Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business or startup, direct marketing can feel like the fastest way to grow - build an email list, run SMS campaigns, retarget website visitors, and keep your brand front of mind.
But if you’re not careful, “growth marketing” can quickly turn into a GDPR headache.
The good news is you don’t need a legal team to get the basics right. You just need a clear system that matches how direct marketing under GDPR works in the UK, and how it interacts with other rules (especially PECR).
In this guide, we’ll walk you through what counts as direct marketing, what legal basis you can rely on, when you need consent, and how to build a compliant workflow that still converts.
What Counts As Direct Marketing Under UK GDPR?
When business owners hear “direct marketing”, they often think “email marketing”. In reality, the definition is broader - and that matters, because GDPR requirements for direct marketing can apply even when you’re not sending an email newsletter.
Direct Marketing Is Usually Any Marketing Sent Directly To Someone
Under UK data protection law, direct marketing generally means advertising or promoting your products/services directly to specific individuals. That can include:
- Email marketing (newsletters, promotions, product updates)
- SMS marketing
- Phone calls (including sales calls)
- Direct messages on social media (where personal data is involved)
- Targeted postal marketing
- Online targeted advertising where you’re using personal data (for example, customer lists uploaded for custom audiences)
It’s also worth noting that UK GDPR primarily protects individuals. Marketing to a generic business address (like info@company.co.uk) can raise different issues than marketing to a named person at work (like jane.smith@company.co.uk), but in practice many “business contacts” are still identifiable individuals - so GDPR can still apply.
“Personal Data” Is The Trigger
GDPR applies when you’re processing personal data. For marketing, that often includes:
- names
- email addresses
- mobile numbers
- purchase history and preferences
- website identifiers (like cookie IDs and device IDs, and sometimes IP addresses depending on how they’re used)
So even if you’re thinking “we’re just sending a discount code”, if you’re doing it to a list of identifiable people, you’re in direct marketing GDPR territory.
What Are Your Main Legal Obligations For Direct Marketing GDPR Compliance?
For UK businesses, compliance usually comes down to a few core duties under UK GDPR and the Data Protection Act 2018. You don’t need to memorise legislation - but you do need a workable checklist.
1) Be Clear, Fair And Transparent
You need to tell people:
- who you are
- what marketing you’ll send
- how you got their details
- the legal basis you’re relying on
- how they can opt out (and how to do it easily)
This usually means having a properly drafted Privacy Policy and making sure it matches your actual marketing activity (not just a generic template that doesn’t reflect how you operate).
2) Use Personal Data Only For Legitimate, Limited Purposes
You should collect and use data for a clear purpose. If the purpose changes (for example, you collected emails for order updates but later decide to add them to a marketing list), you need to check:
- is the new use compatible with what you originally told them?
- do you need fresh consent?
- can you rely on legitimate interests?
3) Keep Data Accurate And Up To Date
Marketing databases get messy fast. People change emails, change roles, or ask to unsubscribe. You need a system to:
- remove bounced/invalid contacts
- respect opt-outs promptly
- avoid re-adding unsubscribed people later through imports
4) Store Data Securely
If your mailing list is sitting in an unsecured spreadsheet, or you’re sharing customer lists freely with contractors, you’re taking on unnecessary risk. Security doesn’t have to be complicated - but it does need to be intentional (access controls, vendor due diligence, and sensible retention).
5) Respect Marketing Rights (Especially The Right To Object)
People have a strong right to object to direct marketing. Once they opt out, you generally need to stop marketing to them.
Practically, that means:
- every marketing email should include an unsubscribe link
- SMS should include a clear “STOP” mechanism
- your team should know how to record and apply opt-outs across systems
Consent Vs Legitimate Interests: Which Legal Basis Works Best?
This is where many SMEs get stuck.
Under UK GDPR, you need a “lawful basis” to process personal data. For direct marketing, the two most common are:
- consent
- legitimate interests
But there’s a twist: for electronic marketing (email, SMS, and sometimes calls), you often also need to comply with PECR (the Privacy and Electronic Communications Regulations). So even if GDPR allows something, PECR may still require consent.
When Consent Makes Sense
Consent tends to be the safer option when you’re doing higher-impact marketing or relying on channels where consent is the default expectation (like SMS).
For consent to be valid, it generally needs to be:
- freely given (no unfair pressure)
- specific (clear what they’re signing up for)
- informed (you explain who you are and what you’ll send)
- unambiguous (a clear affirmative action - not pre-ticked boxes)
If you’re collecting marketing consent through your website, make sure it aligns with your Cookie Policy and your privacy information, especially if tracking or analytics feeds into remarketing.
When Legitimate Interests Can Work
Legitimate interests can be a practical lawful basis for GDPR-compliant direct marketing in certain cases, particularly where:
- you have an existing relationship with the person (for example, they’re a customer)
- they would reasonably expect to hear from you
- your marketing is not intrusive
- you make opting out easy and respected immediately
In practice, businesses often use legitimate interests for things like:
- marketing to existing customers about similar products/services
- B2B outreach where the message is relevant to the person’s role (with care)
- some forms of post/telephone marketing (subject to other rules)
Don’t Skip The “Balancing Test”
If you rely on legitimate interests, you should document a simple assessment (often called a Legitimate Interests Assessment or LIA). The point is to show you have considered:
- your business interest (why you want to market)
- the person’s rights and expectations
- any safeguards (easy opt-out, limited frequency, relevant content)
This doesn’t need to be a 20-page memo - but having something written down can be very helpful if your practices are questioned later.
How PECR Changes The Rules For Email, SMS, Cookies And Calls
If you’re only thinking about GDPR, you’re only seeing half the compliance picture. For many SMEs, the biggest “gotcha” in direct marketing GDPR compliance is forgetting about PECR.
PECR applies to certain types of electronic marketing and tracking. So your marketing plan should consider both UK GDPR and PECR together.
Email And SMS Marketing: When Do You Need Consent?
As a general rule, sending marketing by email or SMS to individual subscribers requires prior consent - unless an exception applies. Different rules can apply where you’re messaging a corporate subscriber (for example, some limited company email addresses), but you should still handle personal data lawfully and always provide a clear opt-out.
The most common exception for SMEs is the soft opt-in.
The soft opt-in can apply where:
- you obtained the person’s contact details in the course of a sale (or negotiations for a sale)
- you’re marketing your own similar products/services
- you gave them a clear chance to opt out at the time you collected their details
- you give an opt-out option in every message
For startups, this is often very practical - but you need to set up the right wording and tick-boxes at checkout/on sign-up forms to rely on it confidently.
Cold Calling And Telephone Marketing
If your growth strategy includes phone outreach, you should consider both data protection and marketing rules. It’s not just about whether you have their number - it’s also about whether you’re allowed to use it for marketing, and whether they’ve opted out via preference services.
It’s also worth being careful about scripts and training, especially if you outsource sales. A quick check of your process against the cold calling rules can save you headaches later.
And if you’re doing outbound calls that involve customer data, it’s sensible to also understand the compliance expectations around business calls (especially if calls are recorded, monitored, or used for training).
Cookies And Tracking For Retargeting
If you’re using cookies or similar technologies to:
- track visitor behaviour
- build audiences for retargeting
- measure conversions
you’ll likely need a proper cookie consent setup for non-essential cookies. That typically means:
- clear information about what cookies do
- a real choice (not “by using this site you accept…”)
- consent recorded before non-essential cookies fire
This is where your Cookie Policy needs to match your actual tracking and advertising tools.
What Does A GDPR-Compliant Direct Marketing Workflow Look Like For SMEs?
Compliance is much easier when it’s built into your process, instead of treated like an afterthought.
Here’s a practical workflow you can adapt to most small business and startup marketing operations.
Step 1: Map Your Marketing Data Sources
List where marketing data comes from, for example:
- website sign-up forms
- checkout pages
- lead magnets (ebooks, webinars)
- offline events
- referrals and introductions
- sales outreach lists
For each source, record what you collect (name/email/phone/etc.) and what you tell people at the point of collection.
Step 2: Decide Your Lawful Basis (And Keep It Consistent)
You should be able to answer, for each list:
- Are we relying on consent, soft opt-in, or legitimate interests?
- What evidence do we have (timestamped opt-in, checkout wording, LIA)?
- What opt-out method is in place?
This step is where many SMEs accidentally mix lists, import contacts without clear permission, or assume “if it’s public online, it’s fair game” (it usually isn’t).
Step 3: Make Your Opt-Out Process Frictionless
Your marketing needs to be easy to stop. Practically, you want:
- one-click unsubscribes in email
- clear STOP instructions for SMS
- a process for manual requests (for example, “please remove me” replies)
Also, don’t delete opt-outs entirely. Often you’ll need a “suppression list” (a record of who opted out) so you don’t accidentally re-market to them later.
Step 4: Keep Your Privacy Information Up To Date
Your privacy information should reflect what you’re actually doing with customer and lead data, including:
- what marketing you send
- whether you profile people or personalise marketing
- who you share data with (email platform providers, CRM tools, ad platforms)
- international data transfers (common when using global software tools)
If you don’t have this in place, it’s hard to argue you’re being transparent under direct marketing GDPR requirements. Having a tailored Privacy Policy is usually a key part of getting this right.
Step 5: Manage Suppliers And Platforms Properly
If you use third-party providers (email marketing tools, CRMs, analytics, ad platforms), you should check:
- do you have a data processing agreement (where required)?
- where is data stored?
- what security controls exist?
- can you delete data easily when needed?
If you’re building out compliance more broadly (especially as you scale or raise investment), it can be worth formalising this through a GDPR package so your policies, procedures, and contracts work together.
Common Direct Marketing GDPR Mistakes Startups Make (And How To Avoid Them)
Most direct marketing GDPR problems don’t come from bad intentions. They come from fast growth, messy systems, and “we’ll fix it later”. Here are a few common pitfalls we see.
Mistake 1: Buying Or Scraping Email Lists
Purchased lists and scraped contacts are high-risk. Even if a supplier claims the list is “GDPR compliant”, you still need to be confident that:
- the people consented to receive marketing from you specifically (not just “partners”)
- you can prove that consent
- your outreach meets PECR rules
In many cases, the compliance burden (and reputational risk) outweighs the short-term benefits.
Mistake 2: Treating All Customers The Same
Your marketing database should distinguish between:
- customers you can market to via soft opt-in
- leads who opted in explicitly
- contacts where you’re relying on legitimate interests (and why)
- people who opted out (suppression list)
If everything is dumped into one list, you can’t reliably apply the right legal rules - and that’s when mistakes happen.
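The list hygiene described in Step 2, Step 3 and this mistake can be enforced in code rather than by memory. The following register is an added example, not Sprintlaw's code: every contact carries its lawful basis and evidence, opt-outs go to a suppression list that imports are checked against, and the channel rule is a simplified assumption (email/SMS need consent or the soft opt-in; post may also rely on legitimate interests); all contacts are constructed.

```python
from dataclasses import dataclass, field

# Lawful bases the article names for UK direct marketing.
CONSENT, SOFT_OPT_IN, LEGITIMATE_INTERESTS = "consent", "soft_opt_in", "legitimate_interests"

# Assumption (simplified): email/SMS to individuals need consent or the soft opt-in;
# legitimate interests alone is only accepted here for post. Calls are left out.
CHANNEL_RULES = {
    "email": {CONSENT, SOFT_OPT_IN},
    "sms": {CONSENT, SOFT_OPT_IN},
    "post": {CONSENT, SOFT_OPT_IN, LEGITIMATE_INTERESTS},
}


@dataclass
class Contact:
    email: str
    basis: str
    evidence: str  # timestamped opt-in, checkout wording, LIA reference, etc.


@dataclass
class MarketingRegister:
    contacts: dict = field(default_factory=dict)
    suppression: set = field(default_factory=set)  # opted-out addresses, never deleted

    @staticmethod
    def norm(email: str) -> str:
        return email.strip().lower()  # so re-imports with different casing still match

    def import_contact(self, c: Contact) -> bool:
        """Add a contact unless suppressed or lacking evidence; True if added."""
        key = self.norm(c.email)
        if key in self.suppression or not c.evidence or c.basis not in CHANNEL_RULES["post"]:
            return False
        self.contacts[key] = c
        return True

    def opt_out(self, email: str) -> None:
        """Apply an opt-out immediately: suppress the address and drop it from the list."""
        key = self.norm(email)
        self.suppression.add(key)
        self.contacts.pop(key, None)

    def can_send(self, email: str, channel: str) -> bool:
        """Check suppression first, then whether the recorded basis covers the channel."""
        key = self.norm(email)
        c = self.contacts.get(key)
        if c is None or key in self.suppression:
            return False
        return c.basis in CHANNEL_RULES.get(channel, set())

    def segments(self) -> dict:
        """Count contacts per lawful basis plus the suppression list size."""
        out = {CONSENT: 0, SOFT_OPT_IN: 0, LEGITIMATE_INTERESTS: 0}
        for c in self.contacts.values():
            out[c.basis] += 1
        out["suppressed"] = len(self.suppression)
        return out
```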
Mistake 3: Hiding The Unsubscribe Option
If a person can’t find the unsubscribe link, or unsubscribing is treated like a “request” rather than an immediate action, you’re creating avoidable risk. Make opting out easy and treat it as a normal part of marketing.
Mistake 4: Forgetting About Cookies And Retargeting
It’s common to focus on email consent and forget that your biggest compliance gap is actually your website tracking and retargeting set-up.
If you rely on analytics and ads to drive growth, your cookie consent and notices need to be aligned. That includes having a workable Cookie Policy and ensuring non-essential cookies aren’t firing before consent (where required).
Mistake 5: No One “Owns” Compliance Internally
Even in a small team, someone should be responsible for:
- approving marketing sign-up language
- keeping opt-out systems working
- reviewing new campaign ideas (especially anything involving profiling, targeting, or data sharing)
This doesn’t have to slow you down - it just prevents “random acts of marketing” that accidentally create legal exposure.
Key Takeaways
- Direct marketing rules under GDPR can apply whenever you use personal data to promote products or services directly to individuals - and that includes more than just email newsletters.
- UK GDPR and PECR often apply together, especially for email, SMS, cookies, and some forms of calling, so you need a combined compliance approach.
- Consent and legitimate interests are the most common lawful bases, but you should document your reasoning and keep your marketing lists organised by lawful basis.
- The soft opt-in can be a practical route for marketing to existing customers, but only if you set up the right wording and opt-out options from the start.
- Your Privacy Policy and Cookie Policy should reflect what you actually do, particularly if you track visitors, personalise marketing, or share data with marketing platforms.
- Most compliance issues come from messy processes, so building a simple workflow (data source mapping, opt-outs, supplier checks) is usually the best first step.
This article is for general information only and doesn’t constitute legal advice. If you need advice for your specific situation, you should speak to a qualified professional.
If you’d like help setting up compliant direct marketing systems, privacy wording, or a practical GDPR framework that fits how your business actually grows, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.