The marketing industry has now passed an important milestone, with exactly a year to go until the biggest change to data laws in a generation comes into force, and marketers are even less confident about their readiness now than they were three months ago.

The EU’s General Data Protection Regulation (GDPR), which has been adopted into UK law in spite of Brexit, will come into effect from 25 May 2018 and involves higher maximum fines of 4% of global turnover for breaches.

READ MORE: New online ad laws ‘put future of the web in danger’

Only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline. That number has fallen substantially from 68% since the DMA asked the same question in February. Nearly a quarter of companies have not even started preparing yet, despite the new law being first announced more than five years ago.

Confusion over consent

Confidence has been hit by controversial guidance issued by the Information Commissioner’s Office, which will police the law in the UK. It is consulting stakeholders on a number of key areas such as gaining consent to use personal data, profiling individuals and ‘legitimate interests’ for processing data, but its piecemeal approach has been held up by the general election.

Its draft guidance on how brands must request consent to use personal data for marketing purposes was due to be finalised in May, but marketers are still waiting to find out whether its initial strict interpretation will remain intact. Among its most significant proposed measures are:

  • An unambiguous opt-in is required to process personal data
  • Brands will need to be specific about what will be done with the data
  • Individual companies must be named when requesting consent for third-party marketing
  • Pre-ticked boxes and any assumption that consent is given by default will be insufficient
  • Brands should not stop consumers using a service if they withhold consent for their data being processed

Bodies such as the DMA are pushing for clarity. At an event in London today (25 May) chairman Mark Runacus said: “We need clear and consistent guidance and we need that as a matter of urgency if we are to meet the 2018 deadline.”

He expressed concern that the ICO would “penalise those who are trying to be open, honest and transparent” by taking proactive steps on the basis of its advice prior to the draft guidance, which took a harder line than many expected.

What are ‘legitimate interests’?

Asking for consent isn’t marketers’ only hope for ensuring their communications with consumers abide by the new law. The GDPR allows other legal justifications for processing personal data, the most relevant of which for marketers will be legitimate interests – essentially the right of a company to do business.

The ICO has not yet provided guidance on when brands can use this justification, but direct marketing is explicitly stated as a legitimate interest in the