Ensuring your marketing database is legal - checklist

Any business that handles and stores data and uses it for marketing purposes needs to make sure they're doing so legally. Our checklist covers your main obligations.

  • Review what data you collect, and why you need it.
  • Ensure that you do not collect any unnecessary personal data; delete any unnecessary information from your records.
  • Make sure you are up to date with the General Data Protection Regulation (GDPR) and what it means for your business.
  • Check whether you need to notify the Information Commissioner about your use of personal data and, if necessary, do so.
  • Train employees on how data protection principles apply to their work.
  • Make breaches of data security policies and misuse of data disciplinary offences.
  • Collect information fairly; to be sure, always ask contacts to opt in before adding them to your database.
  • Make sure you have a fully documented and demonstrable process for processing data lawfully, and that you've carried out a data risk assessment.
  • Include a statement of your privacy policy on your website.
  • Maintain a 'do not contact' list of individuals and companies who have opted out; check against this list before adding new contacts to your database.
  • Take steps to ensure that you input data accurately.
  • If you buy in mailing (or other) lists, ensure that they have been properly screened (for example, checked against the Mailing Preference Service) and that the list broker has obtained the proper opt-ins if you want to market to the list electronically.
  • Give contacts the right to opt out from further communications whenever you send them mail or electronic communications.
  • Protect access to systems and data: for example, through appropriate building security and computer passwords.
  • Install appropriate electronic security: for example, a firewall and anti-virus software.
  • Restrict access to sensitive information to employees who need it.
  • Set up a system for updating your database, including removing information that is no longer needed.
  • Dispose of old records (paper or electronic) securely.
  • Ensure that you back up your database, and that backup copies are kept secure.
  • Set up a procedure for responding to subject access requests from individuals who ask to see what information you hold on them.
  • Check the legal position before you transfer or sell your database (for example, selling to a third party or transferring to an overseas office).
