The Notify Gazette
Published by Authority · United Kingdom Edition
OFFICIAL · Information Commissioner's Office
Notice No.: NTC-GB-005
Date Issued: 2026-05-27
Status: In force
Category: Privacy & Compliance

UK GDPR, PECR soft opt-in and the Information Commissioner's Office consent management framework for transactional and marketing dispatch

The Information Commissioner's Office enforces the United Kingdom General Data Protection Regulation alongside the Privacy and Electronic Communications Regulations 2003 (as amended). The PECR soft opt-in for similar products and services, the 72-hour breach notification window, the right of erasure and the duty to provide a Data Subject Access Request response within one month all flow through 4notify's consent envelope — the dispatch never leaves the API edge without a clean lawful-basis record.

Email · SMS · Webhook
Preamble

Whereas the Information Commissioner's Office issued the UK GDPR Guide and the PECR Direct Marketing Code of Practice, and whereas every electronic communication for marketing or transactional purposes is required to carry a valid lawful basis, the present Notice records the standing consent management framework operated by 4notify on behalf of every UK-resident controller.

Cited Statutes
Data Protection Act 2018 + UK GDPR

Primary domestic implementation of UK General Data Protection Regulation; ICO is the supervisory authority.

PECR 2003 (as amended in 2003, 2004, 2011, 2018, 2019, 2025)

Privacy and Electronic Communications Regulations: rules on cookies, electronic mail and SMS marketing, soft opt-in and consent.

ICO Direct Marketing Code of Practice 2023

Statutory code giving the soft opt-in its operational shape: prior commercial relationship + similar products + clear opt-out at point of collection and on every message.

ICO Personal Data Breach Notification Guidance

72-hour breach notification to the ICO; affected data subjects without undue delay where high risk to rights and freedoms.

Implementation
01 · Lawful-basis registration per dispatch

Each dispatch envelope carries one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests); the basis is set at template registration.

02 · Soft opt-in qualification

For marketing dispatches to existing customers, the soft opt-in (similar products + clear opt-out at point of collection) is verified at the envelope; non-qualifying dispatches are blocked at the edge.

03 · Right of erasure within 30 days

DSAR / erasure requests propagate from the controller's CRM through 4notify within 24 hours; the suppression list is updated across all four MNOs and the email gateway.

04 · 72-hour breach notification webhook

Any envelope-level incident (mis-routing, mis-personalisation, dispatch to a suppressed contact) generates a webhook to the controller's Data Protection Officer within 1 hour, to support the 72-hour ICO notification window.

Dispatch Envelope
json
{
  "event": "dispatch.consent_envelope",
  "controller_id": "GB-CTRL-12345",
  "lawful_basis": "soft_opt_in",
  "soft_opt_in_evidence": {
    "prior_transaction": "ORD-2025-09-14-94821",
    "similar_products_match": true,
    "opt_out_link_present": true,
    "opt_out_link_at_collection": true
  },
  "dispatch": { "channel": "email", "template": "promo_xmas_v2" },
  "suppression_check": "passed"
}
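
An added example, not 4notify's own code: a fail-closed edge gate that applies the checks described under Implementation to the envelope above. The function name, the snake_case spellings of the six lawful bases and the acceptance of "soft_opt_in" as a lawful_basis value (as the sample envelope uses it) are assumptions.

```python
import json

# Six lawful bases named on the page; the snake_case spellings are assumed.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
# The sample envelope puts "soft_opt_in" in lawful_basis, so it is accepted too.
SOFT_OPT_IN = "soft_opt_in"
REQUIRED_FLAGS = ("similar_products_match", "opt_out_link_present",
                  "opt_out_link_at_collection")


def gate_envelope(envelope):
    """Return (allowed, reasons). Anything missing or malformed blocks the dispatch."""
    reasons = []
    basis = envelope.get("lawful_basis")
    if not isinstance(basis, str) or basis not in LAWFUL_BASES | {SOFT_OPT_IN}:
        reasons.append(f"unrecognised lawful_basis: {basis!r}")
    if basis == SOFT_OPT_IN:
        evidence = envelope.get("soft_opt_in_evidence")
        if not isinstance(evidence, dict):
            reasons.append("soft_opt_in_evidence missing")
        else:
            ref = evidence.get("prior_transaction")
            if not (isinstance(ref, str) and ref.strip()):
                reasons.append("prior_transaction reference missing")
            for flag in REQUIRED_FLAGS:
                # Require a JSON boolean true; the string "true" or 1 must not pass.
                if evidence.get(flag) is not True:
                    reasons.append(f"{flag} is not true")
    if envelope.get("suppression_check") != "passed":
        reasons.append("suppression_check did not pass")
    return (not reasons, reasons)


# Sample input: the page's envelope, embedded so the block runs offline.
SAMPLE = json.loads("""{
  "event": "dispatch.consent_envelope",
  "controller_id": "GB-CTRL-12345",
  "lawful_basis": "soft_opt_in",
  "soft_opt_in_evidence": {
    "prior_transaction": "ORD-2025-09-14-94821",
    "similar_products_match": true,
    "opt_out_link_present": true,
    "opt_out_link_at_collection": true
  },
  "dispatch": { "channel": "email", "template": "promo_xmas_v2" },
  "suppression_check": "passed"
}""")

if __name__ == "__main__":
    print(gate_envelope(SAMPLE))
```
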
Sample Dispatch
Email
Subject: Your unsubscribe preference has been applied

We have updated your preferences with effect from today. You will no longer receive marketing emails from us, but you will continue to receive transactional messages (such as order confirmations and delivery alerts). To exercise your other rights under UK GDPR, including the right of erasure, contact [email protected].

Enforcement Checklist
  • ICO registration fee paid for the current year
  • Data Protection Officer contact configured at controller level
  • Soft opt-in evidence stored for every marketing dispatch
  • Erasure propagation tested across all dispatch channels
  • 72-hour breach notification webhook target reachable
What 4notify does differently

4notify is the only A2P platform that stores per-envelope soft opt-in evidence (prior transaction reference, similar-products match, opt-out link audit), propagates erasure across all four MNOs in under 24 hours and emits a 72-hour breach notification webhook on every dispatch-level incident.

Questions on the Order Paper
Does the soft opt-in apply to SMS as well as email?

Yes — PECR Regulation 22(3) extends the soft opt-in to electronic mail, which includes SMS, MMS and over-the-top messaging.

What if the controller hasn't registered with the ICO?

4notify blocks marketing dispatches at the API edge until a valid ICO registration is supplied; transactional dispatches (lawful basis: contract) remain available.

How is the 72-hour clock measured?

From the moment the controller becomes aware of the breach. 4notify provides a per-envelope timestamp to anchor that determination.

Signed at the Cabinet Office
4notify Operations
2026-05-27 · NTC-GB-005
