GDPR for Marketing Teams: How to Handle Customer Data Compliantly
Henry Dawson
Jun 16, 2026
12 min read

Guidance on UK GDPR for marketing teams matters because marketing teams handle personal data every day. Email lists, customer relationship management (CRM) records, campaign analytics, social media audiences, retargeting pixels, lead forms, event registrations and customer segments all involve data protection risk. Used well, this data helps organisations communicate with the right people. Used poorly, it can lead to complaints, enforcement action and loss of customer trust.

For marketing managers, digital marketers and email campaign teams, the key point is that UK marketing compliance is not only about UK General Data Protection Regulation (UK GDPR). The Privacy and Electronic Communications Regulations (PECR) also apply to electronic marketing, including many email, text and direct message campaigns. UK GDPR governs how personal data is processed; PECR sets specific rules for electronic marketing communications.

This guide explains how marketing teams can handle customer data compliantly, including lawful basis, consent, legitimate interests, the soft opt-in, CRM hygiene, social media targeting and staff training. If your team needs practical support, our GDPR training for marketing teams is designed to help marketing professionals apply UK GDPR and PECR in everyday campaigns.

How Does UK GDPR Apply to Marketing Teams?

UK GDPR applies whenever marketing teams process personal data. Personal data means information relating to an identified or identifiable living person. In marketing, this may include names, email addresses, phone numbers, job titles, location data, customer preferences, browsing behaviour, purchase history, campaign engagement and lead scoring data.

Marketing teams process personal data when they:

  • collect leads through forms;
  • upload contacts into a CRM;
  • send email campaigns;
  • segment audiences;
  • personalise content;
  • track email opens or clicks;
  • build lookalike audiences;
  • run retargeting campaigns;
  • manage event registrations;
  • enrich customer records;
  • analyse campaign performance;
  • share data with agencies or platforms.

UK GDPR requires personal data to be processed lawfully, fairly and transparently. This means you need a clear purpose, a lawful basis, appropriate privacy information, security controls, retention rules and respect for individual rights.

Marketing teams must also think about customer expectations. Just because data is available does not mean it should be used. A customer who provides their email address to receive an order confirmation may not expect to be added to unrelated promotional campaigns without proper consent or another lawful route.

Good marketing data protection starts before the campaign launches. Teams should ask:

  • What data are we collecting?
  • Why do we need it?
  • What lawful basis applies?
  • Have we told people clearly?
  • Do PECR rules require consent?
  • How can people opt out?
  • How long will we keep the data?
  • Are third-party tools involved?
  • Do cookies or pixels require consent?

Lawful Basis for Marketing Under UK GDPR

Every marketing activity involving personal data needs a lawful basis under UK GDPR. The most common lawful bases for marketing are consent and legitimate interests, although contract or legal obligation may apply in limited supporting contexts, such as service communications or compliance records.

Marketing teams should not assume that consent is always required under UK GDPR. However, PECR may require consent for certain electronic marketing activities, especially emails and texts to individual subscribers. This is why marketing teams must consider UK GDPR and PECR together.

Consent vs Legitimate Interest

Under UK GDPR, consent must be freely given, specific, informed and unambiguous. It requires a clear affirmative action, such as ticking an unchecked box or actively choosing to subscribe. Pre-ticked boxes, silence or inactivity are not valid consent.

Valid consent should be:

  • separate from general terms and conditions;
  • clear about what the person is signing up to;
  • specific to the organisation and type of marketing;
  • easy to withdraw;
  • recorded with evidence of when, how and what the person agreed to.

Legitimate interests may be available for some marketing activities, particularly where customers would reasonably expect the processing and the impact on their privacy is limited. However, you should complete a legitimate interests assessment. This involves identifying the legitimate interest, showing the processing is necessary, and balancing it against the rights and expectations of individuals.

For example, a business may rely on legitimate interests to send postal marketing to existing customers, subject to transparency and opt-out rights. However, for many email or text campaigns to individual subscribers, PECR may still require consent or a valid soft opt-in.

In short: UK GDPR lawful basis answers “Can we process this personal data?” PECR answers “Can we send this electronic marketing message?”

Email Marketing and PECR Rules

Compliant email marketing in the UK requires marketers to understand PECR as well as UK GDPR. PECR sets specific rules for electronic mail marketing, including emails, texts and some direct messaging.

For individual subscribers, such as consumers, sole traders and some partnerships, unsolicited electronic marketing usually requires consent unless the soft opt-in applies.

For corporate subscribers, such as limited companies and limited liability partnerships, PECR allows unsolicited B2B electronic marketing without consent or soft opt-in. However, UK GDPR still applies if you are processing personal data, such as a named employee’s work email address. You must still be transparent, use a lawful basis, provide opt-outs and respect objections.

Marketing emails must not hide or disguise the sender’s identity. They must include a valid address or method for opting out. In practice, every marketing email should include a clear unsubscribe option.

