Ensuring your marketing database is legal - checklist

Any business that handles and stores data and uses it for marketing purposes needs to make sure that it is doing so legally. Our checklist covers your main obligations when it comes to managing your database.

  • Review what data you collect, and why you need it.
  • Ensure that you do not collect any unnecessary personal data; delete any unnecessary information from your records.
  • Make sure you are up to date with the General Data Protection Regulation (GDPR) and what it means for your business.
  • Check whether you need to notify the Information Commissioner about your use of personal data and, if necessary, do so.
  • Train employees on how data protection principles apply to their work.
  • Make breaches of data security policies and misuse of data disciplinary offences.
  • Collect information fairly; to be sure, always ask contacts to opt in before adding them to your database.
  • Make sure you have a fully documented and demonstrable process for processing data lawfully, and that you've carried out a data risk assessment.
  • Include a statement of your privacy policy on your website.
  • Maintain a do-not-contact list of individuals and companies who have opted out; check against this list before adding new contacts to your database.
  • Take steps to ensure that you input data accurately.
  • If you buy in mailing lists, ensure that they have been properly screened: check against the Mailing Preference Service, and make sure that your list broker has obtained the proper opt-ins for email marketing.
  • Give contacts the right to opt out from further communications whenever you send them mail or electronic communications.
  • Protect access to systems and data: for example, through appropriate building security and computer passwords.
  • Install appropriate electronic security: for example, a firewall and anti-virus software.
  • Restrict access to sensitive information to those employees who need it.
  • Set up a system for updating your database, including removing information that is no longer needed.
  • Dispose of old records (paper or electronic) securely.
  • Ensure that you back up your database, and that backup copies are kept secure.
  • Set up a procedure for responding to requests from individuals who ask to see what information you hold on them.
  • Check the legal position before you transfer or sell your database (for example, selling to a third party or transferring to an overseas office).
