Direct Marketing Policy Template
UK GDPR — and for FCA-authorised firms, a third layer of conduct obligations on top. Get the consent wrong and you're facing ICO enforcement. Get the content wrong and you're facing FCA action. Get the data handling wrong and you're facing both. The ICO fined one firm £130,000 for a single email campaign. The rules are exacting: consent must be freely given, specific, informed, and unambiguous; soft opt-in has precise eligibility conditions; TPS screening isn't optional; and opt-outs must be processed within one working day. Most firms have a paragraph on this somewhere. The ICO doesn't fine firms for marketing — it fines them for marketing without a paper trail.
What's included:
Full regulatory mapping: PECR Regulations 19–23, UK GDPR Articles 5/6/7/12/13–14/21/25/28/33–35, DPA 2018, COBS 2.1/4, CONC 3, ICOBS 2, MCOB 3, PRIN 6/7, and CCA 1974
Four-channel compliance framework: email (PECR Reg 22 consent/soft opt-in/unsubscribe), SMS (explicit consent/opt-out instructions), telephone (TPS screening/CLI/call timing/max 3 attempts per 30 days), and direct mail (MPS compliance/legitimate interest LIA)
Lawful basis selection framework: consent (freely given, specific, informed, unambiguous — no pre-ticked boxes), legitimate interests (documented three-part test), and contract
Consent management lifecycle: capture (date/method/scope), two-year refresh cycle, granular preferences, and one working day withdrawal processing
Suppression list management: permanent retention, cross-referenced across all databases, and shared with third parties
Third-party due diligence: Article 28 processor agreements covering processing instructions, confidentiality, security, sub-processing, and breach notification
Ready-to-use appendices: Pre-Campaign Verification Checklist, Channel-Specific Requirements Matrix, Consent Tracking Template, and Third-Party Data-Sharing Assessment
+ much more
Who is this for?
Marketing Managers, Data Protection Officers, Compliance Officers, and Senior Management at FCA-regulated firms who need a complete, board-approved Direct Marketing Policy that satisfies both ICO and FCA expectations — and operationalises every compliance obligation into documented, auditable procedures.
How it works
Step 1 — Read it. Every section exists for a reason, grounded in a specific regulatory obligation.
Step 2 — Understand it. Map the content against your current practices. Identify where you're strong and where gaps exist.
Step 3 — Make it yours. Tailor the language to reflect how your organisation actually operates. A policy that sounds like your firm is a policy your people will follow.
Step 4 — Take ownership. Assign clear accountability — Board approval, named SMF holder, designated policy owner. A policy without an owner is a liability, not an asset.
Step 5 — Operationalise it. Embed the policy into your governance calendar, training programme, and annual review cycle. This is where compliance becomes culture.
Or, get this free with RegTechPRO
Access this alongside the full compliance policy library — SM&CR, COBS, AML, Consumer Duty, GDPR, and more — for a fraction of the cost of consultancy.