What Is the Soft Opt-In?

The phrase “soft opt-in under UK GDPR” is often used, but the soft opt-in actually comes from PECR, not UK GDPR. It allows organisations to send electronic marketing to existing customers without fresh consent, provided all of its conditions are met.

For commercial marketing, the soft opt-in may apply where:

  • you obtained the person’s contact details during a sale or negotiation for a sale;
  • you are marketing your own similar products or services;
  • the person was given a clear chance to opt out when their details were collected;
  • the person is given a clear chance to opt out in every subsequent message.

The soft opt-in does not apply to cold prospects or new contacts from bought-in lists. It also does not allow you to send unrelated marketing simply because someone once bought from you.

Example: A customer buys a training course from your website and gives their email address during checkout. You may be able to email them about similar courses if they were clearly offered an opt-out at the point of collection and every marketing email includes an unsubscribe option.

Example: A marketing team buys a list of personal email addresses and sends a campaign. The soft opt-in does not apply because the contacts are not your existing customers and you did not collect their details during a sale or negotiation.

In 2026, marketing teams should also be aware that ICO guidance has been updated to reflect changes introduced by the Data (Use and Access) Act 2025, including charitable soft opt-in provisions. Commercial teams should still apply the commercial soft opt-in rules carefully.

After reviewing your PECR and soft opt-in processes, it may be useful to train campaign teams with a GDPR and email marketing course, especially where staff manage email platforms, forms, CRM records and unsubscribe workflows.

Customer Data in Your CRM — What You Can and Cannot Do

Your CRM is one of the highest-risk marketing systems because it may contain customer contact details, lead sources, preferences, purchase history, notes, engagement scores and segmentation data.

Good CRM compliance starts with data hygiene. Teams should keep records accurate, relevant and up to date. Old, duplicated, unverified or unclear records increase the risk of unlawful marketing.

Marketing teams can use CRM data where they have:

  • a clear purpose;
  • a lawful basis;
  • appropriate transparency;
  • accurate records;
  • valid consent or soft opt-in evidence where needed;
  • a working unsubscribe process;
  • appropriate access controls;
  • retention rules.

Marketing teams should not:

  • upload bought-in personal lists without verifying valid consent;
  • merge datasets without checking compatibility and transparency;
  • keep unsubscribed contacts in active campaign lists;
  • ignore marketing objections;
  • use old consent records where the scope is unclear;
  • collect unnecessary data fields;
  • retain inactive contacts indefinitely;
  • give agencies unrestricted CRM access;
  • use data for unrelated purposes without review.

Bought-in lists are particularly risky. They are not automatically illegal in every context, but for B2C email marketing they are usually unsuitable unless you can prove valid, specific consent to your organisation for that type of marketing. Vague third-party consent is not enough. As a practical policy, many organisations prohibit purchased personal email lists because the compliance risk is too high.

Unsubscribes must be respected promptly. Suppression lists should be maintained so people who opt out are not re-added later through a new upload or imported spreadsheet.

CRM access should also be role-based. Not everyone in marketing needs access to every customer record. Agencies, freelancers and third-party processors should only receive access where necessary and under appropriate contracts.

For teams managing CRM campaigns, data protection training for marketing professionals can help staff understand lawful basis, list hygiene, segmentation and consent records. For wider business context, GDPR Essentials for UK Businesses provides a useful foundation for managers and operational leads.

Social Media Marketing and Data Protection

Social media marketing can involve personal data in several ways. This includes direct messages, lead forms, custom audiences, lookalike audiences, engagement analytics, influencer campaigns and social listening.

UK GDPR applies to digital marketers wherever individuals can be identified or profiled. Even where platforms provide aggregated analytics, marketing teams should understand what data they upload, how it is used and what responsibilities they may have.

Examples include:

  • uploading customer email lists to create custom audiences;
  • using tracking pixels on a website;
  • collecting leads through social media forms;
  • responding to customer complaints through direct messages;
  • using social listening tools to monitor individuals;
  • running retargeting campaigns based on website visits.

Retargeting and cookie-based advertising often require consent under PECR because cookies and similar technologies are placed or accessed on a user’s device, unless a narrow exemption applies. Marketing teams should work with web, analytics and compliance colleagues to ensure cookie banners, consent management platforms and privacy notices reflect actual tracking.

Social media direct messages can also fall under electronic marketing rules. If a direct message promotes products or services, PECR may apply depending on the circumstances.

Marketing teams should avoid assuming that “the platform handles GDPR”. Platforms may provide tools, but your organisation remains responsible for its own processing decisions, uploads, targeting criteria and transparency.

Profiling, Targeting and Automated Marketing

Profiling means using personal data to evaluate or predict aspects of a person, such as interests, behaviour, preferences, economic situation, location or likely purchasing behaviour.

Marketing profiling may include:

  • lead scoring;
  • customer segmentation;
  • behavioural targeting;
  • predictive product recommendations;
  • abandoned basket campaigns;
  • loyalty scoring;
  • churn prediction;
  • personalised pricing;
  • automated audience selection.

