Filter By

Show All

Connect to


Direct Mail & Legitimate Interest- Is 3rd party data dead?


3rd party marketing lists are crucial for marketers trying to acquire new customers, especially when using direct mail. This article will investigate the challenges of using purchased lists and highlight methods to ensure compliance with the GDPR and the DMA Code.

The ICO’s draft Direct Marketing Code has caused concern and confusion amongst marketers who use 3rd party data for direct mail. In the Code, the ICO make a general recommendation that consent is “better” than Legitimate Interests for marketing activities.

The DMA does not agree with this claim which directly contradicts the GDPR text and undermines the opinions of the European Data Protection Board (EDPB) and even the ICO’s own guidance… The DMA has responded to the consultation on the draft code highlighting our concerns and questioning aspects of their guidance. You can read the DMA’s response here.

So, what are the rules on using 3rd party data under Legitimate Interest?

‚ÄčThe use of 3rd party data for postal marketing can be conducted under legitimate interest, this is not going to change!

The use of 3rd party lists for marketing has two challenges in terms of data protection regulations.

The first challenge is the lawful basis for processing for the marketing communication you wish to send. Legitimate interest is a lawful basis for marketing, as outlined by Recital 47 of the GDPR. This means that providing you follow the guidance on legitimate interest and complete a legitimate interest assessment, you can rely upon it for this marketing activity.

The second challenge is facilitating the data transfer between the data broker and end-user of the data. Again, legitimate interests can be used here. The DMA has confirmation from the ICO that Legitimate Interests can be used to sell/rent data to a 3rd party who only use the data for postal marketing, hopefully providing some clarity on data transfer for data brokers.

How can organisations ensure they are staying compliant?

Transparency is a key theme to all arms of data protection compliance. Here are some steps you should take to ensure that your processes relating to list use are transparent and in line with the data protection principles enshrined into the GDPR:

  • Conduct a Legitimate Interests Assessment- conduct an LIA to ensure the rights and freedoms of the data subject are balanced with the needs of your business. Document the results and decision making around this LIA process. The Data Protection Network has produced a handy template with input from the DMA.
  • Update your privacy policy- Update your privacy policy to reflect where you are obtaining this data and your lawful basis for processing the data, along with information on how to opt-out. This will help your organisation meet the Article 14 Requirements outlined in the GDPR.
  • Ensure your marketing has privacy information included- Include Privacy information, such as a statement on data processing and where the data was obtained from, in the mailing to ensure transparency.
  • Make it easy to opt-out- Have a simple opt-out method, include information on this method in every communication with the data subject.
  • Screen against the MPS- Ensure you screen against the MPS and your in-house suppression files before sending the mailing. More information on the MPS can be found here.
  • Do your due diligence- Ensure that you are only purchasing/renting data from reputable sources to ensure that transparency and other data protection principles are adhered to.

Please feel free to contact me for advice on how to utilise 3rd party data to boost your postal campaigns on

Hear more from the DMA

Please login to comment.