposes and categories or types of personal data being processed
  • ensures they are bound by a duty of confidentiality in relation to the personal information
  • ensures they only use and disclose personal information in line with your instructions
  • requires them to take appropriate security measures to your standards
  • ensures they return or delete all the personal information upon ending the contract
  • assists you in your compliance with GDPR in relation to the personal information

If you outsource processes to a business outside the European Economic Area, you will have to take further measures.