• Contact Us

Is Your Charity Protected Against Marketing Mistakes?

on Monday, 30 May 2022.

Despite the emergence of new software and technology, human error remains inevitable and the ICO continues to take a stringent approach on breaches of data protection legislation and contravention of the Privacy and Electronic Communications Regulations.

Information security continues to be the area of greatest risk in terms of data protection compliance and it remains the case that the majority of ICO fines for data protection breaches are as a result of security incidents. Charities must ensure that they put in place technical and organisational measures to safeguard personal data.

In terms of electronic communications and being compliant with the PECR, charities should also ensure they are satisfied that any new software they are using are configured correctly and that staff are given appropriate training on how to use these software as well as general compliance with the PECR when sending electronic communications.

How Things Can Go Wrong

The recent ICO fine given to the Royal Mail Group Limited (RM) is an illustration of how things can go wrong when dealing with electronic communications and the ICO's expectations around what organisations must do in practice to safeguard personal data.

As part of its 'special stamp series' campaign, RM inadvertently sent direct marketing emails via its Eloqua system to 215,202 individuals who had opted out of receiving future marketing from RM following a previous campaign. The incident arose due to a manual error when using Eloqua to send a reminder to permissioned customers about the campaign. The ICO concluded that RM actions were in contravention of regulation 22 of the PECR.

RM has demonstrated its awareness of both data protection and marketing compliance for instance, by reporting the breach to the ICO and by implementing a number of measures to prevent this happening again. Although the ICO was satisfied that RM did not deliberately set out to contravene the PECR, the ICO did consider the breach serious:

  • By storing all consented and non-consented email addresses on the same system together with the risk of human error which can occur, RM should have been aware of the risk that direct marketing emails could be sent to customers who had opted out.
  • RM did not have valid consent to send the direct marketing emails, either because an individual had opted-out or because they had used RM's services as a guest (without creating an account) and did not have sight of RM's privacy notice to be able to give valid consent.
  • For the individuals who checked out as guests, RM cannot rely on the soft opt-in exemption because they were simply not given the opportunity to refuse use of their contact details for the purposes of direct marketing.
  • In using the Eloqua system, RM should have been aware of its responsibilities under PECR as a result of the ICO's published detailed guidance.
  • By introducing a 'templated solution' which has been used before in 'single contact' campaigns, RM could have done this for all its campaigns.

This case illustrates that if a breach is considered to be serious enough then the ICO will closely scrutinise the measures that were in place prior to the incident.

The monetary penalty of £20,000 in this case is a reminder of the seriousness of non-compliance with the law and encouraging businesses to ensure that they obtain valid consent when required and that they only send direct marketing communications to those who consent to receiving it.


Make sure that you remind staff of the detailed guidance to understand what they need to do when carrying out marketing by phone, text, email, post or fax.


It is particularly important to remember that you can only send marketing emails or messages to individuals if they you have their consent to do so.


You should check that the training you are giving to staff is sufficient and that new staff have had the training before they are allowed access to personal data and send electronic communications. We offer bespoke data protection training to charities to help staff become more aware of data protection risks and situations which could arise at your agency. Please contact us if you'd like to know more about our training sessions.

Pitfalls of Using Software

The ICO's decision confirms that human error is inevitable and alternative measures could have been put in place to prevent the contravention. The risks of sending emails to the wrong group of recipients when stored on one system (as happened here) are too great. Instead software should be implemented with additional measures in place to check permissions before sending emails to multiple recipients.

For data protection advice in relation to your charity, please contact Penny Bygrave in our Commercial team on 07909 681 572, or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input