The direct marketing code of practice: five things fundraisers need to know

09 January 2020
Governance and ComplianceEthics
Standard Content

The Information Commissioner’s Office announced this week a consultation on an updated Direct Marketing Code of Conduct. Daniel Fluskey, Head of Policy and External Affairs at the Chartered Institute, runs through what is in the updated Code and what fundraisers need to know.

As Al Pacino said in The Godfather Part III: "Just when I thought I was out, they pull me back in." He wasn’t talking about GDPR and direct marketing, but if he was a fundraiser (let’s avoid mafia/fundraiser analogies here) the sentiment might be the same when he saw that early 2020 has brought a new consultation from the ICO on an updated Direct Marketing Code of Practice.

There has been a Direct Marketing Code for quite a while – but following GDPR, there was a need to update the guidance to make it relevant and practical to today’s demands. So, it’s not a surprise that this is with us – and while the eagle-eyed among you might know that the Privacy and Electronic Regulations (PECR) are due to be updated, this Code covers the e-privacy regs as they stand from 2003.

The consultation runs until 4 March, and the IoF will be responding. We’d love to hear the thoughts and views from our members to inform our response – please do send any through to me. But to begin with, here’s a top-line run through of what’s in there and what fundraisers need to know.

1. What's the direct marketing code of practice all about?

GDPR is the law, setting out the principles and requirements of data processing. The ICO produces Codes of Practice to provide practical guidance on different areas and themes of data processing – explaining the law and giving recommendations for good practice. For example, there is a Code on Data Sharing, and now they’ve turned to updating the one for Direct Marketing.

2. Does the code apply to charities and fundraising?

Yes, and yes. The Direct Marketing Code is about the processing of personal data, whatever the organisation. So it covers charities storing and using personal data for the purpose of direct marketing. And direct marketing is defined broadly, including ‘the promotion of aims and ideas as well as advertising goods and services. Any method of communication which is directed to particular individuals could constitute direct marketing’. (So, TV appeals, unaddressed door drops, street fundraising are not within scope as they aren’t directed to particular individuals).

3. Will we have to follow the code of practice?

The new Codes of Practice from the ICO have the status of ‘statutory guidance’. That means that it is more than advisory. In determining whether organisations have complied with the law, the ICO has a ‘statutory duty to take the provision of this code into account when enforcing the GDPR and PECR.’ The ICO sets out the enhanced status of the Code, stating that while it does not impose any additional legal obligations that go beyond the requirements of the GDPR and PECR, “Adherence to this code will be a key measure of your compliance with data protection laws. If you do not follow this code, you will find it difficult to demonstrate that your processing complies the GDPR or PECR.”

Right then, it’s significant stuff. Fundraisers and charities will need to read and take on the code, which is why responding to this consultation really important.

4. What kind of thing is in the direct marketing code?

Pretty much everything that you can imagine that is related to direct marketing. That’s much more than sending emails, making calls, or posting direct mail: it’s lead generation, collecting details, profiling, online advertising, sharing data.

It confirms some of the stuff we knew (e.g, sending an email to ask for consent is in itself a marketing email that you would have needed consent to send in the first place), as well as informing that there are some areas that aren’t completely clear cut (such as the classification of a ‘service message’ for which key factors are likely to be ‘phrasing, tone and context’).

There’s also information on when a Data Protection Impact Assessment is required (such as large scale profiling or data matching) and the kind of factors to include in a balancing exercise for assessing legitimate interest.

There’s too much content to outline it all (basically, if it’s part of direct marketing then it’s in there), and also lots of examples to try and bring it to life – including quite a few charity, university, and cultural organisations.

5. What should we do next and what feedback would be useful?

First of all, please do take a look at the Code. It is detailed (120 pages) but you can look at specific sections and areas. We want to know whether fundraisers think it is clear and easy to use (or isn’t), whether the examples are helpful, and any views or thoughts on particular areas or specific issues that you think need to be looked at again or are obviously missing.

We’ll be engaging with our members, and discussing the proposed Code at our Standards Advisory Board – if you have any thoughts you’d like to share then please do (it can be one small point, or a lengthy thesis!). Just email them across to

Daniel Fluskey
Daniel Fluskey
Head of Policy and External Affairs at the Chartered Institute of Fundraising
Members Only Content