Direct Marketing Policy Template
The ICO Fined One Firm £130,000 for a Single Email Campaign. The FCA Has Its Own List of Requirements on Top of That. Most Firms Are Running Both Risks Simultaneously.
Direct marketing sits at the intersection of two demanding regulatory regimes — PECR and UK GDPR — and for FCA-authorised firms, a third layer of conduct obligations on top. Get the consent wrong and you're facing ICO enforcement. Get the content wrong and you're facing FCA action. Get the data handling wrong and you're facing both. The rules aren't complicated but they're exacting: consent must be freely given, specific, informed and unambiguous; soft opt-in has precise eligibility conditions; TPS screening isn't optional; legitimate interest requires a documented three-part balancing test; suppression lists must be permanent; opt-outs must be processed within one working day for electronic communications. Most firms have a paragraph on this somewhere. Few have a complete, documented framework that covers every channel, every lawful basis, every obligation to third parties, and every piece of evidence the ICO will ask for during an investigation. This Direct Marketing Policy is that framework — channel-by-channel, regulation-by-regulation, with templates and checklists built in for operational use from day one.
The ICO doesn't fine firms for marketing. It fines them for marketing without a paper trail.
What's included:
- Full regulatory mapping — PECR Regulations 19/20/21/22/23, UK GDPR Articles 5(1)(c)/5(1)(d)/5(1)(e)/6/7/12/13-14/21(2)/21(3)/25/28/33/34/35, DPA 2018 Schedule 2, COBS 2.1/4/4.2R, CONC 3, ICOBS 2, MCOB 3, PRIN 6/7, FSMA 2000, CCA 1974, PSR 2017, Consumer Protection from Unfair Trading Regulations 2008
- Four-channel framework — email (PECR Reg 22 prior consent/soft opt-in/unsubscribe requirements), SMS (explicit consent/opt-out instructions), telephone (TPS screening/CLI/call timing 8am-8pm Mon-Sat/max 3 attempts per 30 days/automated calls prior consent), direct mail (MPS compliance/legitimate interest LIA)
- Lawful basis selection framework — consent (freely given/specific/informed/unambiguous, no pre-ticked boxes), legitimate interests (three-part test: purpose/necessity/balancing), contract
- Soft opt-in eligibility conditions — prior sale or negotiation, similar products/services only, opt-out at collection and every subsequent communication
- Consent management lifecycle — capture (date/method/scope), refresh (two-year cycle), granular preferences, withdrawal processing
- Corporate vs individual subscriber distinction with separate compliance requirements
- Legitimate Interest Assessment template with documented balancing test
- TPS/CTPS monthly screening requirement with records
- Suppression list management — permanent retention, cross-referenced across all databases, shared with third parties
- One working day opt-out processing standard for electronic, 28-day maximum for all channels
- Data protection integration — minimisation, accuracy, storage limitation, privacy by design/default, Article 21 absolute objection right
- Third-party due diligence framework — Article 28 processor agreements (processing instructions/confidentiality/security/sub-processing/data subject rights/breach notification)
- ICO 72-hour breach notification trigger for marketing data
- Role accountability matrix — Senior Management/DPO/Marketing Manager/Compliance Officer/Marketing Staff
- 2-hour line manager escalation / 4-hour Senior Management notification standard for regulatory breaches
- Six-year consent record retention, permanent suppression list retention, seven-year audit report retention
- Ready-to-use appendices: Pre-Campaign Verification Checklist (8-point), Channel-Specific Requirements Matrix (email/SMS/telephone/direct mail), Direct Marketing Channel Assessment Template, Consent Tracking Template (reference/date/method/channels/withdrawal/evidence), Third-Party Data-Sharing Assessment
Built for: Marketing Managers, Data Protection Officers, Compliance Officers, and Senior Management at FCA-regulated firms who need a complete PECR/UK GDPR-aligned Direct Marketing Policy that satisfies both ICO and FCA expectations — and that operationalises every compliance obligation into documented, auditable procedures.