Profiling is not automatically prohibited, but it must be lawful, fair and transparent. Individuals should be told when profiling is used in a meaningful way, especially where it affects what they see, what offers they receive or how they are treated.

Higher-risk profiling may require a Data Protection Impact Assessment (DPIA). This is especially important where profiling is large-scale, intrusive, unexpected, involves sensitive data, affects vulnerable individuals or combines multiple datasets.

Marketing teams should also consider fairness. Just because an automated tool can identify a segment does not mean the resulting campaign is appropriate. For example, targeting people based on inferred financial vulnerability, health concerns or sensitive characteristics can create serious legal and ethical risks.

Practical safeguards include:

  • explaining profiling in privacy notices;
  • limiting data used for segmentation;
  • avoiding sensitive targeting unless clearly lawful;
  • reviewing automated rules;
  • testing for unfair outcomes;
  • allowing people to object to direct marketing;
  • keeping human oversight where decisions may significantly affect individuals.

What Happens If You Get It Wrong?

Marketing mistakes can lead to complaints, unsubscribe spikes, reputational damage, platform restrictions and regulatory enforcement.

ICO enforcement cases show that direct marketing remains an active enforcement area. Recent action has included fines for unsolicited marketing messages and campaigns using third-party sourced data without valid permission. The ICO has also warned that vague consent, third-party consent or dressing marketing as service updates is not enough.

Common failures include:

  • sending marketing emails without consent or soft opt-in;
  • using bought-in lists without valid evidence;
  • ignoring unsubscribes;
  • failing to identify the sender;
  • sending marketing under the guise of service messages;
  • using tracking cookies without proper consent;
  • relying on legitimate interests without assessment;
  • failing to explain profiling;
  • keeping old CRM records indefinitely.

Penalties are not the only risk. Customers may lose trust quickly if they feel their data has been misused. A poorly targeted campaign can damage brand reputation more than it improves conversion.

Marketing compliance should therefore be built into campaign planning. Before launch, teams should check audience source, lawful basis, PECR compliance, consent evidence, opt-out wording, cookie consent, privacy information and suppression lists.

Training Your Marketing Team on GDPR

Marketing teams need role-specific training because their work involves fast-moving tools, customer data and campaign pressure. General GDPR awareness is useful, but it may not cover email marketing, CRM segmentation, retargeting, social media pixels or soft opt-in rules in enough detail.

Training should cover:

  • UK GDPR and PECR interplay;
  • consent requirements;
  • soft opt-in rules;
  • legitimate interests assessments;
  • B2B vs B2C marketing differences;
  • CRM data hygiene;
  • unsubscribe and suppression processes;
  • bought-in list risks;
  • cookie consent and retargeting;
  • social media lead generation;
  • profiling and automated targeting;
  • data sharing with agencies and platforms;
  • breach reporting;
  • documentation and evidence.

Training should use campaign examples. Staff should practise deciding whether a campaign needs consent, whether soft opt-in applies, whether a list can be used, and what privacy information should be provided.

Marketing managers should also keep records. This may include consent logs, legitimate interests assessments, campaign approval checks, supplier contracts, DPIAs, cookie records and unsubscribe logs.

For practical, campaign-focused learning, explore our GDPR training for marketing teams. It helps marketing professionals understand how to handle customer data, email campaigns and targeting activity compliantly under UK rules.

FAQs

Do I need consent to send marketing emails under UK GDPR?

For individual subscribers, PECR usually requires consent unless the soft opt-in applies. UK GDPR also requires a lawful basis for processing the personal data, so marketing teams must consider both PECR and UK GDPR.

What is the soft opt-in rule?

The soft opt-in allows you to send marketing emails or texts to existing customers without fresh consent if you collected their details during a sale or negotiation, market your own similar products or services, and gave them an opt-out at collection and in every message. It does not apply to cold prospects or bought-in lists.

Can I use legitimate interest for B2B marketing?

You may be able to rely on legitimate interests for some B2B marketing under UK GDPR, but you still need to consider PECR and provide clear opt-outs. Named business contacts are still personal data, so transparency and objection rights matter.

Do I need to update my marketing consents?

You should review consent records if they are old, unclear, bundled, based on pre-ticked boxes, or do not specify your organisation and marketing purpose. If you cannot show valid consent, you may need to refresh permissions or stop using that list for consent-based campaigns.

What is the ICO’s guidance on email marketing?

The ICO explains that electronic mail marketing must comply with PECR and UK GDPR. For individual subscribers, you generally need consent or a valid soft opt-in; for corporate subscribers, consent may not be required under PECR, but you should still identify yourself, provide opt-outs and comply with UK GDPR.

Equip your marketing team to market compliantly — explore our GDPR training for marketing professionals and help your team manage customer data, email campaigns and targeting activity with confidence.
